From: Charlie Jenkins <charlie@rivosinc.com>
To: Cyril Bur <cyrilbur@tenstorrent.com>
Cc: palmer@dabbelt.com, aou@eecs.berkeley.edu,
paul.walmsley@sifive.com, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, Jisheng Zhang <jszhang@kernel.org>
Subject: Re: [PATCH v2 1/4] riscv: implement user_access_begin and families
Date: Fri, 17 Jan 2025 15:21:20 -0800 [thread overview]
Message-ID: <Z4rl8BgoV8tygCn9@ghost> (raw)
In-Reply-To: <20241118230112.2872978-2-cyrilbur@tenstorrent.com>
On Mon, Nov 18, 2024 at 11:01:09PM +0000, Cyril Bur wrote:
> From: Jisheng Zhang <jszhang@kernel.org>
>
> Currently, when a function like strncpy_from_user() is called,
> the userspace access protection is disabled and enabled
> for every word read.
>
> By implementing user_access_begin and families, the protection
> is disabled at the beginning of the copy and enabled at the end.
>
> The __inttype macro is borrowed from x86 implementation.
>
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> Signed-off-by: Cyril Bur <cyrilbur@tenstorrent.com>
> ---
> arch/riscv/include/asm/uaccess.h | 63 ++++++++++++++++++++++++++++++++
> 1 file changed, 63 insertions(+)
>
> diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
> index 72ec1d9bd3f3..09d4ca37522c 100644
> --- a/arch/riscv/include/asm/uaccess.h
> +++ b/arch/riscv/include/asm/uaccess.h
> @@ -28,6 +28,19 @@
> #define __disable_user_access() \
> __asm__ __volatile__ ("csrc sstatus, %0" : : "r" (SR_SUM) : "memory")
>
> +/*
> + * This is the smallest unsigned integer type that can fit a value
> + * (up to 'long long')
> + */
> +#define __inttype(x) __typeof__( \
> + __typefits(x,char, \
> + __typefits(x,short, \
> + __typefits(x,int, \
> + __typefits(x,long,0ULL)))))
> +
> +#define __typefits(x,type,not) \
> + __builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)
> +
> /*
> * The exception table consists of pairs of addresses: the first is the
> * address of an instruction that is allowed to fault, and the second is
> @@ -335,6 +348,56 @@ do { \
> goto err_label; \
> } while (0)
>
> +static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
> +{
> + if (unlikely(!access_ok(ptr,len)))
> + return 0;
> + __enable_user_access();
> + return 1;
> +}
> +#define user_access_begin(a,b) user_access_begin(a,b)
> +#define user_access_end() __disable_user_access();
> +
> +static inline unsigned long user_access_save(void) { return 0UL; }
> +static inline void user_access_restore(unsigned long enabled) { }
> +
> +#define unsafe_put_user(x, ptr, label) do { \
> + long __kr_err = 0; \
> + __put_user_nocheck(x, (ptr), __kr_err); \
> + if (__kr_err) goto label; \
> +} while (0)
> +
> +#define unsafe_get_user(x, ptr, label) do { \
> + long __kr_err = 0; \
> + __inttype(*(ptr)) __gu_val; \
> + __get_user_nocheck(__gu_val, (ptr), __kr_err); \
> + (x) = (__force __typeof__(*(ptr)))__gu_val; \
> + if (__kr_err) goto label; \
> +} while (0)
> +
> +/*
> + * We want the unsafe accessors to always be inlined and use
> + * the error labels - thus the macro games.
> + */
> +#define unsafe_copy_loop(dst, src, len, type, label) \
> + while (len >= sizeof(type)) { \
> + unsafe_put_user(*(type *)(src),(type __user *)(dst),label); \
> + dst += sizeof(type); \
> + src += sizeof(type); \
> + len -= sizeof(type); \
> + }
> +
> +#define unsafe_copy_to_user(_dst,_src,_len,label) \
> +do { \
> + char __user *__ucu_dst = (_dst); \
> + const char *__ucu_src = (_src); \
> + size_t __ucu_len = (_len); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label); \
> +} while (0)
Since a handful of these functions are duplicated across x86/arm64 it
would be nice to consolidate them to a shared header. That would
probably require quite a bit more work though so not in scope for this
patch.
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Tested-by: Charlie Jenkins <charlie@rivosinc.com>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
WARNING: multiple messages have this Message-ID (diff)
From: Charlie Jenkins <charlie@rivosinc.com>
To: Cyril Bur <cyrilbur@tenstorrent.com>
Cc: palmer@dabbelt.com, aou@eecs.berkeley.edu,
paul.walmsley@sifive.com, linux-riscv@lists.infradead.org,
linux-kernel@vger.kernel.org, Jisheng Zhang <jszhang@kernel.org>
Subject: Re: [PATCH v2 1/4] riscv: implement user_access_begin and families
Date: Fri, 17 Jan 2025 15:21:20 -0800 [thread overview]
Message-ID: <Z4rl8BgoV8tygCn9@ghost> (raw)
In-Reply-To: <20241118230112.2872978-2-cyrilbur@tenstorrent.com>
On Mon, Nov 18, 2024 at 11:01:09PM +0000, Cyril Bur wrote:
> From: Jisheng Zhang <jszhang@kernel.org>
>
> Currently, when a function like strncpy_from_user() is called,
> the userspace access protection is disabled and enabled
> for every word read.
>
> By implementing user_access_begin and families, the protection
> is disabled at the beginning of the copy and enabled at the end.
>
> The __inttype macro is borrowed from x86 implementation.
