On Mon, 28 Jun 2021 18:20:10 -0700 Peter Collingbourne <pcc@xxxxxxxxxx> wrote:

> If a user program uses userfaultfd on ranges of heap memory, it may
> end up passing a tagged pointer to the kernel in the range.start
> field of the UFFDIO_REGISTER ioctl. This can happen when using an
> MTE-capable allocator, or on Android if using the Tagged Pointers
> feature for MTE readiness [1].
>
> When a fault subsequently occurs, the tag is stripped from the fault
> address returned to the application in the fault.address field
> of struct uffd_msg. However, from the application's perspective,
> the tagged address *is* the memory address, so if the application
> is unaware of memory tags, it may get confused by receiving an
> address that is, from its point of view, outside of the bounds of the
> allocation. We observed this behavior in the kselftest for userfaultfd
> [2] but other applications could have the same problem.
>
> Fix this by remembering which tag was used to originally register the
> userfaultfd and passing that tag back in fault.address. In a future
> enhancement, we may want to pass back the original fault address,
> but like SA_EXPOSE_TAGBITS, this should be guarded by a flag.

Do we have a Fixes: for this? Is a -stable backport warranted?
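The mismatch the commit message describes, as an added example that is not part of the patch or of this thread: a small C program that registers one anonymous page with userfaultfd, takes the first fault on a helper thread, and runs the application-side bounds check on fault.address both the naive way (tagged base against stripped address) and with the top byte cleared on both sides. On arm64 with the tagged address ABI enabled via prctl(PR_SET_TAGGED_ADDR_CTRL) it registers a tagged start so the stripped address can be observed against the tagged base; on other architectures the tag is 0 and it is an ordinary userfaultfd round trip. The tag value 0x5, the helper names and the zero-filled page contents are assumptions made for the example; restore_registered_tag models in user space what the patch does in the kernel and is not kernel code.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/userfaultfd.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* arm64 TBI ignores bits 63:56 of a pointer for translation; MTE keeps its
 * 4-bit allocation tag in bits 59:56. The kernel's untagged_addr() clears
 * the whole top byte, which is what a stripped fault.address looks like. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

static inline uint64_t untag(uint64_t addr) { return addr & ~TAG_MASK; }

static inline uint64_t set_tag(uint64_t addr, unsigned tag)
{
    return untag(addr) | ((uint64_t)tag << TAG_SHIFT);
}

/* Bounds check as a tag-unaware handler writes it. A stripped fault address
 * is numerically far below a tagged base, so the fault looks out of range. */
static int naive_in_range(uint64_t base, uint64_t len, uint64_t fault)
{
    return fault >= base && fault < base + len;
}

/* Same check with the top byte cleared on both sides: works on any kernel. */
static int untagged_in_range(uint64_t base, uint64_t len, uint64_t fault)
{
    uint64_t b = untag(base), f = untag(fault);
    return f >= b && f < b + len;
}

/* User-space model of the patched kernel behaviour: the tag passed in
 * UFFDIO_REGISTER's range.start is put back on the stripped fault address. */
static uint64_t restore_registered_tag(uint64_t registered_start, uint64_t fault)
{
    return untag(fault) | (registered_start & TAG_MASK);
}

static void *touch_page(void *p)
{
    /* First access to a MISSING-registered page blocks until UFFDIO_COPY. */
    return (void *)(uintptr_t)*(volatile unsigned char *)p;
}

static unsigned char zero_page[65536];   /* assumed >= page size; source for UFFDIO_COPY */

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) { perror("mmap"); return 1; }

    /* Tag the registered start only where the kernel accepts tagged syscall
     * arguments; elsewhere this degrades to a round trip with tag 0. */
    uint64_t base = (uint64_t)(uintptr_t)mem;
#if defined(__aarch64__) && defined(PR_TAGGED_ADDR_ENABLE)
    if (prctl(PR_SET_TAGGED_ADDR_CTRL, PR_TAGGED_ADDR_ENABLE, 0, 0, 0) == 0)
        base = set_tag(base, 0x5);   /* assumed tag value for the example */
#endif

    int flags = O_CLOEXEC;
#ifdef UFFD_USER_MODE_ONLY
    flags |= UFFD_USER_MODE_ONLY;    /* lets unprivileged callers handle user faults */
#endif
    int uffd = (int)syscall(__NR_userfaultfd, flags);
    if (uffd < 0) { perror("userfaultfd"); return 1; }
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    if (ioctl(uffd, UFFDIO_API, &api) < 0) { perror("UFFDIO_API"); return 1; }
    struct uffdio_register reg = { .range = { .start = base, .len = page },
                                   .mode = UFFDIO_REGISTER_MODE_MISSING };
    if (ioctl(uffd, UFFDIO_REGISTER, &reg) < 0) { perror("UFFDIO_REGISTER"); return 1; }

    pthread_t t;
    if (pthread_create(&t, NULL, touch_page, mem) != 0) { perror("pthread_create"); return 1; }

    struct uffd_msg msg;
    if (read(uffd, &msg, sizeof msg) != (ssize_t)sizeof msg ||
        msg.event != UFFD_EVENT_PAGEFAULT) { fprintf(stderr, "unexpected uffd message\n"); return 1; }
    uint64_t fault = msg.arg.pagefault.address;
    printf("registered start %#llx, fault.address %#llx, with registered tag restored %#llx\n",
           (unsigned long long)base, (unsigned long long)fault,
           (unsigned long long)restore_registered_tag(base, fault));
    printf("naive bounds check: %d, untagged bounds check: %d\n",
           naive_in_range(base, page, fault), untagged_in_range(base, page, fault));

    /* Resolve the fault so the helper thread can finish. */
    struct uffdio_copy cp = { .dst = untag(base), .src = (uint64_t)(uintptr_t)zero_page,
                              .len = page, .mode = 0 };
    if (ioctl(uffd, UFFDIO_COPY, &cp) < 0) { perror("UFFDIO_COPY"); return 1; }
    pthread_join(t, NULL);
    return 0;
}
```

Build with `cc -pthread` and run on Linux. On an unpatched arm64 kernel with the tag applied, the naive check prints 0 and the untagged check prints 1; on a patched kernel (or with tag 0) both print 1. If UFFDIO_REGISTER or the userfaultfd syscall fails with EPERM, the kernel restricts unprivileged userfaultfd (sysctl vm.unprivileged_userfaultfd); the UFFD_USER_MODE_ONLY flag is used when the headers define it so user-mode-only fault handling stays available.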