c4c597f1b3
The mte_sync_page_tags() function sets PG_mte_tagged if it initializes
page tags. Then we return to mte_sync_tags(), which sets PG_mte_tagged
again. At best, this is redundant. However, it is possible for
mte_sync_page_tags() to return without having initialized tags for the
page, i.e. in the case where check_swap is true (non-compound page),
is_swap_pte(old_pte) is false and pte_is_tagged is false. So at worst,
we set PG_mte_tagged on a page with uninitialized tags. This can happen
if, for example, page migration causes a PTE for an untagged page to
be replaced. If the userspace program subsequently uses mprotect() to
enable PROT_MTE for that page, the uninitialized tags will be exposed
to userspace.
Fix it by removing the redundant call to set_page_mte_tagged().
Fixes:
|
||
|---|---|---|
| .. | ||
| pi | ||
| probes | ||
| vdso | ||
| vdso32 | ||
| .gitignore | ||
| Makefile | ||
| acpi.c | ||
| acpi_numa.c | ||
| acpi_parking_protocol.c | ||
| alternative.c | ||
| armv8_deprecated.c | ||
| asm-offsets.c | ||
| cacheinfo.c | ||
| compat_alignment.c | ||
| cpu-reset.S | ||
| cpu_errata.c | ||
| cpu_ops.c | ||
| cpufeature.c | ||
| cpuidle.c | ||
| cpuinfo.c | ||
| crash_core.c | ||
| crash_dump.c | ||
| debug-monitors.c | ||
| efi-header.S | ||
| efi-rt-wrapper.S | ||
| efi.c | ||
| elfcore.c | ||
| entry-common.c | ||
| entry-fpsimd.S | ||
| entry-ftrace.S | ||
| entry.S | ||
| fpsimd.c | ||
| ftrace.c | ||
| head.S | ||
| hibernate-asm.S | ||
| hibernate.c | ||
| hw_breakpoint.c | ||
| hyp-stub.S | ||
| idle.c | ||
| idreg-override.c | ||
| image-vars.h | ||
| image.h | ||
| io.c | ||
| irq.c | ||
| jump_label.c | ||
| kaslr.c | ||
| kexec_image.c | ||
| kgdb.c | ||
| kuser32.S | ||
| machine_kexec.c | ||
| machine_kexec_file.c | ||
| module-plts.c | ||
| module.c | ||
| mte.c | ||
| paravirt.c | ||
| patch-scs.c | ||
| patching.c | ||
| pci.c | ||
| perf_callchain.c | ||
| perf_regs.c | ||
| pointer_auth.c | ||
| process.c | ||
| proton-pack.c | ||
| psci.c | ||
| ptrace.c | ||
| reloc_test_core.c | ||
| reloc_test_syms.S | ||
| relocate_kernel.S | ||
| return_address.c | ||
| sdei.c | ||
| setup.c | ||
| signal.c | ||
| signal32.c | ||
| sigreturn32.S | ||
| sleep.S | ||
| smccc-call.S | ||
| smp.c | ||
| smp_spin_table.c | ||
| stacktrace.c | ||
| suspend.c | ||
| sys.c | ||
| sys32.c | ||
| sys_compat.c | ||
| syscall.c | ||
| time.c | ||
| topology.c | ||
| trace-events-emulation.h | ||
| traps.c | ||
| vdso-wrap.S | ||
| vdso.c | ||
| vdso32-wrap.S | ||
| vmlinux.lds.S | ||