[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Thanks for opening the new ticket. I'm closing this one here on Launchpad now so that we don't accidentally migrate it later automatically. ** Changed in: qemu Status: Confirmed => Fix Released -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Fix Released Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
I happened to notice that you're moving your bug tracker to gitlab so I refiled this issue over there: https://gitlab.com/qemu- project/qemu/-/issues/403 ** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #403 https://gitlab.com/qemu-project/qemu/-/issues/403 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Confirmed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
I see something similar in memset It SEGV on sturq0, [x4, #-16] for x4 set to 0xd55214fe008 and near tags are 0xd55214fdff0 and 0xd55214fe000 -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Confirmed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
(s/PR_MTE_TCF_ASYNC/PR_MTE_TCF_SYNC/g in the above program -- but the actual constant is correct) -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Confirmed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
It looks like there's still a bug here: I'm seeing false positive MTE faults for unaligned accesses that touch multiple pages. This userspace assembly program demonstrates the problem, but for some reason it only reproduces some of the time for me: .arch_extension memtag .globl _start _start: mov x0, #0x37 // PR_SET_TAGGED_ADDR_CTRL mov x1, #0x3 // PR_TAGGED_ADDR_ENABLE | PR_MTE_TCF_ASYNC mov x2, #0 mov x3, #0 mov x4, #0 mov x8, #0xa7 // prctl svc #0 mov x0, xzr mov w1, #0x2000 mov w2, #0x23 // PROT_READ|PROT_WRITE|PROT_MTE mov w3, #0x22 // MAP_PRIVATE|MAP_ANONYMOUS mov w4, #0x mov x5, xzr mov x8, #0xde // mmap svc #0 mov x1, #(1 << 56) add x0, x0, x1 add x0, x0, #0xff0 stg x0, [x0] stg x0, [x0, #16] str x1, [x0, #12] mov x0, #0 mov x8, #0x5d // exit svc #0 ** Changed in: qemu Status: Fix Committed => Confirmed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Confirmed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
** Changed in: qemu Status: In Progress => Fix Committed -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: Fix Committed Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Ah, there's v4 now. Tested with KASAN tests + a custom test to check unaligned accesses that span across two granules, everything works. Thank you! -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
Re: [Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Alex Bennée writes: > Andrey Konovalov <1921...@bugs.launchpad.net> writes: > >> Is this with QEMU master without the patches mentioned in this bug? > > This is with Richard's latest series. > >> >> Which kernel version do you use? > > v5.11 > >> Could you share your kernel config? > > We are just testing with Richard's config and eliminating compiler > shenanigans now. OK with v5.12-rc5 and Richard's config I get a clean pass. -- Alex Bennée
Re: [Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Andrey Konovalov <1921...@bugs.launchpad.net> writes: > Is this with QEMU master without the patches mentioned in this bug? This is with Richard's latest series. > > Which kernel version do you use? v5.11 > Could you share your kernel config? We are just testing with Richard's config and eliminating compiler shenanigans now. -- Alex Bennée
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Re comments #8 and #10, I don't replicate that. I get full pass on KASAN_UNIT_TEST with and without virtualization enabled. Re comment #9, if there are bugs suspected in qemu, they need to be reported, or we'll never hear about them. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Is this with QEMU master without the patches mentioned in this bug? Which kernel version do you use? Could you share your kernel config? -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
It gets further without but still spams a lot of failure messages: The buggy address belongs to the object at ff80036a2200 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 11 bytes to the right of 128-byte region [ff80036a2200, ff80036a2280) The buggy address belongs to the page: page:46e01872 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x436a2 flags: 0x3fc00200(slab) raw: 3fc00200 dead0100 dead0122 f98001c01e00 raw: 80100010 0001 f380036a2401 page dumped because: kasan: bad access detected pages's memcg:f380036a2401 Memory state around the buggy address: ff80036a2000: f6 f6 f6 f6 f6 f6 f6 f6 fe fe fe fe fe fe fe fe ff80036a2100: fa fa fa fa fe fe fe fe fe fe fe fe fe fe fe fe >ff80036a2200: f9 f9 f9 f9 f9 f9 f9 f9 fe fe fe fe fe fe fe fe ^ ff80036a2300: fc fc fc fc fe fe fe fe fe fe fe fe fe fe fe fe ff80036a2400: f3 f3 f3 f3 f3 f3 f3 f3 fe fe fe fe fe fe fe fe == Disabling lock debugging due to kernel taint # kmalloc_oob_right: EXPECTATION FAILED at lib/test_kasan.c:86 Expected fail_data.report_expected == fail_data.report_found, but fail_data.report_expected == 1 fail_data.report_found == 0 not ok 1 - kmalloc_oob_right # kmalloc_oob_left: EXPECTATION FAILED at lib/test_kasan.c:98 Expected fail_data.report_expected == fail_data.report_found, but fail_data.report_expected == 1 fail_data.report_found == 0 not ok 2 - kmalloc_oob_left # kmalloc_node_oob_right: EXPECTATION FAILED at lib/test_kasan.c:110 Expected fail_data.report_expected == fail_data.report_found, but fail_data.report_expected == 1 fail_data.report_found == 0 not ok 3 - kmalloc_node_oob_right # kmalloc_pagealloc_oob_right: EXPECTATION FAILED at lib/test_kasan.c:130 Expected fail_data.report_expected == fail_data.report_found, but fail_data.report_expected == 1 fail_data.report_found == 0 not ok 4 - kmalloc_pagealloc_oob_right # kmalloc_pagealloc_uaf: EXPECTATION FAILED at lib/test_kasan.c:148 Expected fail_data.report_expected == fail_data.report_found, but fail_data.report_expected == 1 fail_data.report_found == 0 not ok 5 - kmalloc_pagealloc_uaf -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
This warning is caused by "virtualization=on" QEMU option. This is another QEMU bug AFAIU, see [1] and [2]. [1] https://lore.kernel.org/lkml/CAAeHK+wDz8aSLyjq1b=q3+hg9ajxxwyr6+gn_ftttmn5osm...@mail.gmail.com/ [2] https://lore.kernel.org/lkml/20210311123315.GF37303@C02TD0UTHF1T.local/T/ -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
With v2, a lot of KASAN tests start failing. This likely means that MTE tag faults stop being generated in certain cases. With v3 [1], no MTE faults are generated at all. [1] https://patchew.org/QEMU/20210402214217.422585-1-richard.hender...@linaro.org/ -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Yeah, I saw an error right after posting. Please try v2: https://patchew.org/QEMU/20210402161835.286665-1-richard.hender...@linaro.org/ -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Hi Richard, I tried your patch, but QEMU crashes with: ERROR:../target/arm/mte_helper.c:588:mte_check_fail: code should not be reached Bail out! ERROR:../target/arm/mte_helper.c:588:mte_check_fail: code should not be reached when running KASAN tests. Thanks! -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
https://patchew.org/QEMU/20210402053728.265173-1-richard.hender...@linaro.org/ -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
Ah, perfect, I was missing dram_metadata.is_enabled. And my userland unaligned test case demonstrates that the second granule is tested, as reported. ** Changed in: qemu Status: New => Confirmed ** Changed in: qemu Status: Confirmed => In Progress -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: In Progress Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
The flags that you need to pass to FVP to enable MTE are listed near the end of the README here: https://cs.android.com/android/platform/superproject/+/master:device/generic/goldfish/fvpbase/README.md -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: New Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions
[Bug 1921948] Re: MTE tags not checked properly for unaligned accesses at EL1
I believe that you're correct, and that I mis-read the MTE specification. I believed that exactly one mte tag check was made for any single memory access. But I missed that unaligned accesses are as-if a sequence of byte accesses -- in the Arm ARM, see aarch64/functions/memory/Mem[]. I'm still trying to verify this via the Arm FVP, but so far I've not found the right incantation of parameters to properly enable MTE. (I can enable the instructions, but a simple stg/ldg test suggests that there is no tag storage enabled -- all tags read as 0.) ** Changed in: qemu Assignee: (unassigned) => Richard Henderson (rth) -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1921948 Title: MTE tags not checked properly for unaligned accesses at EL1 Status in QEMU: New Bug description: For kernel memory accesses that span across two memory granules, QEMU's MTE implementation only checks the tag of the first granule but not of the second one. To reproduce this, build the Linux kernel with CONFIG_KASAN_HW_TAGS enabled, apply the patch below, and boot the kernel: diff --git a/sound/last.c b/sound/last.c index f0bb98780e70..04745cb30b74 100644 --- a/sound/last.c +++ b/sound/last.c @@ -5,12 +5,18 @@ */ #include +#include #include static int __init alsa_sound_last_init(void) { struct snd_card *card; int idx, ok = 0; + + char *ptr = kmalloc(128, GFP_KERNEL); + pr_err("KASAN report should follow:\n"); + *(volatile unsigned long *)(ptr + 124); + kfree(ptr); printk(KERN_INFO "ALSA device list:\n"); for (idx = 0; idx < SNDRV_CARDS; idx++) { KASAN tags the 128 allocated bytes with the same tag as the returned pointer. The memory granule that follows the 128 allocated bytes has a different tag (with 1/15 probability). Expected result: a tag fault is detected and a KASAN report is printed when accessing bytes [124, 130). Observed result: no tag fault is detected and no KASAN report is printed. Here are the flags that I use to run QEMU if they matter: qemu-system-aarch64 -s -machine virt,mte=on -cpu max -m 2G -smp 2 -net user,host=10.0.2.10,hostfwd=tcp:127.0.0.1:10021-:22 -net nic -nographic -kernel ./Image -append "console=ttyAMA0 root=/dev/vda earlyprintk=serial" -drive file=./fs.img,format=raw,if=virtio -no- shutdown -no-reboot To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1921948/+subscriptions