Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4225930pxb; Mon, 8 Feb 2021 10:49:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJxgjkxMolEZHxSubEcVE2gJs9eaTvNmFe/w/Osq+N6YzlMin1BEfyiLDsPj0M0txD65PM1R X-Received: by 2002:a05:6402:c8e:: with SMTP id cm14mr11748014edb.6.1612810190111; Mon, 08 Feb 2021 10:49:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612810190; cv=none; d=google.com; s=arc-20160816; b=MzIA6xGuM6Ztt2IKOYtOrCodzQD1zxIwgcnucil8Ri+dI85zb+t308Z09xrAHxIV/Q sLTVVOOiHolcmnvjvX2znG36KY7cD5CXBaH6eWpE6w9OBXZKB/k1T8DCCPsIqmsCAjVS MByRhDKD0LXqVl8PamwMjnFfSP+t7c1mQ5FNyiUbmXbtc8xGrDrGYQSGtAvNI6e/pRcC qn3N82DOyYzsJ4NI+Q2ONhtkkmBECM+vnXOJUKZNdxVc6E0lloR2YqCCZFjuTGyjt3XG 69KknaoWeFVYD/dBkhIOjW0sX9loPhz8eEzvJmoMeSKGCDzuwgUbNhyz8Nutkk4D+F8T poyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=RA7SSvbYOUX0tk211UpbrVnWsgFJBgVil5+7gTC/1T8=; b=wuPwuFTO4ENqgTjFq6FV9FBrWLhR7MQ+XS5TlyP/P9eMKdp5vwZu+rfyOeguvRiC3h 4TFoQN7fDk2uE+QPom5VB8dFGlPQTOmfudhtGEeiA0xPDE2BQ8Eq9z5jey7C7SqdF76b to95rGN4bNe95LHeoz1FNxSJKGYu8xvN43ntx0H7rxJXwHTpdbsbrAMBDx8yefAPWiCH xn7DwlIh8k24kVTisKVQIZxGWd0FqC8n0tqL9IGrnwxe73vT0rFu6G8X7QklR1zZdKsb Q8Z6ZlOhJfgJcYWllhBxRtpgwuFwGAnc3ympk8Pi6UBFE5mbgqQqhWSkOd7I7/+8gty/ xyiQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v6si6164480edq.183.2021.02.08.10.49.26; Mon, 08 Feb 2021 10:49:50 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234590AbhBHSso (ORCPT + 99 others); Mon, 8 Feb 2021 13:48:44 -0500 Received: from foss.arm.com ([217.140.110.172]:38290 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234674AbhBHQ5V (ORCPT ); Mon, 8 Feb 2021 11:57:21 -0500 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E15F511B3; Mon, 8 Feb 2021 08:56:35 -0800 (PST) Received: from e119884-lin.cambridge.arm.com (e119884-lin.cambridge.arm.com [10.1.196.72]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 0BCE13F719; Mon, 8 Feb 2021 08:56:33 -0800 (PST) From: Vincenzo Frascino To: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com Cc: Vincenzo Frascino , Andrew Morton , Catalin Marinas , Will Deacon , Dmitry Vyukov , Andrey Ryabinin , Alexander Potapenko , Marco Elver , Evgenii Stepanov , Branislav Rankov , Andrey Konovalov , Lorenzo Pieralisi Subject: [PATCH v12 4/7] arm64: mte: Enable TCO in functions that can read beyond buffer limits Date: Mon, 8 Feb 2021 16:56:14 +0000 Message-Id: <20210208165617.9977-5-vincenzo.frascino@arm.com> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210208165617.9977-1-vincenzo.frascino@arm.com> References: <20210208165617.9977-1-vincenzo.frascino@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org load_unaligned_zeropad() and __get/put_kernel_nofault() functions can read passed some buffer limits which may include some MTE granule with a different tag. When MTE async mode is enable, the load operation crosses the boundaries and the next granule has a different tag the PE sets the TFSR_EL1.TF1 bit as if an asynchronous tag fault is happened. Enable Tag Check Override (TCO) in these functions before the load and disable it afterwards to prevent this to happen. Note: The same condition can be hit in MTE sync mode but we deal with