>
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> Signed-off-by: Cyril Bur <cyrilbur@tenstorrent.com>
> ---
> arch/riscv/include/asm/uaccess.h | 63 ++++++++++++++++++++++++++++++++
> 1 file changed, 63 insertions(+)
>
> diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
> index 72ec1d9bd3f3..09d4ca37522c 100644
> --- a/arch/riscv/include/asm/uaccess.h
> +++ b/arch/riscv/include/asm/uaccess.h
> @@ -28,6 +28,19 @@
> #define __disable_user_access() \
> __asm__ __volatile__ ("csrc sstatus, %0" : : "r" (SR_SUM) : "memory")
>
> +/*
> + * This is the smallest unsigned integer type that can fit a value
> + * (up to 'long long')
> + */
> +#define __inttype(x) __typeof__( \
> + __typefits(x,char, \
> + __typefits(x,short, \
> + __typefits(x,int, \
> + __typefits(x,long,0ULL)))))
> +
> +#define __typefits(x,type,not) \
> + __builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)
> +
> /*
> * The exception table consists of pairs of addresses: the first is the
> * address of an instruction that is allowed to fault, and the second is
> @@ -335,6 +348,56 @@ do { \
> goto err_label; \
> } while (0)
>
> +static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
> +{
> + if (unlikely(!access_ok(ptr,len)))
> + return 0;
> + __enable_user_access();
> + return 1;
> +}
> +#define user_access_begin(a,b) user_access_begin(a,b)
> +#define user_access_end() __disable_user_access();
> +
> +static inline unsigned long user_access_save(void) { return 0UL; }
> +static inline void user_access_restore(unsigned long enabled) { }
> +
> +#define unsafe_put_user(x, ptr, label) do { \
> + long __kr_err = 0; \
> + __put_user_nocheck(x, (ptr), __kr_err); \
> + if (__kr_err) goto label; \
> +} while (0)
> +
> +#define unsafe_get_user(x, ptr, label) do { \
> + long __kr_err = 0; \
> + __inttype(*(ptr)) __gu_val; \
> + __get_user_nocheck(__gu_val, (ptr), __kr_err); \
> + (x) = (__force __typeof__(*(ptr)))__gu_val; \
> + if (__kr_err) goto label; \
> +} while (0)
> +
> +/*
> + * We want the unsafe accessors to always be inlined and use
> + * the error labels - thus the macro games.
> + */
> +#define unsafe_copy_loop(dst, src, len, type, label) \
> + while (len >= sizeof(type)) { \
> + unsafe_put_user(*(type *)(src),(type __user *)(dst),label); \
> + dst += sizeof(type); \
> + src += sizeof(type); \
> + len -= sizeof(type); \
> + }
> +
> +#define unsafe_copy_to_user(_dst,_src,_len,label) \
> +do { \
> + char __user *__ucu_dst = (_dst); \
> + const char *__ucu_src = (_src); \
> + size_t __ucu_len = (_len); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label); \
> + unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label); \
> +} while (0)
Since a handful of these functions are duplicated across x86/arm64 it
would be nice to consolidate them to a shared header. That would
probably require quite a bit more work though so not in scope for this
patch.
Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Tested-by: Charlie Jenkins <charlie@rivosinc.com>
next prev parent reply other threads:[~2025-01-17 23:21 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-18 23:01 [PATCH v2 0/4] riscv: uaccess: optimizations Cyril Bur
2024-11-18 23:01 ` Cyril Bur
2024-11-18 23:01 ` [PATCH v2 1/4] riscv: implement user_access_begin and families Cyril Bur
2024-11-18 23:01 ` Cyril Bur
2025-01-17 23:21 ` Charlie Jenkins [this message]
2025-01-17 23:21 ` Charlie Jenkins
2025-02-05 15:08 ` Ben Dooks
2025-02-05 15:08 ` Ben Dooks
2025-02-13 17:07 ` Cyril Bur
2025-02-13 17:07 ` Cyril Bur
2025-02-13 17:16 ` Ben Dooks
2025-02-13 17:16 ` Ben Dooks
2025-02-18 19:21 ` Cyril Bur
2025-02-18 19:21 ` Cyril Bur
2024-11-18 23:01 ` [PATCH v2 2/4] riscv: uaccess: use input constraints for ptr of __put_user Cyril Bur
2024-11-18 23:01 ` Cyril Bur
2025-01-17 23:23 ` Charlie Jenkins
2025-01-17 23:23 ` Charlie Jenkins
2025-01-17 23:34 ` Jessica Clarke
2025-01-17 23:34 ` Jessica Clarke
2025-01-31 1:31 ` Cyril Bur
2025-01-31 1:31 ` Cyril Bur
2025-01-31 6:00 ` Charlie Jenkins
2025-01-31 6:00 ` Charlie Jenkins
2024-11-18 23:01 ` [PATCH v2 3/4] riscv: uaccess: use 'asm goto' for put_user() Cyril Bur
2024-11-18 23:01 ` Cyril Bur
2025-01-17 23:24 ` Charlie Jenkins
2025-01-17 23:24 ` Charlie Jenkins
2024-11-18 23:01 ` [PATCH v2 4/4] riscv: uaccess: use 'asm goto output' for get_user Cyril Bur
2024-11-18 23:01 ` Cyril Bur
2025-01-17 23:24 ` Charlie Jenkins
2025-01-17 23:24 ` Charlie Jenkins
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z4rl8BgoV8tygCn9@ghost \
--to=charlie@rivosinc.com \
--cc=aou@eecs.berkeley.edu \
--cc=cyrilbur@tenstorrent.com \
--cc=jszhang@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.