Date: Thu, 11 Mar 2021 13:25:10 +0000
From: Catalin Marinas
To: Vincenzo Frascino
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, Andrew Morton, Will Deacon, Dmitry Vyukov, Andrey Ryabinin, Alexander Potapenko, Marco Elver, Evgenii Stepanov, Branislav Rankov, Andrey Konovalov, Lorenzo Pieralisi
Subject: Re: [PATCH v14 8/8] kselftest/arm64: Verify that TCO is enabled in load_unaligned_zeropad()
Message-ID: <20210311132509.GB30821@arm.com>
References: <20210308161434.33424-1-vincenzo.frascino@arm.com> <20210308161434.33424-9-vincenzo.frascino@arm.com>
In-Reply-To: <20210308161434.33424-9-vincenzo.frascino@arm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 08, 2021 at 04:14:34PM +0000, Vincenzo Frascino wrote:
> load_unaligned_zeropad() and __get/put_kernel_nofault() functions can
> read past some buffer limits which may include some MTE granule with a
> different tag.
>
> When MTE async mode is enabled, the load operation crosses the boundaries
> and the next granule has a different tag, the PE sets the TFSR_EL1.TF1
> bit as if an asynchronous tag fault had happened:
>
> ==================================================================
> BUG: KASAN: invalid-access
> Asynchronous mode enabled: no access details available
>
> CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc1-ge1045c86620d-dirty #8
> Hardware name: FVP Base RevC (DT)
> Call trace:
>  dump_backtrace+0x0/0x1c0
>  show_stack+0x18/0x24
>  dump_stack+0xcc/0x14c
>  kasan_report_async+0x54/0x70
>  mte_check_tfsr_el1+0x48/0x4c
>  exit_to_user_mode+0x18/0x38
>  finish_ret_to_user+0x4/0x15c
> ==================================================================
>
> Verify that Tag Check Override (TCO) is enabled in these functions before
> the load and disable it afterwards to prevent this from happening.
>
> Note: The issue has been observed only with an MTE enabled userspace.

The above bug is all about kernel buffers. While userspace can trigger
the relevant code paths, it should not matter whether the user has MTE
enabled or not. Can you please confirm that you can still trigger the
fault with kernel-mode MTE but non-MTE user-space? If not, we may have a
bug somewhere as the two are unrelated: load_unaligned_zeropad() only
acts on kernel buffers and is subject to the kernel MTE tag check fault
mode.

I don't think we should have a user-space selftest for this. The bug is
not about a user-kernel interface, so an in-kernel test is more
appropriate. Could we instead add this to the kasan tests and call
load_unaligned_zeropad() and other functions directly?

-- 
Catalin
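The granule-crossing read the commit message describes, as an added model in plain C that is not part of the patch or of the kernel: the allocation tags, TFSR_EL1.TF1 and PSTATE.TCO are simulated with globals, and the granule layout is constructed for the illustration.

```c
/* Added model (plain C, not kernel code) of the MTE tag check that an
 * 8-byte load_unaligned_zeropad() load hits when it runs past the end of
 * its buffer into a granule with a different tag. Tags, TFSR_EL1.TF1 and
 * PSTATE.TCO are simulated with globals. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define GRANULE   16          /* MTE tag granule size in bytes */
#define NGRANULES 4           /* constructed 64-byte model memory */
#define BUF_TAG   0x3         /* tag of the buffer being read */
#define OTHER_TAG 0x7         /* tag of the neighbouring allocation */

static uint8_t mem_tag[NGRANULES]; /* allocation tag per granule */
static bool tfsr_tf1;              /* models TFSR_EL1.TF1 */
static bool pstate_tco;            /* models PSTATE.TCO (Tag Check Override) */

/* Constructed layout: granules 0-1 are the buffer, 2-3 another allocation. */
void mte_model_reset(void)
{
    mem_tag[0] = mem_tag[1] = BUF_TAG;
    mem_tag[2] = mem_tag[3] = OTHER_TAG;
    tfsr_tf1 = pstate_tco = false;
}

/* Async-mode check: every granule a len-byte load at addr touches must carry
 * ptr_tag. A mismatch does not abort the load; it only sets TF1, which the
 * kernel reports later (the kasan_report_async backtrace quoted above).
 * PSTATE.TCO suppresses the check entirely. */
static void mte_check_async(size_t addr, size_t len, uint8_t ptr_tag)
{
    if (pstate_tco)
        return;
    for (size_t g = addr / GRANULE; g <= (addr + len - 1) / GRANULE; g++)
        if (mem_tag[g] != ptr_tag)
            tfsr_tf1 = true;
}

/* Models one load_unaligned_zeropad() word load at addr, issued with the
 * buffer's tag. With tco set, TCO is enabled around the load and cleared
 * afterwards, as the patch does. Returns whether a tag fault was recorded. */
bool zeropad_load_faults(size_t addr, bool tco)
{
    mte_model_reset();
    pstate_tco = tco;
    mte_check_async(addr, 8, BUF_TAG);
    pstate_tco = false;
    return tfsr_tf1;
}
```

A load at offset 24 stays inside granule 1 and passes; a load at offset 28 touches bytes 28..35 and so reaches granule 2, which records a fault unless TCO is set around the load.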