From: David Laight <david.laight.linux@gmail.com>
To: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Michael Ellerman <mpe@ellerman.id.au>,
Nicholas Piggin <npiggin@gmail.com>,
Naveen N Rao <naveen@kernel.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Darren Hart <dvhart@infradead.org>,
Davidlohr Bueso <dave@stgolabs.net>,
"Andre Almeida" <andrealmeid@igalia.com>,
Andrew Morton <akpm@linux-foundation.org>,
Dave Hansen <dave.hansen@linux.intel.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH 0/5] powerpc: Implement masked user access
Date: Sun, 22 Jun 2025 17:20:43 +0100 [thread overview]
Message-ID: <20250622172043.3fb0e54c@pumpkin> (raw)
In-Reply-To: <cover.1750585239.git.christophe.leroy@csgroup.eu>
On Sun, 22 Jun 2025 11:52:38 +0200
Christophe Leroy <christophe.leroy@csgroup.eu> wrote:
> Masked user access avoids the address/size verification by access_ok().
> Allthough its main purpose is to skip the speculation in the
> verification of user address and size hence avoid the need of spec
> mitigation, it also has the advantage to reduce the amount of
> instructions needed so it also benefits to platforms that don't
> need speculation mitigation, especially when the size of the copy is
> not know at build time.
It also removes a conditional branch that is quite likely to be
statically predicted 'the wrong way'.
> Unlike x86_64 which masks the address to 'all bits set' when the
> user address is invalid, here the address is set to an address in
> the gap. It avoids relying on the zero page to catch offseted
> accesses. On book3s/32 it makes sure the opening remains on user
> segment. The overcost is a single instruction in the masking.
That isn't true (any more).
Linus changed the check to (approx):
if (uaddr > TASK_SIZE)
uaddr = TASK_SIZE;
(Implemented with a conditional move)
Replacing the original version that used cmp, sbb, or to get 'all bits set'.
Quite likely the comments are wrong!
I thought there was a second architecture that implemented it - and might
still set ~0u?
As you noted returning 'TASK_SIZE' (or, at least, the base of a page that
is guaranteed to fault) means that the caller only has to do 'reasonably
sequential' accesses, and not guarantee to read offset zero first.
As a separate patch, provided there is a guard page between user and kernel,
and user accesses are 'reasonably sequential' even access_ok() need not
check the transfer length. Linus wasn't that brave :-)
I think some of the 'API' is still based on the original 386 code where
the page tables had to be checked by hand for CoW.
David
>
> First patch adds masked_user_read_access_begin() and
> masked_user_write_access_begin() to match with user_read_access_end()
> and user_write_access_end().
>
> Second patch adds speculation barrier to copy_from_user_iter() so that
> the barrier in powerpc raw_copy_from_user() which is redundant with
> the one in copy_from_user() can be removed.
>
> Third patch removes the redundant barrier_nospec() in
> raw_copy_from_user().
>
> Fourth patch removes the unused size parameter when enabling/disabling
> user access.
>
> Last patch implements masked user access.
>
> Christophe Leroy (5):
> uaccess: Add masked_user_{read/write}_access_begin
> uaccess: Add speculation barrier to copy_from_user_iter()
> powerpc: Remove unused size parametre to KUAP enabling/disabling
> functions
> powerpc: Move barrier_nospec() out of allow_read_{from/write}_user()
> powerpc: Implement masked user access
>
> arch/powerpc/Kconfig | 2 +-
> arch/powerpc/include/asm/book3s/32/kup.h | 2 +-
> arch/powerpc/include/asm/book3s/64/kup.h | 4 +-
> arch/powerpc/include/asm/kup.h | 24 ++--
> arch/powerpc/include/asm/nohash/32/kup-8xx.h | 2 +-
> arch/powerpc/include/asm/nohash/kup-booke.h | 2 +-
> arch/powerpc/include/asm/uaccess.h | 140 ++++++++++++++++---
> fs/select.c | 2 +-
> include/linux/uaccess.h | 8 ++
> kernel/futex/futex.h | 4 +-
> lib/iov_iter.c | 7 +
> lib/strncpy_from_user.c | 2 +-
> lib/strnlen_user.c | 2 +-
> 13 files changed, 158 insertions(+), 43 deletions(-)
>
next prev parent reply other threads:[~2025-06-22 16:21 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-22 9:52 [PATCH 0/5] powerpc: Implement masked user access Christophe Leroy
2025-06-22 9:52 ` [PATCH 1/5] uaccess: Add masked_user_{read/write}_access_begin Christophe Leroy
2025-06-22 16:35 ` David Laight
2025-06-24 5:34 ` Christophe Leroy
2025-06-22 9:52 ` [PATCH 2/5] uaccess: Add speculation barrier to copy_from_user_iter() Christophe Leroy
2025-06-22 16:52 ` David Laight
2025-06-22 16:57 ` Linus Torvalds
2025-06-22 20:18 ` David Laight
2025-06-24 5:49 ` Christophe Leroy
2025-06-24 8:07 ` David Laight
2025-06-24 15:15 ` Linus Torvalds
2025-06-22 9:52 ` [PATCH 3/5] powerpc: Remove unused size parametre to KUAP enabling/disabling functions Christophe Leroy
2025-06-22 9:52 ` [PATCH 4/5] powerpc: Move barrier_nospec() out of allow_read_{from/write}_user() Christophe Leroy
2025-06-22 9:52 ` [PATCH 5/5] powerpc: Implement masked user access Christophe Leroy
2025-06-22 17:13 ` David Laight
2025-06-22 17:40 ` Linus Torvalds
2025-06-22 19:51 ` David Laight
2025-06-22 18:57 ` Segher Boessenkool
2025-06-27 8:09 ` kernel test robot
2025-06-22 16:20 ` David Laight [this message]
2025-06-24 5:27 ` [PATCH 0/5] " Christophe Leroy
2025-06-24 8:32 ` David Laight
2025-06-24 21:37 ` Segher Boessenkool
2025-06-25 8:30 ` David Laight
2025-06-24 13:17 ` Segher Boessenkool
2025-06-24 16:50 ` David Laight
2025-06-24 18:25 ` Segher Boessenkool
2025-06-24 21:08 ` David Laight
2025-06-26 5:56 ` Christophe Leroy
2025-06-26 22:01 ` Segher Boessenkool
2025-07-05 10:55 ` Christophe Leroy
2025-07-05 11:42 ` Segher Boessenkool
2025-07-05 18:33 ` David Laight
2025-07-05 20:15 ` Segher Boessenkool
2025-07-05 21:05 ` David Laight
2025-07-05 21:37 ` Segher Boessenkool
2025-06-26 21:39 ` Segher Boessenkool
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250622172043.3fb0e54c@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=akpm@linux-foundation.org \
--cc=andrealmeid@igalia.com \
--cc=brauner@kernel.org \
--cc=christophe.leroy@csgroup.eu \
--cc=dave.hansen@linux.intel.com \
--cc=dave@stgolabs.net \
--cc=dvhart@infradead.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=naveen@kernel.org \
--cc=npiggin@gmail.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.