On Wed, Apr 29, 2020 at 05:46:07PM +0100, Dave P Martin wrote:
> On Tue, Apr 21, 2020 at 03:25:59PM +0100, Catalin Marinas wrote:
> > Add support for bulk setting/getting of the MTE tags in a tracee's
> > address space at 'addr' in the ptrace() syscall prototype. 'data' points
> > to a struct iovec in the tracer's address space with iov_base
> > representing the address of a tracer's buffer of length iov_len. The
> > tags to be copied to/from the tracer's buffer are stored as one tag per
> > byte.
> >
> > On successfully copying at least one tag, ptrace() returns 0 and updates
> > the tracer's iov_len with the number of tags copied. In case of error,
> > either -EIO or -EFAULT is returned, trying to follow the ptrace() man
> > page.
> >
> > Note that the tag copying functions are not performance critical,
> > therefore they lack optimisations found in typical memory copy routines.
>
> Doesn't quite belong here, but:
>
> Can we dump the tags and possible the faulting mode etc. when dumping
> core?
Yes, a regset containing GCR_EL1 and SCTLR_EL1.TCF0 bits, maybe
TFSRE_EL1 could be useful. Discussing with Luis M (cc'ed, working on gdb
support), he didn't have an immediate need for this but it can be added
as a new patch.
Also coredump containing the tags may also be useful, I just have to
figure out how.
> These could probably be added later, though.
Yes, it wouldn't be a (breaking) ABI change if we do them later, just an
addition.
> > diff --git a/arch/arm64/kernel/mte.c b/arch/arm64/kernel/mte.c
> > index fa4a4196b248..0cb496ed9bf9 100644
> > --- a/arch/arm64/kernel/mte.c
> > +++ b/arch/arm64/kernel/mte.c
> > @@ -133,3 +138,125 @@ long get_mte_ctrl(void)
> >
> > return ret;
> > }
> > +
> > +/*
> > + * Access MTE tags in another process' address space as given in mm. Update
> > + * the number of tags copied. Return 0 if any tags copied, error otherwise.
> > + * Inspired by __access_remote_vm().
> > + */
> > +static int __access_remote_tags(struct task_struct *tsk, struct mm_struct *mm,
> > + unsigned long addr, struct iovec *kiov,
> > + unsigned int gup_flags)
> > +{
> > + struct vm_area_struct *vma;
> > + void __user *buf = kiov->iov_base;
> > + size_t len = kiov->iov_len;
> > + int ret;
> > + int write = gup_flags & FOLL_WRITE;
> > +
> > + if (down_read_killable(&mm->mmap_sem))
> > + return -EIO;
> > +
> > + if (!access_ok(buf, len))
> > + return -EFAULT;
>
> Leaked down_read()?
Ah, wrongly placed access_ok() check.
> > +int mte_ptrace_copy_tags(struct task_struct *child, long request,
> > + unsigned long addr, unsigned long data)
> > +{
> > + int ret;
> > + struct iovec kiov;
> > + struct iovec __user *uiov = (void __user *)data;
> > + unsigned int gup_flags = FOLL_FORCE;
> > +
> > + if (!system_supports_mte())
> > + return -EIO;
> > +
> > + if (get_user(kiov.iov_base, &uiov->iov_base) ||
> > + get_user(kiov.iov_len, &uiov->iov_len))
> > + return -EFAULT;
> > +
> > + if (request == PTRACE_POKEMTETAGS)
> > + gup_flags |= FOLL_WRITE;
> > +
> > + /* align addr to the MTE tag granule */
> > + addr &= MTE_ALLOC_MASK;
> > +
> > + ret = access_remote_tags(child, addr, &kiov, gup_flags);
> > + if (!ret)
> > + ret = __put_user(kiov.iov_len, &uiov->iov_len);
>
> Should this be put_user()? We didn't use __get_user() above, and I
> don't see what guards the access.
It doesn't make any difference on arm64 (it's just put_user) but we had
get_user() to check the access to &uiov->iov_len already above.
> > + default:
> > + ret = ptrace_request(child, request, addr, data);
> > + break;
> > + }
> > +
> > + return ret;
> > }
> >
> > enum ptrace_syscall_dir {
> > diff --git a/arch/arm64/lib/mte.S b/arch/arm64/lib/mte.S
> > index bd51ea7e2fcb..45be04a8c73c 100644
> > --- a/arch/arm64/lib/mte.S
> > +++ b/arch/arm64/lib/mte.S
> > @@ -5,6 +5,7 @@
> > #include <linux/linkage.h>
> >
> > #include <asm/assembler.h>
> > +#include <asm/mte.h>
> >
> > /*
> > * Compare tags of two pages
> > @@ -44,3 +45,52 @@ SYM_FUNC_START(mte_memcmp_pages)
> >
> > ret
> > SYM_FUNC_END(mte_memcmp_pages)
> > +
> > +/*
> > + * Read tags from a user buffer (one tag per byte) and set the corresponding
> > + * tags at the given kernel address. Used by PTRACE_POKEMTETAGS.
> > + * x0 - kernel address (to)
> > + * x1 - user buffer (from)
> > + * x2 - number of tags/bytes (n)
>
> Is it worth checking for x2 == 0? Currently, x2 will underflow and
> we'll try to loop 2^64 times (until a fault stops us).
>
> I don't think callers currently pass 0 here, but it feels like an
> accident waiting to happen. Things like memcpy() usually try to close
> this loophole.
Good point.
Thanks.
--
Catalin
