Received: by 2002:a05:6a10:6006:0:0:0:0 with SMTP id w6csp495515pxa; Thu, 27 Aug 2020 07:56:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwnoJD/zRVxB9xTAkXtShF6Mz9kpkL7ebMZiKbNCbGK4n3Gpoejmu9UknB1SwTs2HZfrcuy X-Received: by 2002:aa7:cf19:: with SMTP id a25mr19612198edy.67.1598540188631; Thu, 27 Aug 2020 07:56:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598540188; cv=none; d=google.com; s=arc-20160816; b=Hg4t8NWfmG4Og4Hq2+9wi+NMFbCkieT3wsG9nS7no7JvlrC3QqzGaXWfReFAApG8jk HlZ6nKs8LKAl8+nhwC3Y6/bsT5Rk+g+tqL+UPZs+Q56rwvxtBbvsUyF2P9GqwlEBNS9B ROh6+g7Q0M2rKSxnMShleqp4P7sz5uh1jfsVvQyvIF7fQIAoWczvMhpFQwRdOafRxDyh m62xXQ7dl+HdQCV7w9b8Ugw2X1wXFxGhBfExBhPIRYJN0pCSZJcYh6weHOO+M9ll01q8 K1eo5NuIzLsNkCTnN/yVOkO906eCToyPLgI00+jYHGgKPmmjbDJLM8VuX9vXMMES/hTT tv4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=M5ytjJxKxU7wUyTQaQ/T1WyGq4hSu4S+y4z/z0e+HNU=; b=OHD95An114y6DNs7B8eddAeGE9T3G5TSUz5ynExkSuCuO/7EzEMRuL4MnzhUsQD8gF zAQEcNtMDCgJNHklYr9WLoGDMAz2/lk9c6tzESc8fign+mLOci+NDf3Rfn9zO/pLi9aF Mvci47avsZAQTiouOQeughM+cOBiegf7kSrClKJJi+GL529ZVOqHguhUjN3DUaOxCgWG v9Ke72iOeqK1HSrdj1a1UZN568Rh5MyPy7WMcVD4qXZzVBaQ8NhDJLS27E8xcpftxOQ6 0WAt420LEdvb+cC7DZhDTpgdtbFYsKLp1URbq/7rEsusL51Y0O6Yj3i4tRZy6UDkVMA7 rR+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t19si1856656edt.161.2020.08.27.07.56.06; Thu, 27 Aug 2020 07:56:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727980AbgH0OzS (ORCPT + 99 others); Thu, 27 Aug 2020 10:55:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:49014 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727075AbgH0NLT (ORCPT ); Thu, 27 Aug 2020 09:11:19 -0400 Received: from gaia (unknown [46.69.195.127]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 10065206F0; Thu, 27 Aug 2020 13:10:47 +0000 (UTC) Date: Thu, 27 Aug 2020 14:10:45 +0100 From: Catalin Marinas To: Andrey Konovalov Cc: Vincenzo Frascino , Dmitry Vyukov , kasan-dev , Andrey Ryabinin , Alexander Potapenko , Marco Elver , Evgenii Stepanov , Elena Petrova , Branislav Rankov , Kevin Brodsky , Will Deacon , Andrew Morton , Linux ARM , Linux Memory Management List , LKML Subject: Re: [PATCH 21/35] arm64: mte: Add in-kernel tag fault handler Message-ID: <20200827131045.GM29264@gaia> References: <20200827095429.GC29264@gaia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Aug 27, 2020 at 02:31:23PM +0200, Andrey Konovalov wrote: > On Thu, Aug 27, 2020 at 11:54 AM Catalin Marinas > wrote: > > On Fri, Aug 14, 2020 at 07:27:03PM +0200, Andrey Konovalov wrote: > > > +static int do_tag_recovery(unsigned long addr, unsigned int esr, > > > + struct pt_regs *regs) > > > +{ > > > + report_tag_fault(addr, esr, regs); > > > + > > > + /* Skip over the faulting instruction and continue: */ > > > + arm64_skip_faulting_instruction(regs, AARCH64_INSN_SIZE); > > > > Ooooh, do we expect the kernel to still behave correctly after this? I > > thought the recovery means disabling tag checking altogether and > > restarting the instruction rather than skipping over it. > > The intention is to be able to catch multiple MTE faults without > panicking or disabling MTE when executing KASAN tests (those do > multiple bad accesses one after another). The problem is that for MTE synchronous tag check faults, the access has not happened, so you basically introduce memory corruption by skipping the access. > We do arm64_skip_faulting_instruction() for software tag-based KASAN > too, it's not ideal, but works for testing purposes. IIUC, KASAN only skips over the brk instruction which doesn't have any other side-effects. Has the actual memory access taken place when it hits the brk? > Can we disable MTE, reexecute the instruction, and then reenable MTE, > or something like that? If you want to preserve the MTE enabled, you could single-step the instruction or execute it out of line, though it's a bit more convoluted (we have a similar mechanism for kprobes/uprobes). Another option would be to attempt to set the matching tag in memory, under the assumption that it is writable (if it's not, maybe it's fine to panic). Not sure how this interacts with the slub allocator since, presumably, the logical tag in the pointer is wrong rather than the allocation one. Yet another option would be to change the tag in the register and re-execute but this may confuse the compiler. > When running in-kernel MTE in production, we'll either panic or > disable MTE after the first fault. This was controlled by the > panic_on_mte_fault option Vincenzo initially had. I prefer to disable MTE, print something and continue, but no panic. > > We only skip if we emulated it. > > I'm not sure I understand this part, what do you mean by emulating? Executing it out of line or other form of instruction emulation (see arch/arm64/kernel/probes/simulate-insn.c) so that the access actually takes place. But you can single-step or experiment with some of the other tricks above. -- Catalin