[PATCH v14 8/8] kselftest/arm64: Verify that TCO is enabled in load_unaligned_zeropad()
Catalin Marinas
catalin.marinas at arm.com
Thu Mar 11 13:25:10 GMT 2021
On Mon, Mar 08, 2021 at 04:14:34PM +0000, Vincenzo Frascino wrote:
> load_unaligned_zeropad() and __get/put_kernel_nofault() functions can
> read past some buffer limits which may include some MTE granule with a
> different tag.
>
> When MTE async mode is enabled, the load operation crosses the boundaries
> and the next granule has a different tag, the PE sets the TFSR_EL1.TF1
> bit as if an asynchronous tag fault has happened:
>
> ==================================================================
> BUG: KASAN: invalid-access
> Asynchronous mode enabled: no access details available
>
> CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc1-ge1045c86620d-dirty #8
> Hardware name: FVP Base RevC (DT)
> Call trace:
> dump_backtrace+0x0/0x1c0
> show_stack+0x18/0x24
> dump_stack+0xcc/0x14c
> kasan_report_async+0x54/0x70
> mte_check_tfsr_el1+0x48/0x4c
> exit_to_user_mode+0x18/0x38
> finish_ret_to_user+0x4/0x15c
> ==================================================================
>
> Verify that Tag Check Override (TCO) is enabled in these functions before
> the load and disable it afterwards to prevent this from happening.
>
> Note: The issue has been observed only with an MTE enabled userspace.

The above bug is all about kernel buffers. While userspace can trigger
the relevant code paths, it should not matter whether the user has MTE
enabled or not. Can you please confirm that you can still trigger the
fault with kernel-mode MTE but non-MTE user-space? If not, we may have a
bug somewhere as the two are unrelated: load_unaligned_zeropad() only
acts on kernel buffers and is subject to the kernel MTE tag check fault
mode.

I don't think we should have a user-space selftest for this. The bug is
not about a user-kernel interface, so an in-kernel test is more
appropriate. Could we instead add this to the kasan tests and call
load_unaligned_zeropad() and other functions directly?
--
Catalin
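
The behaviour discussed in this thread, as an added user-space C model that is not code from the patch or from the kernel: a word load that starts inside a tagged buffer and spills into a neighbouring granule with a different tag latches the asynchronous fault bit unless TCO is set around the load. The struct, the function names, the tag values 3 and 7 and the 4-granule layout are constructed for illustration; only the 16-byte granule size, PSTATE.TCO and TFSR_EL1.TF1 are architectural.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define GRANULE   16   /* MTE tag granule size in bytes */
#define NGRANULES 4    /* constructed memory: 4 granules */

struct mte_model {
    uint8_t tags[NGRANULES]; /* allocation tag of each granule */
    bool tco;                /* models PSTATE.TCO */
    bool tf1;                /* models the sticky TFSR_EL1.TF1 bit */
};

/* Async-mode tag check: a mismatch only latches tf1, the access completes. */
static void model_load(struct mte_model *m, uint8_t ptr_tag, size_t off, size_t len)
{
    if (m->tco)
        return;                       /* checks are suppressed while TCO is set */
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        if (m->tags[g] != ptr_tag)
            m->tf1 = true;
}

/*
 * 8-byte word load starting at byte offset off of a 32-byte buffer
 * (granules 0-1, tag 3) whose neighbour (granules 2-3) carries tag 7.
 * Returns whether TF1 is left set for the later TFSR_EL1 check.
 */
static bool word_load_latches_fault(size_t off, bool wrap_in_tco)
{
    struct mte_model m = { .tags = { 3, 3, 7, 7 } };

    m.tco = wrap_in_tco;              /* set TCO before the load */
    model_load(&m, 3, off, sizeof(uint64_t));
    m.tco = false;                    /* clear TCO afterwards */
    return m.tf1;
}

int main(void)
{
    /* Offset 29: last 3 bytes of the buffer, 5 bytes spill into the neighbour. */
    return !(word_load_latches_fault(29, false) && !word_load_latches_fault(29, true));
}
```

In the model, as in the report quoted above, the fault is only latched at the time of the load; nothing about the access itself is recorded, which matches the "no access details available" line.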