[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses a
|
From: |
Richard Henderson |
|
Subject: |
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1 |
|
Date: |
Tue, 30 Mar 2021 23:22:03 -0000 |
I believe that you're correct, and that I mis-read the MTE
specification.
I believed that exactly one mte tag check was made for any single memory
access. But I missed that unaligned accesses are as-if a sequence of byte
accesses -- in the Arm ARM, see aarch64/functions/memory/Mem[].
I'm still trying to verify this via the Arm FVP, but so far I've not
found the right incantation of parameters to properly enable MTE.
(I can enable the instructions, but a simple stg/ldg test suggests
that there is no tag storage enabled -- all tags read as 0.)
** Changed in: qemu
Assignee: (unassigned) => Richard Henderson (rth)
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1921948
Title:
MTE tags not checked properly for unaligned accesses at EL1
Status in QEMU:
New
Bug description:
For kernel memory accesses that span across two memory granules,
QEMU's MTE implementation only checks the tag of the first granule but
not of the second one.
To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS
enabled, apply the patch below, and boot the kernel:
diff --git a/sound/last.c b/sound/last.c
index f0bb98780e70..04745cb30b74 100644
--- a/sound/last.c
+++ b/sound/last.c
@@ -5,12 +5,18 @@
*/
#include <linux/init.h>
+#include <linux/slab.h>
#include <sound/core.h>
static int __init alsa_sound_last_init(void)
{
struct snd_card *card;
int idx, ok = 0;
+
+ char *ptr = kmalloc(128, GFP_KERNEL);
+ pr_err("KASAN report should follow:\n");
+ *(volatile unsigned long *)(ptr + 124);
+ kfree(ptr);
printk(KERN_INFO "ALSA device list:\n");
for (idx = 0; idx < SNDRV_CARDS; idx++) {
KASAN tags the 128 allocated bytes with the same tag as the returned
pointer. The memory granule that follows the 128 allocated bytes has a
different tag (with 1/15 probability).
Expected result: a tag fault is detected and a KASAN report is printed when
accessing bytes [124, 130).
Observed result: no tag fault is detected and no KASAN report is printed.
Here are the flags that I use to run QEMU if they matter:
qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net
user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic
-nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda
earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no-
shutdown -no-reboot
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions