Date: Fri, 23 Sep 2022 13:29:21 +0100
From: Mark Rutland
To: Will Deacon
Cc: linux-arm-kernel@lists.infradead.org, catalin.marinas@arm.com, james.morse@arm.com, robin.murphy@arm.com
Subject: Re: [PATCH] arm64: uaccess: simplify uaccess_mask_ptr()
References: <20220922151053.3520750-1-mark.rutland@arm.com> <20220922205545.GA12945@willie-the-truck>
In-Reply-To: <20220922205545.GA12945@willie-the-truck>

On Thu, Sep 22, 2022 at 09:55:46PM +0100, Will Deacon wrote:
> On Thu, Sep 22, 2022 at 04:10:53PM +0100, Mark Rutland wrote:
> > We introduced uaccess pointer masking for arm64 in commit:
> >
> >   4d8efc2d5ee4c9cc ("arm64: Use pointer masking to limit uaccess speculation")
> >
> > Which was intended to prevent speculative uaccesses to kernel memory on
> > CPUs where access permissions were not respected under speculation.
> >
> > At the time, the uaccess primitives were occasionally used to access
> > kernel memory, with the maximum permitted address held in
> > thread_info::addr_limit. Consequently, the address masking needed to
> > take this dynamic limit into account.
> >
> > Subsequently the uaccess primitives were reworked such that they are
> > only used for user memory, and as of commit:
> >
> >   3d2403fd10a1dbb3 ("arm64: uaccess: remove set_fs()")
> >
> > ... the address limit was made a compile-time constant, but the logic
> > was otherwise unchanged.
> >
> > Regardless of the configured VA size or whether TBI is in use, the
> > address space can be divided into three ranges:
> >
> > * The TTBR0 VA range, for which any valid pointer has bit 55 *clear*,
> >   and any non-tag bits [63-56] must match bit 55 (i.e. must be clear).
> >
> > * The TTBR1 VA range, for which any valid pointer has bit 55 *set*, and
> >   any non-tag bits [63-56] must match bit 55 (i.e. must be set).
> >
> > * The gap between the TTBR0 and TTBR1 ranges, where bit 55 may be set or
> >   clear, but any access will result in a fault.
> >
> > As the uaccess primitives are now only used for user memory in the TTBR0
> > VA range, we can prevent generation of TTBR1 addresses by clearing bit
> > 55, which will either result in a TTBR0 address or a faulting address
> > between the TTBR VA ranges.
> >
> > This is beneficial for code generation as:
> >
> > * We no longer clobber the condition codes.
> >
> > * We no longer burn a register on (TASK_SIZE_MAX - 1).
> >
> > * We no longer need to consume the untagged pointer.
> >
> > When building a defconfig v6.0-rc3 with GCC 12.1.0, this change makes
> > the resulting Image 64KiB smaller.
> >
> > Signed-off-by: Mark Rutland
> > Cc: Catalin Marinas
> > Cc: James Morse
> > Cc: Robin Murphy
> > Cc: Will Deacon
> > ---
> >  arch/arm64/include/asm/uaccess.h | 19 ++++++++++---------
> >  1 file changed, 10 insertions(+), 9 deletions(-)
> >
> > diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> > index 2fc9f0861769a..e69559826cb8c 100644
> > --- a/arch/arm64/include/asm/uaccess.h
> > +++ b/arch/arm64/include/asm/uaccess.h
> > @@ -203,9 +203,11 @@ static inline void uaccess_enable_privileged(void) > > } > > > > /* > > - * Sanitise a uaccess pointer such that it becomes NULL if above the maximum > > - * user address. In case the pointer is tagged (has the top byte set), untag > > - * the pointer before checking. > > + * Sanitize a uaccess pointer such that it cannot reach any kernel address. > > + * > > + * Clearing bit 55 ensures the pointer cannot address any portion of the TTBR1 > > + * address range (i.e. any kernel address), and either the pointer falls within > > + * the TTBR0 address range or must cause a fault. > > */ > > #define uaccess_mask_ptr(ptr) (__typeof__(ptr))__uaccess_mask_ptr(ptr) > > static inline void __user *__uaccess_mask_ptr(const void __user *ptr) > > @@ -213,12 +215,11 @@ static inline void __user *__uaccess_mask_ptr(const void __user *ptr) > > void __user *safe_ptr; > > > > asm volatile( > > - " bics xzr, %3, %2\n" > > - " csel %0, %1, xzr, eq\n" > > - : "=&r" (safe_ptr) > > - : "r" (ptr), "r" (TASK_SIZE_MAX - 1), > > - "r" (untagged_addr(ptr)) > > - : "cc"); > > + " bic %0, %1, %2\n" > > + : "=r" (safe_ptr) > > + : "r" (ptr), > > + "i" (BIT(55)) > > + ); > > > > csdb();
>
> Why do we still need the CSDB after your change?

I went back and forth on whether that was necessary, and left it purely due
to an abundance of caution.

I don't believe it should be necessary (since the BIC is unconditional), and
I'm happy to delete it.

Should I do that for v2? ... or would you like to delete that when applying?

Thanks,
Mark.
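Review bot: in the first hunk the new comment's closing clause, "and either the pointer falls within the TTBR0 address range or must cause a fault", is hard to parse; suggest "so the result is either a TTBR0 address or an address that must fault". Since the pointer is no longer untagged before masking, the comment should also say that bits [63:56] are left alone because they are either ignored under TBI or, when they do not match bit 55, already cause a fault, as the commit message explains. The respelling of "Sanitise" as "Sanitize" is unrelated churn.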
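Review bot: the second hunk keeps csdb() after the asm block, yet the replacement is a single unconditional `bic %0, %1, %2` that neither sets nor reads the condition codes and has no conditional select whose speculative outcome the barrier would fence, so the barrier has nothing left to order; drop the csdb() in this hunk or add a one-line comment saying why it is retained. Dropping the "cc" clobber and relaxing "=&r" to "=r" are consistent with that single non-flag-setting instruction, so those parts look right.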
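The address-range argument from the commit message, worked through as an added example (not code from the patch or the kernel): the old and new masking schemes side by side, plus a classifier for the three ranges the message describes. The va_bits parameter, the 48-bit TASK_SIZE value and the sample pointers are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum va_range { VA_TTBR0, VA_TTBR1, VA_FAULT };

/* New masking from the patch: unconditionally clear bit 55 (the BIC). */
static uint64_t mask_ptr_new(uint64_t ptr)
{
	return ptr & ~(UINT64_C(1) << 55);
}

/* Old masking (the BICS/CSEL pair): untag, then NULL the pointer if the
 * untagged address is at or above TASK_SIZE_MAX, which is a power of two. */
static uint64_t mask_ptr_old(uint64_t ptr, uint64_t task_size_max)
{
	uint64_t untagged = ptr & ~(UINT64_C(0xff) << 56);
	return (untagged & ~(task_size_max - 1)) ? 0 : ptr;
}

/* Classify an address into the ranges the commit message describes, for a
 * VA size of va_bits (<= 55) with TBI on or off: without TBI bits [63:56]
 * must match bit 55, and bits [54:va_bits] must match bit 55 for either TTBR. */
static enum va_range classify(uint64_t addr, unsigned va_bits, bool tbi)
{
	uint64_t bit55 = (addr >> 55) & 1;
	uint64_t sel_mask = (UINT64_C(1) << (55 - va_bits)) - 1;
	uint64_t sel = (addr >> va_bits) & sel_mask;
	if (!tbi && (addr >> 56) != (bit55 ? 0xff : 0x00))
		return VA_FAULT;
	if (!bit55 && sel == 0)
		return VA_TTBR0;
	return (bit55 && sel == sel_mask) ? VA_TTBR1 : VA_FAULT;
}

/* Constructed samples for a 48-bit VA kernel: a TBI-tagged user pointer
 * and a TTBR1 (kernel) pointer. */
#define TASK_SIZE_48 (UINT64_C(1) << 48)
#define TAGGED_PTR   (UINT64_C(0x0000aaaabbbbc000) | (UINT64_C(0x3f) << 56))
#define KERN_PTR     UINT64_C(0xffff800008000000)

int main(void)
{
	uint64_t k = mask_ptr_new(KERN_PTR), t = mask_ptr_new(TAGGED_PTR);
	/* kernel ptr: old scheme gives NULL, new scheme a faulting address;
	 * tagged user ptr: tag kept and still a TTBR0 address under TBI */
	printf("kern old=%#llx new=%#llx range=%d; tagged new=%#llx range=%d\n",
	       (unsigned long long)mask_ptr_old(KERN_PTR, TASK_SIZE_48),
	       (unsigned long long)k, classify(k, 48, true),
	       (unsigned long long)t, classify(t, 48, true));
	return 0;
}
```

Clearing bit 55 turns the kernel pointer into 0xff7f800008000000, which the classifier reports as faulting for 48- and 52-bit VA with or without TBI, whereas the old scheme needed the TASK_SIZE_MAX operand and the untagged copy to reach its NULL.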