From: Deepak Gupta <debug@rivosinc.com>
To: Lukas Gerlach <lukas.gerlach@cispa.de>
Cc: linux-riscv@lists.infradead.org, palmer@dabbelt.com,
	pjw@kernel.org, aou@eecs.berkeley.edu, alex@ghiti.fr,
	linux-kernel@vger.kernel.org, daniel.weber@cispa.de,
	michael.schwarz@cispa.de, marton.bognar@kuleuven.be,
	jo.vanbulck@kuleuven.be
Subject: Re: [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation
Date: Sat, 27 Dec 2025 16:41:36 -0800	[thread overview]
Message-ID: <aVB8wLSgmE7IRo7e@debug.ba.rivosinc.com> (raw)
In-Reply-To: <20251227125703.80908-1-lukas.gerlach@cispa.de>

On Sat, Dec 27, 2025 at 01:57:03PM +0100, Lukas Gerlach wrote:
>Thanks for the review. You're right - we should only clear the sign bit
>(b38/b47/b56 depending on mode), not b63. Clearing upper bits would
>interfere with pointer masking.
>
>Here's a fix that computes the sign bit position arithmetically to avoid
>branches; this ensures the mitigation cannot be bypassed under speculation.
>This is basically the VA_BITS macro but computed in a branch-free way.
>
>In arch/riscv/include/asm/uaccess.h:
>
>  #define UACCESS_SIGN_BIT \
>      (VA_BITS_SV39 - 1 + 9*((unsigned long)pgtable_l4_enabled) + \
>       9*((unsigned long)pgtable_l5_enabled))
>
>  #define uaccess_mask_ptr(ptr) ((__typeof__(ptr))__uaccess_mask_ptr(ptr))
>  static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
>  {
>      return (void __user *)((unsigned long)ptr & ~BIT_ULL(UACCESS_SIGN_BIT));
>  }
>
>This evaluates to bit 38 for Sv39, bit 47 for Sv48, and bit 56 for Sv57.

Looks good to me.
Although, I am concerned about maintainability and bit-rotting.
I would suggest fixing the VA_BITS definition instead of defining a new macro here.




_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
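
The branch-free sign-bit computation from the quoted message, as an added user-space example (not part of the thread or of the kernel source). Here `pgtable_l4_enabled` and `pgtable_l5_enabled` are plain variables, `set_mode()` and the sample addresses are constructed, and Sv57 is assumed to set both flags, consistent with the stated result of bit 56.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS_SV39 39

/* Stand-ins for the kernel's runtime paging-mode flags (assumption:
 * Sv48 sets only the l4 flag, Sv57 sets both). */
static bool pgtable_l4_enabled, pgtable_l5_enabled;

/* Sign-bit position computed with arithmetic only, no branch to mispredict. */
static unsigned int uaccess_sign_bit(void)
{
    return (unsigned int)(VA_BITS_SV39 - 1 +
                          9 * (unsigned long)pgtable_l4_enabled +
                          9 * (unsigned long)pgtable_l5_enabled);
}

/* Clear only the VA sign bit; all other bits, including any tag bits
 * above it, pass through unchanged. */
static uint64_t uaccess_mask_addr(uint64_t addr)
{
    return addr & ~(UINT64_C(1) << uaccess_sign_bit());
}

/* Hypothetical helper: select Sv39, Sv48 or Sv57 for the demonstration. */
static void set_mode(int va_bits)
{
    pgtable_l4_enabled = va_bits >= 48;
    pgtable_l5_enabled = va_bits >= 57;
}

int main(void)
{
    static const int modes[] = { 39, 48, 57 };
    for (int i = 0; i < 3; i++) {
        set_mode(modes[i]);
        unsigned int sb = uaccess_sign_bit();
        uint64_t kaddr = ~UINT64_C(0) << sb;   /* constructed: lowest upper-half address */
        uint64_t uaddr = UINT64_C(0x12345000); /* constructed: lower-half address */
        printf("Sv%d: sign bit %u, upper-half %#018llx -> %#018llx, user %#llx -> %#llx\n",
               modes[i], sb,
               (unsigned long long)kaddr, (unsigned long long)uaccess_mask_addr(kaddr),
               (unsigned long long)uaddr, (unsigned long long)uaccess_mask_addr(uaddr));
    }
    return 0;
}
```

An address whose sign bit is already 0 is returned unchanged, and bits above the sign bit are never modified.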