it through the exception handling. Cc: Catalin Marinas Cc: Will Deacon Reported-by: Branislav Rankov Tested-by: Branislav Rankov Signed-off-by: Vincenzo Frascino --- arch/arm64/include/asm/uaccess.h | 19 +++++++++++++++++++ arch/arm64/include/asm/word-at-a-time.h | 4 ++++ arch/arm64/kernel/mte.c | 10 ++++++++++ 3 files changed, 33 insertions(+) diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h index 0deb88467111..f43d78aee593 100644 --- a/arch/arm64/include/asm/uaccess.h +++ b/arch/arm64/include/asm/uaccess.h @@ -188,6 +188,21 @@ static inline void __uaccess_enable_tco(void) ARM64_MTE, CONFIG_KASAN_HW_TAGS)); } +/* Whether the MTE asynchronous mode is enabled. */ +DECLARE_STATIC_KEY_FALSE(mte_async_mode); + +static inline void __uaccess_disable_tco_async(void) +{ + if (static_branch_unlikely(&mte_async_mode)) + __uaccess_disable_tco(); +} + +static inline void __uaccess_enable_tco_async(void) +{ + if (static_branch_unlikely(&mte_async_mode)) + __uaccess_enable_tco(); +} + static inline void uaccess_disable_privileged(void) { __uaccess_disable_tco(); @@ -307,8 +322,10 @@ do { \ do { \ int __gkn_err = 0; \ \ + __uaccess_enable_tco_async(); \ __raw_get_mem("ldr", *((type *)(dst)), \ (__force type *)(src), __gkn_err); \ + __uaccess_disable_tco_async(); \ if (unlikely(__gkn_err)) \ goto err_label; \ } while (0) @@ -379,9 +396,11 @@ do { \ #define __put_kernel_nofault(dst, src, type, err_label) \ do { \ int __pkn_err = 0; \ + __uaccess_enable_tco_async(); \ \ __raw_put_mem("str", *((type *)(src)), \ (__force type *)(dst), __pkn_err); \ + __uaccess_disable_tco_async(); \ if (unlikely(__pkn_err)) \ goto err_label; \ } while(0) diff --git a/arch/arm64/include/asm/word-at-a-time.h b/arch/arm64/include/asm/word-at-a-time.h index 3333950b5909..c62d9fa791aa 100644 --- a/arch/arm64/include/asm/word-at-a-time.h +++ b/arch/arm64/include/asm/word-at-a-time.h @@ -55,6 +55,8 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) { unsigned long ret, offset; + __uaccess_enable_tco_async(); + /* Load word from unaligned pointer addr */ asm( "1: ldr %0, %3\n" @@ -76,6 +78,8 @@ static inline unsigned long load_unaligned_zeropad(const void *addr) : "=&r" (ret), "=&r" (offset) : "r" (addr), "Q" (*(unsigned long *)addr)); + __uaccess_disable_tco_async(); + return ret; } diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c index 92078e1eb627..60531afc706e 100644 --- a/arch/arm64/kernel/mte.c +++ b/arch/arm64/kernel/mte.c @@ -27,6 +27,10 @@ u64 gcr_kernel_excl __ro_after_init; static bool report_fault_once = true; +/* Whether the MTE asynchronous mode is enabled. */ +DEFINE_STATIC_KEY_FALSE(mte_async_mode); +EXPORT_SYMBOL_GPL(mte_async_mode); + static void mte_sync_page_tags(struct page *page, pte_t *ptep, bool check_swap) { pte_t old_pte = READ_ONCE(*ptep); @@ -170,6 +174,12 @@ void mte_enable_kernel_sync(void) void mte_enable_kernel_async(void) { __mte_enable_kernel("asynchronous", SCTLR_ELx_TCF_ASYNC); + + /* + * This function is called on each active smp core, we do not + * to take cpu_hotplug_lock again. + */ + static_branch_enable_cpuslocked(&mte_async_mode); } void mte_set_report_once(bool state) -- 2.30.0