On Wed, Jun 30, 2021 at 4:08 PM Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Mon, 28 Jun 2021 18:20:10 -0700 Peter Collingbourne <pcc@xxxxxxxxxx> wrote:
>
> > If a user program uses userfaultfd on ranges of heap memory, it may
> > end up passing a tagged pointer to the kernel in the range.start
> > field of the UFFDIO_REGISTER ioctl. This can happen when using an
> > MTE-capable allocator, or on Android if using the Tagged Pointers
> > feature for MTE readiness [1].
> >
> > When a fault subsequently occurs, the tag is stripped from the fault
> > address returned to the application in the fault.address field
> > of struct uffd_msg. However, from the application's perspective,
> > the tagged address *is* the memory address, so if the application
> > is unaware of memory tags, it may get confused by receiving an
> > address that is, from its point of view, outside of the bounds of the
> > allocation. We observed this behavior in the kselftest for userfaultfd
> > [2] but other applications could have the same problem.
> >
> > Fix this by remembering which tag was used to originally register the
> > userfaultfd and passing that tag back in fault.address. In a future
> > enhancement, we may want to pass back the original fault address,
> > but like SA_EXPOSE_TAGBITS, this should be guarded by a flag.
>
> Do we have a Fixes: for this?
>
> Is a -stable backport warranted?

Good point. I think this was an oversight in the original tagged address
ABI, so the appropriate Fixes would be the one that introduced the
prctl(). A stable backport seems reasonable; that's what we're planning
to do in our Android kernel branch anyway.

Added the tags in v2.

Peter
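The failure mode in the quoted patch description, modelled in userspace as an added example (this is constructed illustration code, not the kernel patch or any code from the thread). It assumes the ARM64 Top Byte Ignore layout, where the tag lives in bits 63:56 of a pointer, and models the kernel's tag stripping and the fix's "remember the registration tag and reapply it" behaviour with two small helpers; a tag-unaware application bounds check then shows why the stripped fault.address looks out of bounds before the fix and in bounds after it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not kernel code: with ARM64 TBI the top byte of a
 * user pointer carries a tag that the hardware ignores on access. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

/* Model of the kernel dropping the tag from a user address. */
static uint64_t strip_tag(uint64_t addr) { return addr & ~TAG_MASK; }

/* Tag byte of an address. */
static uint8_t tag_of(uint64_t addr) { return (uint8_t)(addr >> TAG_SHIFT); }

/* Model of the fix: put the tag seen in range.start at UFFDIO_REGISTER
 * time back onto the (untagged) fault address before reporting it. */
static uint64_t restore_tag(uint64_t untagged, uint8_t tag) {
    return strip_tag(untagged) | ((uint64_t)tag << TAG_SHIFT);
}

/* A tag-unaware application compares fault.address against the tagged
 * pointer it got from its allocator, as raw 64-bit integers. */
static bool app_in_allocation(uint64_t fault_addr, uint64_t alloc_start,
                              uint64_t alloc_len) {
    return fault_addr >= alloc_start && fault_addr < alloc_start + alloc_len;
}

/* fault.address the application sees for one fault, before (fixed=false)
 * and after (fixed=true) the behaviour described in the patch. */
static uint64_t reported_fault_address(uint64_t registered_start,
                                       uint64_t hw_fault_addr, bool fixed) {
    uint8_t reg_tag = tag_of(registered_start);
    uint64_t untagged = strip_tag(hw_fault_addr); /* kernel strips the tag */
    return fixed ? restore_tag(untagged, reg_tag) : untagged;
}

int main(void) {
    /* Constructed sample: a tagged heap allocation (tag 0x0a) registered
     * with userfaultfd, then a fault 0x80 bytes into it. */
    uint64_t alloc = 0x0a00007f12340000ULL, len = 0x1000;
    uint64_t fault = alloc + 0x80;

    uint64_t before = reported_fault_address(alloc, fault, false);
    uint64_t after = reported_fault_address(alloc, fault, true);
    printf("before fix: 0x%016llx in allocation? %d\n",
           (unsigned long long)before, app_in_allocation(before, alloc, len));
    printf("after fix:  0x%016llx in allocation? %d\n",
           (unsigned long long)after, app_in_allocation(after, alloc, len));
    return 0;
}
```

The tag-unaware check is exactly what the userfaultfd kselftest mentioned in the thread effectively does: it treats the tagged pointer as the true address, so an untagged fault.address compares below the allocation start.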