diff for duplicates of <877dleuds3.fsf@linaro.org>

diff --git a/a/1.txt b/N1/1.txt
index 9214333..86f4d81 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -1,4 +1,3 @@
-
 Richard Henderson <richard.henderson@linaro.org> writes:
 
 > We were incorrectly assuming that only the first byte of an MTE access
@@ -188,3 +187,64 @@ with them.
 
 -- 
 Alex Bennée
+
+-- 
+You received this bug notification because you are a member of qemu-
+devel-ml, which is subscribed to QEMU.
+https://bugs.launchpad.net/bugs/1921948
+
+Title:
+  MTE tags not checked properly for unaligned accesses at EL1
+
+Status in QEMU:
+  In Progress
+
+Bug description:
+  For kernel memory accesses that span across two memory granules,
+  QEMU's MTE implementation only checks the tag of the first granule but
+  not of the second one.
+
+  To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS
+  enabled, apply the patch below, and boot the kernel:
+
+  diff --git a/sound/last.c b/sound/last.c
+  index f0bb98780e70..04745cb30b74 100644
+  --- a/sound/last.c
+  +++ b/sound/last.c
+  @@ -5,12 +5,18 @@
+    */
+   
+   #include <linux/init.h>
+  +#include <linux/slab.h>
+   #include <sound/core.h>
+   
+   static int __init alsa_sound_last_init(void)
+   {
+          struct snd_card *card;
+          int idx, ok = 0;
+  +
+  +       char *ptr = kmalloc(128, GFP_KERNEL);
+  +       pr_err("KASAN report should follow:\n");
+  +       *(volatile unsigned long *)(ptr + 124);
+  +       kfree(ptr);
+          
+          printk(KERN_INFO "ALSA device list:\n");
+          for (idx = 0; idx < SNDRV_CARDS; idx++) {
+
+  KASAN tags the 128 allocated bytes with the same tag as the returned
+  pointer. The memory granule that follows the 128 allocated bytes has a
+  different tag (with 1/15 probability).
+
+  Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130).
+  Observed result: no tag fault is detected and no KASAN report is printed.
+
+  Here are the flags that I use to run QEMU if they matter:
+
+  qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net
+  user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic
+  -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda
+  earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no-
+  shutdown -no-reboot
+
+To manage notifications about this bug go to:
+https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
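Review bot: The expected-access range in the bug description, `[124, 130)`, does not match the dereference the repro patch performs: `*(volatile unsigned long *)(ptr + 124)` reads `sizeof(unsigned long)` bytes, which is 8 under the arm64 LP64 ABI, so the access covers `[124, 132)` and crosses the 16-byte granule boundary at byte 128 by four bytes, not two. The sentence "has a different tag (with 1/15 probability)" also reads inverted, since a 1/15 chance of a mismatch would make the expected KASAN report the rare outcome; presumably the intent is that the following granule shares the allocation's tag about 1 time in 15, in which case the repro is best stated as `the following granule has the same tag with ~1/15 probability, so rerun if no report appears`. It is worth saying explicitly that the read is a deliberate out-of-bounds access whose result is discarded, so the volatile cast is there only to keep the compiler from eliding it. The quoted kernel patch's function alsa_sound_last_init() continues past the end of the quoted hunk.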
diff --git a/a/content_digest b/N1/content_digest
index 6579eaa..5fd20d3 100644
--- a/a/content_digest
+++ b/N1/content_digest
@@ -1,25 +1,17 @@
 [
-  "ref\00020210406174031.64299-1-richard.henderson\@linaro.org\0"
+  "ref\000161713286145.25906.15042270704525675392.malonedeb\@wampee.canonical.com\0"
 ]
 [
-  "ref\00020210406174031.64299-4-richard.henderson\@linaro.org\0"
+  "From\0Alex Benn\303\251e <1921948\@bugs.launchpad.net>\0"
 ]
 [
-  "From\0Alex Benn\303\251e <alex.bennee\@linaro.org>\0"
+  "Subject\0[Bug 1921948] Re: [PATCH v4 03/12] target/arm: Fix mte_checkN\0"
 ]
 [
-  "Subject\0Re: [PATCH v4 03/12] target/arm: Fix mte_checkN\0"
+  "Date\0Wed, 07 Apr 2021 18:39:29 -0000\0"
 ]
 [
-  "Date\0Wed, 07 Apr 2021 19:39:29 +0100\0"
-]
-[
-  "To\0Richard Henderson <richard.henderson\@linaro.org>\0"
-]
-[
-  "Cc\0001921948\@bugs.launchpad.net",
-  " qemu-arm\@nongnu.org",
-  " qemu-devel\@nongnu.org\0"
+  "To\0qemu-devel\@nongnu.org\0"
 ]
 [
   "\0000:1\0"
@@ -28,7 +20,6 @@
   "b\0"
 ]
 [
-  "\n",
   "Richard Henderson <richard.henderson\@linaro.org> writes:\n",
   "\n",
   "> We were incorrectly assuming that only the first byte of an MTE access\n",
@@ -217,7 +208,68 @@
   "\n",
   "\n",
   "-- \n",
-  "Alex Benn\303\251e"
+  "Alex Benn\303\251e\n",
+  "\n",
+  "-- \n",
+  "You received this bug notification because you are a member of qemu-\n",
+  "devel-ml, which is subscribed to QEMU.\n",
+  "https://bugs.launchpad.net/bugs/1921948\n",
+  "\n",
+  "Title:\n",
+  "  MTE tags not checked properly for unaligned accesses at EL1\n",
+  "\n",
+  "Status in QEMU:\n",
+  "  In Progress\n",
+  "\n",
+  "Bug description:\n",
+  "  For kernel memory accesses that span across two memory granules,\n",
+  "  QEMU's MTE implementation only checks the tag of the first granule but\n",
+  "  not of the second one.\n",
+  "\n",
+  "  To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS\n",
+  "  enabled, apply the patch below, and boot the kernel:\n",
+  "\n",
+  "  diff --git a/sound/last.c b/sound/last.c\n",
+  "  index f0bb98780e70..04745cb30b74 100644\n",
+  "  --- a/sound/last.c\n",
+  "  +++ b/sound/last.c\n",
+  "  \@\@ -5,12 +5,18 \@\@\n",
+  "    */\n",
+  "   \n",
+  "   #include <linux/init.h>\n",
+  "  +#include <linux/slab.h>\n",
+  "   #include <sound/core.h>\n",
+  "   \n",
+  "   static int __init alsa_sound_last_init(void)\n",
+  "   {\n",
+  "          struct snd_card *card;\n",
+  "          int idx, ok = 0;\n",
+  "  +\n",
+  "  +       char *ptr = kmalloc(128, GFP_KERNEL);\n",
+  "  +       pr_err(\"KASAN report should follow:\\n\");\n",
+  "  +       *(volatile unsigned long *)(ptr + 124);\n",
+  "  +       kfree(ptr);\n",
+  "          \n",
+  "          printk(KERN_INFO \"ALSA device list:\\n\");\n",
+  "          for (idx = 0; idx < SNDRV_CARDS; idx++) {\n",
+  "\n",
+  "  KASAN tags the 128 allocated bytes with the same tag as the returned\n",
+  "  pointer. The memory granule that follows the 128 allocated bytes has a\n",
+  "  different tag (with 1/15 probability).\n",
+  "\n",
+  "  Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130).\n",
+  "  Observed result: no tag fault is detected and no KASAN report is printed.\n",
+  "\n",
+  "  Here are the flags that I use to run QEMU if they matter:\n",
+  "\n",
+  "  qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net\n",
+  "  user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic\n",
+  "  -nographic -kernel ./Image -append \"console=ttyAMA0 root=/dev/vda\n",
+  "  earlyprintk=serial\" -drive file=./fs.img,format=raw,if=virtio -no-\n",
+  "  shutdown -no-reboot\n",
+  "\n",
+  "To manage notifications about this bug go to:\n",
+  "https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions"
 ]
 
-29413d98025da40f0f6d818218a97c7d5b9fa7ab0b783a34f0e065fa42e29ec9
+247b2a66a3b9ef7ee62a7558837151fc27c70c9409f95998ec95ccd72dd7a486
