-
Vincenzo Frascino authored
load_unaligned_zeropad() and __get/put_kernel_nofault() functions can read passed some buffer limits which may include some MTE granule with a different tag. When MTE async mode is enable, the load operation crosses the boundaries and the next granule has a different tag the PE sets the TFSR_EL1.TF1 bit as if an asynchronous tag fault is happened: ================================================================== BUG: KASAN: invalid-access Asynchronous mode enabled: no access details available CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc1-ge1045c86 -dirty #8 Hardware name: FVP Base RevC (DT) Call trace: dump_backtrace+0x0/0x1c0 show_stack+0x18/0x24 dump_stack+0xcc/0x14c kasan_report_async+0x54/0x70 mte_check_tfsr_el1+0x48/0x4c exit_to_user_mode+0x18/0x38 finish_ret_to_user+0x4/0x15c ================================================================== Verify that Tag Check Override (TCO) is enabled in these functions before the load and disable it afterwards to prevent this to happen. Note: The issue has been observed only with an MTE enabled userspace. Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Will Deacon <will@kernel.org> Reported-by: Branislav Rankov <Branislav.Rankov@arm.com> Signed-off-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
15bfd167