From: David Laight <david.laight.linux@gmail.com>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: torvalds@linux-foundation.org, brauner@kernel.org,
viro@zeniv.linux.org.uk, jack@suse.cz,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
tglx@linutronix.de, pfalcato@suse.de
Subject: Re: [PATCH 1/3] x86: fix access_ok() and valid_user_address() using wrong USER_PTR_MAX in modules
Date: Sat, 1 Nov 2025 11:26:04 +0000
Message-ID: <20251101112604.09d32993@pumpkin>
In-Reply-To: <20251031174220.43458-2-mjguzik@gmail.com>
On Fri, 31 Oct 2025 18:42:18 +0100
Mateusz Guzik <mjguzik@gmail.com> wrote:
> [real commit message will land here later]
Hmmm... modules use the 0x123456789abcdef0 placeholder (the 0 might not be
in the right place), this is non-canonical so nothing is badly broken.
Just allows speculative accesses to kernel space on some cpu.
> ---
> arch/x86/include/asm/uaccess_64.h | 17 +++++++++--------
> arch/x86/kernel/cpu/common.c | 8 +++++---
> 2 files changed, 14 insertions(+), 11 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
> index c8a5ae35c871..f60c0ed147c3 100644
> --- a/arch/x86/include/asm/uaccess_64.h
> +++ b/arch/x86/include/asm/uaccess_64.h
> @@ -12,13 +12,14 @@
> #include <asm/cpufeatures.h>
> #include <asm/page.h>
> #include <asm/percpu.h>
> -#include <asm/runtime-const.h>
>
> -/*
> - * Virtual variable: there's no actual backing store for this,
> - * it can purely be used as 'runtime_const_ptr(USER_PTR_MAX)'
> - */
> -extern unsigned long USER_PTR_MAX;
> +extern unsigned long user_ptr_max;
> +#ifdef MODULE
> +#define __user_ptr_max_accessor user_ptr_max
> +#else
> +#include <asm/runtime-const.h>
> +#define __user_ptr_max_accessor runtime_const_ptr(user_ptr_max)
> +#endif
>
> #ifdef CONFIG_ADDRESS_MASKING
> /*
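Review bot: the `#ifdef MODULE` split at the top of this hunk deletes the only comment that explained this symbol and puts nothing in its place; a reader now meets `extern unsigned long user_ptr_max;` and `__user_ptr_max_accessor` resolving to either a plain load or `runtime_const_ptr(user_ptr_max)` with no word on why modules take the variable path (their text is not patched, which is the bug the subject line names). Suggest a short comment above the `#ifdef` saying that built-in code reads the patched immediate while modules read the exported variable, and that the two are written from the same value in arch_cpu_finalize_init().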
> @@ -54,7 +55,7 @@ static inline unsigned long __untagged_addr_remote(struct mm_struct *mm,
> #endif
>
> #define valid_user_address(x) \
> - likely((__force unsigned long)(x) <= runtime_const_ptr(USER_PTR_MAX))
> + likely((__force unsigned long)(x) <= __user_ptr_max_accessor)
>
> /*
> * Masking the user address is an alternative to a conditional
> @@ -67,7 +68,7 @@ static inline void __user *mask_user_address(const void __user *ptr)
> asm("cmp %1,%0\n\t"
> "cmova %1,%0"
> :"=r" (ret)
> - :"r" (runtime_const_ptr(USER_PTR_MAX)),
> + :"r" (__user_ptr_max_accessor),
> "0" (ptr));
> return ret;
> }
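Review bot: the only change here is the input operand at `:"r" (__user_ptr_max_accessor),`, so the branchless cmp/cmova clamp survives unchanged for modules; the practical difference is that in a module the limit is now a load of user_ptr_max rather than an immediate patched into the instruction stream. With cmova, a pointer above the limit becomes the limit, so the clamp is only fail-safe while that variable holds a non-user, unmappable value; a zero-initialised variable would clamp every pointer to 0 and make every module copy fault. Worth a one-line comment above the asm tying the variable form to the initialisation in common.c.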
> diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
> index 3ff9682d8bc4..f338f5e9adfc 100644
> --- a/arch/x86/kernel/cpu/common.c
> +++ b/arch/x86/kernel/cpu/common.c
> @@ -78,6 +78,9 @@
> DEFINE_PER_CPU_READ_MOSTLY(struct cpuinfo_x86, cpu_info);
> EXPORT_PER_CPU_SYMBOL(cpu_info);
>
> +unsigned long user_ptr_max __ro_after_init;
> +EXPORT_SYMBOL(user_ptr_max);
That doesn't appear to be inside a CONFIG_X86_64 define.
I think I'd initialise it to one of its two values - probably the LA48 one.
David
> +
> u32 elf_hwcap2 __read_mostly;
>
> /* Number of siblings per CPU package */
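Review bot: `unsigned long user_ptr_max __ro_after_init;` and the `EXPORT_SYMBOL(user_ptr_max);` below it are unconditional, but every reader of the symbol lives in uaccess_64.h and the only assignment (further down in this file) sits inside `if (IS_ENABLED(CONFIG_X86_64))`, so a 32-bit build exports a variable that nothing reads and nothing sets. Wrap the definition and export in `#ifdef CONFIG_X86_64`, and give it an initialiser (TASK_SIZE_MAX, i.e. the LA48 value) instead of relying on a zero that rejects every user pointer until arch_cpu_finalize_init() has run.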
> @@ -2575,14 +2578,13 @@ void __init arch_cpu_finalize_init(void)
> alternative_instructions();
>
> if (IS_ENABLED(CONFIG_X86_64)) {
> - unsigned long USER_PTR_MAX = TASK_SIZE_MAX;
> -
> + user_ptr_max = TASK_SIZE_MAX;
> /*
> * Enable this when LAM is gated on LASS support
> if (cpu_feature_enabled(X86_FEATURE_LAM))
> USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;
> */
> - runtime_const_init(ptr, USER_PTR_MAX);
> + runtime_const_init(ptr, user_ptr_max);
>
> /*
> * Make sure the first 2MB area is not mapped by huge pages
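Review bot: the commented-out LAM block still reads `USER_PTR_MAX = (1ul << 63) - PAGE_SIZE;` while the live line just above it became `user_ptr_max = TASK_SIZE_MAX;`; rename it in this patch so the dead code does not refer to a symbol that no longer exists. Separately, `runtime_const_init(ptr, user_ptr_max);` now names a global where it previously named a local of the same spelling, so the runtime-const identifier and the exported variable share one name; if that is intended, a one-line comment that the patched immediate and the variable are both set from the same value here would save the next reader the question.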
Thread overview: 51+ messages
2025-10-30 10:52 [PATCH v4] fs: hide names_cachep behind runtime access machinery Mateusz Guzik
2025-10-30 13:13 ` kernel test robot
2025-10-30 13:19 ` Mateusz Guzik
2025-10-30 16:15 ` Linus Torvalds
2025-10-30 16:35 ` Mateusz Guzik
2025-10-30 18:07 ` Linus Torvalds
2025-10-30 18:25 ` Linus Torvalds
2025-10-30 21:39 ` Mateusz Guzik
2025-10-30 22:06 ` Mateusz Guzik
2025-10-31 12:08 ` Christian Brauner
2025-10-31 15:13 ` Mateusz Guzik
2025-10-31 16:04 ` Linus Torvalds
2025-10-31 16:25 ` Mateusz Guzik
2025-10-31 16:31 ` Linus Torvalds
2025-10-31 17:42 ` [WIP RFC PATCH 0/3] runtime-const header split and whatnot Mateusz Guzik
2025-10-31 17:42 ` [PATCH 1/3] x86: fix access_ok() and valid_user_address() using wrong USER_PTR_MAX in modules Mateusz Guzik
2025-10-31 21:46 ` Linus Torvalds
2025-10-31 22:01 ` Mateusz Guzik
2025-11-01 11:26 ` David Laight [this message]
2025-11-04 6:25 ` Linus Torvalds
2025-11-04 8:56 ` Mateusz Guzik
2025-11-04 9:37 ` Linus Torvalds
2025-11-04 10:25 ` Borislav Petkov
2025-11-04 16:13 ` Borislav Petkov
2025-11-05 1:50 ` Linus Torvalds
2025-11-05 11:37 ` Borislav Petkov
2025-11-05 20:50 ` Mateusz Guzik
2025-11-06 11:14 ` Borislav Petkov
2025-11-06 12:06 ` Mateusz Guzik
2025-11-06 13:10 ` Borislav Petkov
2025-11-06 13:19 ` Mateusz Guzik
2025-11-06 13:36 ` Borislav Petkov
2025-11-06 14:49 ` Mateusz Guzik
2025-11-06 19:26 ` David Laight
2025-11-06 19:49 ` Linus Torvalds
2025-11-04 17:09 ` Sean Christopherson
2025-11-04 19:07 ` Linus Torvalds
2025-11-04 19:34 ` Linus Torvalds
2025-11-04 21:53 ` Sean Christopherson
2025-11-04 20:17 ` Borislav Petkov
2025-11-04 22:06 ` Linus Torvalds
2025-11-05 11:49 ` Borislav Petkov
2025-10-31 17:42 ` [PATCH 2/3] runtime-const: split headers between accessors and fixup; disable for modules Mateusz Guzik
2025-10-31 17:42 ` [PATCH 3/3] fs: hide names_cachep behind runtime access machinery Mateusz Guzik
2025-10-31 23:30 ` kernel test robot
2025-10-31 23:30 ` kernel test robot
2025-10-31 23:41 ` kernel test robot
2025-11-01 17:49 ` kernel test robot
2025-10-31 13:30 ` [PATCH v4] " kernel test robot
2025-10-31 22:43 ` kernel test robot
2025-11-01 23:06 ` kernel test robot
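As an added example (written here, not code from the patch or from the kernel tree), the point at the top of David's reply that the placeholder is non-canonical so "nothing is badly broken" can be checked in user space. The block below models the two checks the patch touches, valid_user_address() as a conditional compare and mask_user_address() as a branchless clamp, and evaluates them against the real LA48 TASK_SIZE_MAX and against the module placeholder. Assumptions: 4 KiB pages, 48-bit virtual addresses, the placeholder digits exactly as quoted in the reply (David notes the 0 may not be in the right place), and a constructed set of probe addresses.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the x86-64
 * user-pointer checks in uaccess_64.h.  Assumptions: 4 KiB pages, LA48
 * (48-bit VA), and the placeholder value as quoted in the reply.
 */
#define PAGE_SIZE          4096ULL
#define LA48_TASK_SIZE_MAX ((1ULL << 47) - PAGE_SIZE)  /* 0x00007ffffffff000 */
#define MODULE_PLACEHOLDER 0x123456789abcdef0ULL       /* assumed, per the reply */

/* Canonical 48-bit address: bits 63..47 all zero (user half) or all one (kernel half). */
static bool canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;               /* the 17 bits 63..47 */
    return top == 0 || top == 0x1ffff;
}

/* Model of valid_user_address(): does the conditional check let the access proceed? */
static bool model_valid_user_address(uint64_t ptr, uint64_t limit)
{
    return ptr <= limit;
}

/* Model of mask_user_address() (cmp/cmova): anything above the limit becomes the limit. */
static uint64_t model_mask_user_address(uint64_t ptr, uint64_t limit)
{
    return ptr > limit ? limit : ptr;
}

enum verdict {
    REJECTED,           /* check fails: -EFAULT before memory is touched */
    ACCEPTED_USER,      /* check passes on a canonical user address */
    ACCEPTED_NONCANON,  /* check passes on a non-canonical address: any access faults */
};

static enum verdict classify(uint64_t ptr, uint64_t limit)
{
    if (!model_valid_user_address(ptr, limit))
        return REJECTED;
    return canonical48(ptr) ? ACCEPTED_USER : ACCEPTED_NONCANON;
}

/* After masking, does ptr end up as a canonical kernel-half address, i.e. could a
 * dereference architecturally read kernel memory?  A limit would have to allow
 * this before the wrong constant became "badly broken". */
static bool masked_reaches_kernel(uint64_t ptr, uint64_t limit)
{
    uint64_t m = model_mask_user_address(ptr, limit);
    return (m >> 47) == 0x1ffff;
}

static const char *verdict_name(enum verdict v)
{
    return v == REJECTED ? "rejected" :
           v == ACCEPTED_USER ? "accepted (user)" : "accepted (NON-CANONICAL)";
}

int main(void)
{
    /* constructed probe addresses */
    const uint64_t probes[] = {
        0x00007f0000001000ULL,          /* ordinary user pointer */
        LA48_TASK_SIZE_MAX + PAGE_SIZE, /* first address past user space */
        0x1000000000000000ULL,          /* below the placeholder, non-canonical */
        0xffff888000000000ULL,          /* kernel direct map */
    };
    const uint64_t limits[] = { LA48_TASK_SIZE_MAX, MODULE_PLACEHOLDER };
    const char *limit_name[] = { "LA48 TASK_SIZE_MAX", "module placeholder" };

    for (size_t l = 0; l < 2; l++) {
        printf("limit = %s (0x%016" PRIx64 ")\n", limit_name[l], limits[l]);
        for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
            uint64_t p = probes[i];
            printf("  0x%016" PRIx64 ": %-26s mask -> 0x%016" PRIx64 "%s\n",
                   p, verdict_name(classify(p, limits[l])),
                   model_mask_user_address(p, limits[l]),
                   masked_reaches_kernel(p, limits[l]) ? "  REACHES KERNEL" : "");
        }
    }
    return 0;
}
```

With the placeholder, a kernel-half pointer is still rejected by the compare and still clamped to a non-canonical value by the mask, so any architectural access faults; what the placeholder does wrongly is admit non-canonical addresses between TASK_SIZE_MAX and itself, which is why the wrong constant is a correctness bug rather than a kernel-memory disclosure. The `masked_reaches_kernel()` helper with an all-ones limit shows the outcome a canonical wrong value would have had.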