On Thu, Apr 30, 2020 at 11:21:32AM +0100, Catalin Marinas wrote:
> On Wed, Apr 29, 2020 at 05:46:07PM +0100, Dave P Martin wrote:
> > On Tue, Apr 21, 2020 at 03:25:59PM +0100, Catalin Marinas wrote:
> > > Add support for bulk setting/getting of the MTE tags in a tracee's
> > > address space at 'addr' in the ptrace() syscall prototype. 'data' points
> > > to a struct iovec in the tracer's address space with iov_base
> > > representing the address of a tracer's buffer of length iov_len. The
> > > tags to be copied to/from the tracer's buffer are stored as one tag per
> > > byte.
> > >
> > > On successfully copying at least one tag, ptrace() returns 0 and updates
> > > the tracer's iov_len with the number of tags copied. In case of error,
> > > either -EIO or -EFAULT is returned, trying to follow the ptrace() man
> > > page.
> > >
> > > Note that the tag copying functions are not performance critical,
> > > therefore they lack optimisations found in typical memory copy routines.
> >
> > Doesn't quite belong here, but:
> >
> > Can we dump the tags and possible the faulting mode etc. when dumping
> > core?
>
> Yes, a regset containing GCR_EL1 and SCTLR_EL1.TCF0 bits, maybe
> TFSRE_EL1 could be useful. Discussing with Luis M (cc'ed, working on gdb
> support), he didn't have an immediate need for this but it can be added
> as a new patch.
>
> Also coredump containing the tags may also be useful, I just have to
> figure out how.
>
> > These could probably be added later, though.
>
> Yes, it wouldn't be a (breaking) ABI change if we do them later, just an
> addition.
Agreed
> > > diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
> > > index fa4a4196b248..0cb496ed9bf9 100644
> > > --- a/arch/arm64/kernel/mte.c
> > > +++ b/arch/arm64/kernel/mte.c
> > > @@ -133,3 +138,125 @@ long get_mte_ctrl(void)
> > >
> > > return ret;
> > > }
> > > +
> > > +/*
> > > + * Access MTE tags in another process' address space as given in mm. Update
> > > + * the number of tags copied. Return 0 if any tags copied, error otherwise.
> > > + * Inspired by __access_remote_vm().
> > > + */
> > > +static int __access_remote_tags(struct task_struct *tsk, struct mm_struct *mm,
> > > + unsigned long addr, struct iovec *kiov,
> > > + unsigned int gup_flags)
> > > +{
> > > + struct vm_area_struct *vma;
> > > + void __user *buf = kiov->iov_base;
> > > + size_t len = kiov->iov_len;
> > > + int ret;
> > > + int write = gup_flags & FOLL_WRITE;
> > > +
> > > + if (down_read_killable(&mm->mmap_sem))
> > > + return -EIO;
> > > +
> > > + if (!access_ok(buf, len))
> > > + return -EFAULT;
> >
> > Leaked down_read()?
>
> Ah, wrongly placed access_ok() check.
>
> > > +int mte_ptrace_copy_tags(struct task_struct *child, long request,
> > > + unsigned long addr, unsigned long data)
> > > +{
> > > + int ret;
> > > + struct iovec kiov;
> > > + struct iovec __user *uiov = (void __user *)data;
> > > + unsigned int gup_flags = FOLL_FORCE;
> > > +
> > > + if (!system_supports_mte())
> > > + return -EIO;
> > > +
> > > + if (get_user(kiov.iov_base, &uiov->iov_base) ||
> > > + get_user(kiov.iov_len, &uiov->iov_len))
> > > + return -EFAULT;
> > > +
> > > + if (request == PTRACE_POKEMTETAGS)
> > > + gup_flags |= FOLL_WRITE;
> > > +
> > > + /* align addr to the MTE tag granule */
> > > + addr &= MTE_ALLOC_MASK;
> > > +
> > > + ret = access_remote_tags(child, addr, &kiov, gup_flags);
> > > + if (!ret)
> > > + ret = __put_user(kiov.iov_len, &uiov->iov_len);
> >
> > Should this be put_user()? We didn't use __get_user() above, and I
> > don't see what guards the access.
>
> It doesn't make any difference on arm64 (it's just put_user) but we had
> get_user() to check the access to &uiov->iov_len already above.
Given that this isn't a critical path, I'd opt for now relying on side-
effects, since this could lead to mismaintenance in the future -- or
badly educate people who read the code.
That's just my preference though.
[...]
Cheers
---Dave
