[PATCH] userfaultfd: preserve user-supplied address tag in struct uffd_msg

Andrew Morton akpm at linux-foundation.org
Wed Jun 30 16:08:31 PDT 2021


On Mon, 28 Jun 2021 18:20:10 -0700 Peter Collingbourne <pcc at google.com> wrote:

> If a user program uses userfaultfd on ranges of heap memory, it may
> end up passing a tagged pointer to the kernel in the range.start
> field of the UFFDIO_REGISTER ioctl. This can happen when using an
> MTE-capable allocator, or on Android if using the Tagged Pointers
> feature for MTE readiness [1].
> 
> When a fault subsequently occurs, the tag is stripped from the fault
> address returned to the application in the fault.address field
> of struct uffd_msg. However, from the application's perspective,
> the tagged address *is* the memory address, so if the application
> is unaware of memory tags, it may get confused by receiving an
> address that is, from its point of view, outside of the bounds of the
> allocation. We observed this behavior in the kselftest for userfaultfd
> [2] but other applications could have the same problem.
> 
> Fix this by remembering which tag was used to originally register the
> userfaultfd and passing that tag back in fault.address. In a future
> enhancement, we may want to pass back the original fault address,
> but like SA_EXPOSE_TAGBITS, this should be guarded by a flag.

Do we have a Fixes: for this?

Is a -stable backport warranted?
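The tag-stripping behaviour the commit message describes can be modelled without real userfaultfd. The following is an added example, not code from the patch or from the kernel: it assumes the arm64 layout in which the top byte (bits 63:56) of a user pointer is ignored by address translation and carries the tag, models the kernel's untagging as clearing that byte, and compares the fault address a tag-unaware application sees before the fix (tag stripped) with the one it sees after the fix (the tag from the registered range.start re-applied). The struct, function names and addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed arm64 layout: the top byte of a user pointer holds the tag and is
 * ignored by translation. Constants are illustrative, not kernel code. */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

/* Model of the kernel untagging a user address: drop the top byte
 * (user addresses have bit 55 clear, so this matches sign-extension from bit 55). */
static uint64_t untagged_addr(uint64_t addr)
{
    return addr & ~TAG_MASK;
}

/* Model of what a tagging allocator hands out: address with a tag byte set. */
static uint64_t tag_addr(uint64_t addr, unsigned tag)
{
    return untagged_addr(addr) | ((uint64_t)(tag & 0xff) << TAG_SHIFT);
}

/* Constructed registration record. saved_tag is what the fix adds:
 * the tag taken from the application's range.start at UFFDIO_REGISTER time. */
struct uffd_range {
    uint64_t start;     /* untagged, as the kernel works with it */
    uint64_t len;
    unsigned saved_tag; /* tag byte from the registered start address */
};

static void uffd_register(struct uffd_range *r, uint64_t start, uint64_t len)
{
    r->start = untagged_addr(start);
    r->len = len;
    r->saved_tag = (unsigned)((start & TAG_MASK) >> TAG_SHIFT);
}

/* fault.address before the fix: the tag is stripped. */
static uint64_t report_fault_old(const struct uffd_range *r, uint64_t fault)
{
    (void)r;
    return untagged_addr(fault);
}

/* fault.address after the fix: the tag used at registration is re-applied. */
static uint64_t report_fault_fixed(const struct uffd_range *r, uint64_t fault)
{
    return tag_addr(fault, r->saved_tag);
}

/* Bounds check as a tag-unaware application writes it: a plain integer
 * comparison against the tagged pointer it registered. */
static bool app_in_range(uint64_t app_start, uint64_t len, uint64_t addr)
{
    return addr >= app_start && addr < app_start + len;
}

int main(void)
{
    /* Constructed input: a 2-page heap region at 0x7f0000001000 with tag 0x3a. */
    uint64_t app_start = tag_addr(0x7f0000001000ULL, 0x3a);
    uint64_t len = 0x2000;
    struct uffd_range r;
    uffd_register(&r, app_start, len);

    /* A fault 0x1234 bytes into the region, as the kernel sees it. */
    uint64_t fault = r.start + 0x1234;

    uint64_t old = report_fault_old(&r, fault);
    uint64_t fixed = report_fault_fixed(&r, fault);

    printf("registered start : 0x%016llx\n", (unsigned long long)app_start);
    printf("old fault.address: 0x%016llx in range: %s\n",
           (unsigned long long)old, app_in_range(app_start, len, old) ? "yes" : "no");
    printf("new fault.address: 0x%016llx in range: %s\n",
           (unsigned long long)fixed, app_in_range(app_start, len, fixed) ? "yes" : "no");
    return 0;
}
```

The stripped address fails the application's own bounds check purely because the integer comparison includes the tag byte; re-applying the registration tag makes the reported address compare within the range again, while the untagged part of the address is unchanged.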


