[PATCH] userfaultfd: preserve user-supplied address tag in struct uffd_msg

Peter Collingbourne pcc at google.com
Wed Jun 30 16:29:38 PDT 2021


On Wed, Jun 30, 2021 at 4:08 PM Andrew Morton <akpm at linux-foundation.org> wrote:
>
> On Mon, 28 Jun 2021 18:20:10 -0700 Peter Collingbourne <pcc at google.com> wrote:
>
> > If a user program uses userfaultfd on ranges of heap memory, it may
> > end up passing a tagged pointer to the kernel in the range.start
> > field of the UFFDIO_REGISTER ioctl. This can happen when using an
> > MTE-capable allocator, or on Android if using the Tagged Pointers
> > feature for MTE readiness [1].
> >
> > When a fault subsequently occurs, the tag is stripped from the fault
> > address returned to the application in the fault.address field
> > of struct uffd_msg. However, from the application's perspective,
> > the tagged address *is* the memory address, so if the application
> > is unaware of memory tags, it may get confused by receiving an
> > address that is, from its point of view, outside of the bounds of the
> > allocation. We observed this behavior in the kselftest for userfaultfd
> > [2] but other applications could have the same problem.
> >
> > Fix this by remembering which tag was used to originally register the
> > userfaultfd and passing that tag back in fault.address. In a future
> > enhancement, we may want to pass back the original fault address,
> > but like SA_EXPOSE_TAGBITS, this should be guarded by a flag.
>
> Do we have a Fixes: for this?
>
> Is a -stable backport warranted?

Good point. I think this was an oversight in the original tagged
address ABI, so the appropriate Fixes would be the one that introduced
the prctl(). A stable backport seems reasonable, that's what we're
planning to do in our Android kernel branch anyway. Added the tags in
v2.

Peter
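A small model of the behaviour the quoted commit message describes, added here as an example and not taken from the patch, the kselftest or the kernel. It assumes the arm64 top-byte convention (the tag lives in bits 63:56 of a user address and is ignored by address translation), simplifies the kernel's untagged_addr() to masking that byte (equivalent for user addresses, where bit 55 is clear), and uses a hypothetical struct uffd_reg and constructed addresses and tags in place of the real registration state. fault_address_old models the stripped address a tag-unaware application received in fault.address before the fix; fault_address_new models the fix, which re-applies the tag recorded at UFFDIO_REGISTER time. The last check in run_model shows the caveat the commit message leaves for a future flag: a fault taken through a pointer carrying a different tag is still reported with the registration tag, not the faulting one.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of arm64 top-byte tagging for user addresses: bits 63:56 carry the
 * tag and are ignored by the MMU. Simplification of the kernel's
 * untagged_addr(), which sign-extends from bit 55; for user addresses
 * (bit 55 clear) the results are the same. Builds and runs on any host.
 */
#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

static uint64_t untagged_addr(uint64_t addr) { return addr & ~TAG_MASK; }
static uint8_t  addr_tag(uint64_t addr)      { return (uint8_t)(addr >> TAG_SHIFT); }
static uint64_t tag_addr(uint64_t addr, uint8_t tag)
{
	return untagged_addr(addr) | ((uint64_t)tag << TAG_SHIFT);
}

/* Hypothetical stand-in for the kernel's per-registration state. */
struct uffd_reg {
	uint64_t start;   /* untagged start of the registered range */
	uint64_t len;
	uint8_t  tag;     /* tag of range.start at UFFDIO_REGISTER time (the fix) */
};

/* Models UFFDIO_REGISTER: the kernel works on the untagged range and, with
 * the fix, also remembers the tag the application passed in range.start. */
static void uffd_register(struct uffd_reg *r, uint64_t tagged_start, uint64_t len)
{
	r->start = untagged_addr(tagged_start);
	r->len   = len;
	r->tag   = addr_tag(tagged_start);
}

/* fault.address before the fix: the tag is stripped. */
static uint64_t fault_address_old(const struct uffd_reg *r, uint64_t fault_va)
{
	(void)r;
	return untagged_addr(fault_va);
}

/* fault.address after the fix: the registration tag is applied again.
 * Caveat from the commit message: this is the tag used at registration,
 * not the tag of the pointer that actually faulted. */
static uint64_t fault_address_new(const struct uffd_reg *r, uint64_t fault_va)
{
	return tag_addr(fault_va, r->tag);
}

/* Bounds check as a tag-unaware application writes it: it compares the raw
 * pointer value it was handed, tag bits included. */
static bool in_allocation(uint64_t base, uint64_t len, uint64_t addr)
{
	return addr >= base && addr < base + len;
}

/* Runs the scenario and returns a bitmask of outcomes:
 *   bit 0: stripped address passes the app's bounds check
 *   bit 1: re-tagged address passes the app's bounds check
 *   bit 2: re-tagged address carries the registration tag
 *   bit 3: a fault through a differently tagged pointer reports the same
 *          (registration-tagged) address, i.e. the faulting tag is lost
 * Expected result is 14 (bits 1..3 set, bit 0 clear). */
static int run_model(void)
{
	/* Constructed values: a 4 KiB heap allocation whose pointer has tag 0x2a. */
	uint64_t base = tag_addr(0x7f1234560000ULL, 0x2a);
	uint64_t len  = 0x1000;
	struct uffd_reg reg;
	uffd_register(&reg, base, len);

	/* The application touches base + 0x100 through its tagged pointer. */
	uint64_t fault_va  = base + 0x100;
	uint64_t addr_old  = fault_address_old(&reg, fault_va);
	uint64_t addr_new  = fault_address_new(&reg, fault_va);
	uint64_t other_tag = fault_address_new(&reg, tag_addr(fault_va, 0x33));

	int result = 0;
	if (in_allocation(base, len, addr_old)) result |= 1;
	if (in_allocation(base, len, addr_new)) result |= 2;
	if (addr_tag(addr_new) == reg.tag)      result |= 4;
	if (other_tag == addr_new)              result |= 8;

	printf("registered  0x%016" PRIx64 " len 0x%" PRIx64 "\n", base, len);
	printf("old address 0x%016" PRIx64 " in range: %s\n", addr_old,
	       (result & 1) ? "yes" : "no");
	printf("new address 0x%016" PRIx64 " in range: %s\n", addr_new,
	       (result & 2) ? "yes" : "no");
	return result;
}

int main(void)
{
	return run_model() == 14 ? 0 : 1;
}
```

The application-side confusion is the comparison in in_allocation: with the tag stripped, the reported address is numerically far below a tagged base pointer, so the program concludes the fault is outside its allocation even though it is the very page it registered.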


