    userfaultfd: do not untag user pointers · e71e2ace
    Peter Collingbourne authored
    Patch series "userfaultfd: do not untag user pointers", v5.
    
    If a user program uses userfaultfd on ranges of heap memory, it may end
    up passing a tagged pointer to the kernel in the range.start field of
    the UFFDIO_REGISTER ioctl.  This can happen when using an MTE-capable
    allocator, or on Android if using the Tagged Pointers feature for MTE
    readiness [1].
    
    When a fault subsequently occurs, the tag is stripped from the fault
    address returned to the application in the fault.address field of struct
    uffd_msg.  However, from the application's perspective, the tagged
    address *is* the memory address, so if the application is unaware of
    memory tags, it may get confused by receiving an address that is, from
    its point of view, outside of the bounds of the allocation.  We observed
    this behavior in the kselftest for userfaultfd [2] but other
    applications could have the same problem.
    
    Address this by not untagging pointers passed to the userfaultfd ioctls.
    Instead, let the system call fail.  Also change the kselftest to use
    mmap so that it doesn't encounter this problem.
    
    [1] https://source.android.com/devices/tech/debug/tagged-pointers
    [2] tools/testing/selftests/vm/userfaultfd.c
    
    This patch (of 2):
    
    Do not untag pointers passed to the userfaultfd ioctls.  Instead, let
    the system call fail.  This will provide an early indication of problems
    with tag-unaware userspace code instead of letting the code get confused
    later, and is consistent with how we decided to handle brk/mmap/mremap
    in commit dcde2373 ("mm: Avoid creating virtual address aliases in
    brk()/mmap()/mremap()"), as well as being consistent with the existing
    tagged address ABI documentation relating to how ioctl arguments are
    handled.
    
    The code change is a revert of commit 7d032574 ("userfaultfd: untag
    user pointers") plus some fixups to some additional calls to
    validate_range that have appeared since then.
    
    [1] https://source.android.com/devices/tech/debug/tagged-pointers
    [2] tools/testing/selftests/vm/userfaultfd.c
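The following is an added example, not code from this commit or from the kernel: a small userspace model of the two behaviours the commit message contrasts. `model_validate_range_untagging` stands for the reverted approach (strip the top byte, then validate), `model_validate_range_strict` for the behaviour after this patch (validate the address exactly as userspace passed it, so a tagged pointer fails early), and `model_app_owns_fault` shows why a tag-unaware application is confused when an untagged `fault.address` is compared against its tagged allocation bounds. The page size, the top-byte tag layout, the 2^48 address ceiling and all function names are assumptions of this model, not the kernel's definitions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed userspace model of the userfaultfd range check before and
 * after this commit.  It is not the kernel's code.  Assumptions: 4 KiB pages,
 * arm64 top-byte-ignore layout (tag in bits 56..63), and a model user
 * address ceiling of 2^48 standing in for the kernel's task size.
 */
#define MODEL_PAGE_SIZE 4096ULL
#define MODEL_TAG_SHIFT 56
#define MODEL_TAG_MASK  (0xffULL << MODEL_TAG_SHIFT)
#define MODEL_TASK_SIZE (1ULL << 48)

/* Strip the top byte: what the reverted untagging did to range.start. */
static inline uint64_t model_untag(uint64_t addr)
{
	return addr & ~MODEL_TAG_MASK;
}

/* Attach a tag: how an MTE-capable allocator or Android's Tagged Pointers
 * feature hands out heap pointers to the application. */
static inline uint64_t model_tag(uint64_t addr, uint8_t tag)
{
	return model_untag(addr) | ((uint64_t)tag << MODEL_TAG_SHIFT);
}

/* After the fix: validate the address exactly as userspace passed it.
 * A non-zero top byte lands above MODEL_TASK_SIZE, so a tagged pointer is
 * rejected immediately instead of being accepted and confusing the
 * application later. */
int model_validate_range_strict(uint64_t start, uint64_t len)
{
	if (start & (MODEL_PAGE_SIZE - 1))   /* page-aligned start */
		return -EINVAL;
	if (len & (MODEL_PAGE_SIZE - 1))     /* page-aligned length */
		return -EINVAL;
	if (len == 0)
		return -EINVAL;
	if (start >= MODEL_TASK_SIZE)        /* tagged or otherwise out of range */
		return -EINVAL;
	if (len > MODEL_TASK_SIZE - start)   /* end must not wrap past the ceiling */
		return -EINVAL;
	return 0;
}

/* Before the fix: untag first, then validate.  The tagged pointer passes,
 * but every fault.address later delivered to the application is untagged. */
int model_validate_range_untagging(uint64_t start, uint64_t len)
{
	return model_validate_range_strict(model_untag(start), len);
}

/* What a tag-unaware application does with fault.address: compare it
 * against the (tagged) bounds of its own allocation. */
bool model_app_owns_fault(uint64_t app_start, uint64_t len, uint64_t fault_addr)
{
	return fault_addr >= app_start && fault_addr - app_start < len;
}

int main(void)
{
	uint64_t plain  = 0x10000;                  /* e.g. an mmap()ed, page-aligned region */
	uint64_t tagged = model_tag(plain, 0x5a);   /* the same region via a tagging allocator */
	uint64_t fault  = model_untag(tagged + 16); /* fault.address as the kernel reports it */

	printf("plain  strict=%d\n", model_validate_range_strict(plain, MODEL_PAGE_SIZE));
	printf("tagged strict=%d untagging=%d\n",
	       model_validate_range_strict(tagged, MODEL_PAGE_SIZE),
	       model_validate_range_untagging(tagged, MODEL_PAGE_SIZE));
	printf("app sees fault inside tagged range: %s\n",
	       model_app_owns_fault(tagged, MODEL_PAGE_SIZE, fault) ? "yes" : "no");
	return 0;
}
```

With the strict check the tagged registration is refused up front; with the untagging check it is accepted, and the later untagged fault address falls outside the application's own view of its allocation, which is the confusion the kselftest ran into and the reason it was moved to mmap-backed memory.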
    
    Link: https://lkml.kernel.org/r/20210714195437.118982-1-pcc@google.com
    Link: https://lkml.kernel.org/r/20210714195437.118982-2-pcc@google.com
    Link: https://linux-review.googlesource.com/id/I761aa9f0344454c482b83fcfcce547db0a25501b
    Fixes: 63f0c603 ("arm64: Introduce prctl() options to control the tagged user addresses ABI")
    Signed-off-by: Peter Collingbourne <pcc@google.com>
    Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
    Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
    Cc: Alistair Delva <adelva@google.com>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: Dave Martin <Dave.Martin@arm.com>
    Cc: Evgenii Stepanov <eugenis@google.com>
    Cc: Lokesh Gidra <lokeshgidra@google.com>
    Cc: Mitch Phillips <mitchp@google.com>
    Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
    Cc: Will Deacon <will@kernel.org>
    Cc: William McVicker <willmcvicker@google.com>
    Cc: <stable@vger.kernel.org>	[5.4]
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>