[PATCH v12 10/15] x86/mm: Reset tags in a canonical address helper call
From: Maciej Wieczor-Retman
Date: Mon Mar 30 2026 - 10:43:36 EST
From: Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx>
With KASAN software tag-based mode, arbitrary kernel pointers can be
tagged. The __is_canonical_address() helper can cause issues when met with
tagged pointers that expect the loosened canonicality checks. The
function itself shouldn't be made LAM-aware since, for example in KVM,
where it's used extensively, it's not practical to deal with
differences between host and guest which might want a different LAM
state. Also, by the time __is_canonical_address() is invoked, KVM has
already done any necessary LAM unmasking.
Reset the address' tag early in copy_from_kernel_nofault_allowed() so
pointer arithmetic checks before a __is_canonical_address() call can
work properly.
Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@xxxxxxxxx>
---
Changelog v11:
- Reset tag earlier in copy_from_kernel_nofault_allowed() so
is_vsyscall_vaddr() can properly check tagged pointers.
- Redo the patch message.
Changelog v9:
- Redo the patch to not break KVM.
- Remove Alexander's acked-by tag.
Changelog v7:
- Add Alexander's acked-by tag.
- Add parentheses around vaddr_bits as suggested by checkpatch.
- Apply the bitmasks to the __canonical_address() function which is used
in kvm code.
Changelog v6:
- Use bitmasks to check both kernel and userspace addresses in the
__is_canonical_address() (Dave Hansen and Samuel Holland).
Changelog v4:
- Add patch to the series.
arch/x86/mm/maccess.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c
index 42115ac079cf..7d8fa58b61b8 100644
--- a/arch/x86/mm/maccess.c
+++ b/arch/x86/mm/maccess.c
@@ -9,6 +9,7 @@
bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
{
unsigned long vaddr = (unsigned long)unsafe_src;
+ vaddr = __tag_reset(vaddr);
/*
* Do not allow userspace addresses. This disallows
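Review bot: the commit message should say what __tag_reset() does when CONFIG_KASAN_SW_TAGS is not enabled, since copy_from_kernel_nofault_allowed() is compiled into every x86 build and a reader of this hunk has to take on trust that the helper is a no-op there. As a style point, the reset could be folded into the initializer, `unsigned long vaddr = __tag_reset((unsigned long)unsafe_src);`, so vaddr never holds the tagged value before the vsyscall and userspace-range checks that follow use it.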
--
2.53.0