On Mon, May 22, 2023 at 12:22:45PM -0700, Peter Collingbourne wrote:
> Consider the following sequence of events:
>
> 1) A page in a PROT_READ|PROT_WRITE VMA is faulted.
> 2) Page migration allocates a page with the KASAN allocator,
> causing it to receive a non-match-all tag, and uses it
> to replace the page faulted in 1.
> 3) The program uses mprotect() to enable PROT_MTE on the page faulted in 1.
>
> As a result of step 3, we are left with a non-match-all tag for a page
> with tags accessible to userspace, which can lead to the same kind of
> tag check faults that commit e74a68468062 ("arm64: Reset KASAN tag in
> copy_highpage with HW tags only") intended to fix.
>
> The general invariant that we have for pages in a VMA with VM_MTE_ALLOWED
> is that they cannot have a non-match-all tag. As a result of step 2, the
> invariant is broken. This means that the fix in the referenced commit
> was incomplete and we also need to reset the tag for pages without
> PG_mte_tagged.
>
> Fixes: e5b8d9218951 ("arm64: mte: reset the page tag in page->flags")
> Cc: <stable@xxxxxxxxxxxxxxx> # 5.15
> Link: https://linux-review.googlesource.com/id/I7409cdd41acbcb215c2a7417c1e50d37b875beff
> Signed-off-by: Peter Collingbourne <pcc@xxxxxxxxxx>
> Reviewed-by: Catalin Marinas <catalin.marinas@xxxxxxx>
> Link: https://lore.kernel.org/r/20230420210945.2313627-1-pcc@xxxxxxxxxx
> Signed-off-by: Will Deacon <will@xxxxxxxxxx>
> (cherry picked from commit 2efbafb91e12ff5a16cbafb0085e4c10c3fca493)
> ---
> arch/arm64/mm/copypage.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
Both backports now queued up, thanks.
greg k-h
