lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <23d87c37c97fd995a10297f8cc33ae2fa569f26d.1768845098.git.m.wieczorretman@pm.me>
Date: Tue, 20 Jan 2026 14:42:01 +0000
From: Maciej Wieczor-Retman <m.wieczorretman@...me>
To: Dave Hansen <dave.hansen@...ux.intel.com>, Andy Lutomirski <luto@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Thomas Gleixner <tglx@...nel.org>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, x86@...nel.org, "H. Peter Anvin" <hpa@...or.com>
Cc: m.wieczorretman@...me, Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v9 09/13] x86/mm: Reset tags in a canonical address helper call

From: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>

For an address to be canonical it has to have its top bits equal to each
other. The number of bits depends on the paging level and whether
they're supposed to be ones or zeroes depends on whether the address
points to kernel or user space.

With Linear Address Masking (LAM) enabled, the definition of linear
address canonicality is modified. Not all of the previously required
bits need to be equal, only the first and last from the previously equal
bitmask. So for example a 5-level paging kernel address needs to have
bits [63] and [56] set.

__is_canonical_address() helper can cause issues when met with tagged
pointers that expect the loosened canonicality checks. The function
itself shouldn't be made LAM-aware since for example in KVM, where it's
used extensively - it's not practical to deal with differences between
host and guest which might want a different LAM state. Also by the time
__is_canonical_address() is invoked KVM has already done any necessary
LAM unmasking.

Reset tags in the address argument of __is_canonical_address() located
in copy_from_kernel_nofault_allowed() which is the only function causing
problems.

Signed-off-by: Maciej Wieczor-Retman <maciej.wieczor-retman@...el.com>
---
Changelog v9:
- Redo the patch to not break KVM.
- Remove Alexander's acked-by tag.

Changelog v7:
- Add Alexander's acked-by tag.
- Add parentheses around vaddr_bits as suggested by checkpatch.
- Apply the bitmasks to the __canonical_address() function which is used
  in kvm code.

Changelog v6:
- Use bitmasks to check both kernel and userspace addresses in the
  __is_canonical_address() (Dave Hansen and Samuel Holland).

Changelog v4:
- Add patch to the series.

 arch/x86/mm/maccess.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/mm/maccess.c b/arch/x86/mm/maccess.c
index 42115ac079cf..dbaf70bdc383 100644
--- a/arch/x86/mm/maccess.c
+++ b/arch/x86/mm/maccess.c
@@ -33,7 +33,7 @@ bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
 	if (!boot_cpu_data.x86_virt_bits)
 		return true;
 
-	return __is_canonical_address(vaddr, boot_cpu_data.x86_virt_bits);
+	return __is_canonical_address(__tag_reset(vaddr), boot_cpu_data.x86_virt_bits);
 }
 #else
 bool copy_from_kernel_nofault_allowed(const void *unsafe_src, size_t size)
-- 
2.52.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