From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7FDF5C7115A
	for <linux-mm@archiver.kernel.org>; Sun, 22 Jun 2025 09:52:56 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 68A6A6B0095; Sun, 22 Jun 2025 05:52:55 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 662636B0096; Sun, 22 Jun 2025 05:52:55 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 5784B6B0098; Sun, 22 Jun 2025 05:52:55 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id 43BD66B0095
	for <linux-mm@kvack.org>; Sun, 22 Jun 2025 05:52:55 -0400 (EDT)
Received: from smtpin02.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay08.hostedemail.com (Postfix) with ESMTP id C4CF7141D14
	for <linux-mm@kvack.org>; Sun, 22 Jun 2025 09:52:54 +0000 (UTC)
X-FDA: 83582572668.02.EC2455F
Received: from pegase1.c-s.fr (pegase1.c-s.fr [93.17.236.30])
	by imf28.hostedemail.com (Postfix) with ESMTP id A7C59C0002
	for <linux-mm@kvack.org>; Sun, 22 Jun 2025 09:52:52 +0000 (UTC)
Authentication-Results: imf28.hostedemail.com;
	dkim=none;
	spf=pass (imf28.hostedemail.com: domain of christophe.leroy@csgroup.eu designates 93.17.236.30 as permitted sender) smtp.mailfrom=christophe.leroy@csgroup.eu;
	dmarc=pass (policy=quarantine) header.from=csgroup.eu
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1750585973;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:references; bh=M/o8uCxnyWRqwDvT4Ppcd6cBuXvl3tzAOfkmRNNHsRQ=;
	b=cMz/TKLbGvC9joky1HKggMdF8Sizvm8IhR4rv1TqeeSLn5p8V2XtqdPYA91lwypgRLGhwo
	Ilr34Bx4XzcMs0nHu10oawFsXWbOy+nYi9/4tlIbdpjYbGtKchEiMZBmF7TscV+JK4Noo9
	zKMsVQnDRkpUi19+0nq/v6TRWTEg5Ww=
ARC-Authentication-Results: i=1;
	imf28.hostedemail.com;
	dkim=none;
	spf=pass (imf28.hostedemail.com: domain of christophe.leroy@csgroup.eu designates 93.17.236.30 as permitted sender) smtp.mailfrom=christophe.leroy@csgroup.eu;
	dmarc=pass (policy=quarantine) header.from=csgroup.eu
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1750585973; a=rsa-sha256;
	cv=none;
	b=M0VZYjcVeAgesPiOve5Fc07+Ph4Wz6Jf7/Yo1KqQsNkXf0msRNGs5UwbBPqB8XcJj4H47F
	AbnsdKKnd/KTUDa0FBU8osrydqOCIsBF9bndRm3OmeczWQBEJGPI0Y8Gk1v5K+BqkINVje
	5oAwLjUU+pUaHt9YwcOb/hvOcqmgaH8=
Received: from localhost (mailhub3.si.c-s.fr [192.168.12.233])
	by localhost (Postfix) with ESMTP id 4bQ62n4sxNz9sWb;
	Sun, 22 Jun 2025 11:52:49 +0200 (CEST)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from pegase1.c-s.fr ([192.168.12.234])
	by localhost (pegase1.c-s.fr [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id pIyFw4tvJjvf; Sun, 22 Jun 2025 11:52:49 +0200 (CEST)
Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192])
	by pegase1.c-s.fr (Postfix) with ESMTP id 4bQ62n3Qplz9sTD;
	Sun, 22 Jun 2025 11:52:49 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by messagerie.si.c-s.fr (Postfix) with ESMTP id 6704E8B765;
	Sun, 22 Jun 2025 11:52:49 +0200 (CEST)
X-Virus-Scanned: amavisd-new at c-s.fr
Received: from messagerie.si.c-s.fr ([127.0.0.1])
	by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023)
	with ESMTP id SWopfc0YWtyj; Sun, 22 Jun 2025 11:52:49 +0200 (CEST)
Received: from PO20335.idsi0.si.c-s.fr (unknown [192.168.235.99])
	by messagerie.si.c-s.fr (Postfix) with ESMTP id 6A6848B763;
	Sun, 22 Jun 2025 11:52:48 +0200 (CEST)
From: Christophe Leroy <christophe.leroy@csgroup.eu>
To: Michael Ellerman <mpe@ellerman.id.au>,
	Nicholas Piggin <npiggin@gmail.com>,
	Naveen N Rao <naveen@kernel.org>,
	Madhavan Srinivasan <maddy@linux.ibm.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>,
	Jan Kara <jack@suse.cz>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Darren Hart <dvhart@infradead.org>,
	Davidlohr Bueso <dave@stgolabs.net>,
	"Andre Almeida" <andrealmeid@igalia.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	David Laight <david.laight.linux@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>,
	linux-kernel@vger.kernel.org,
	linuxppc-dev@lists.ozlabs.org,
	linux-fsdevel@vger.kernel.org,
	linux-mm@kvack.org
Subject: [PATCH 0/5] powerpc: Implement masked user access
Date: Sun, 22 Jun 2025 11:52:38 +0200
Message-ID: <cover.1750585239.git.christophe.leroy@csgroup.eu>
X-Mailer: git-send-email 2.49.0
MIME-Version: 1.0
X-Developer-Signature: v=1; a=ed25519-sha256; t=1750585958; l=2465; i=christophe.leroy@csgroup.eu; s=20211009; h=from:subject:message-id; bh=HySJmJimN0Mbor6aO2XQhe3eawUJ2DpD2MDAE2rsTBw=; b=avw+yxifZez04tL6hY4uI10f64fY7knh0RlaYqBAin24xTC5w1XQBwEkR2nEsI8dapqkvp3tb 3bSsrPI4uwKB/yFAZpo4xgJKt+m/LB7sfSbDkCIdrD3prqpxjkg79xc
X-Developer-Key: i=christophe.leroy@csgroup.eu; a=ed25519; pk=HIzTzUj91asvincQGOFx6+ZF5AoUuP9GdOtQChs7Mm0=
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: A7C59C0002
X-Stat-Signature: x5mmaae4pdcoc3ifrsiprohn3mjt4ko9
X-Rspam-User: 
X-Rspamd-Server: rspam04
X-HE-Tag: 1750585972-110828
X-HE-Meta: U2FsdGVkX1+PLnrcCVFFmM4/Ky8TxVrzTuY/FDqwKd8ZRn8aN7Z1I5nF5A6tw/fIQVEPvx52YX6UzCey0fnY5fJ96LeMg/EGQeQOHl+ypHTUKgL7VZ7logXmN+zj3PLjEV+/gG94/TPbLVhxTOr4Fjmp0PkZR+cC3tMdqVzg0nvWIn4/7lQ1MjwR27swH+SypE7XCwSv/edzlM0ovYuxaJtt19OuYoTUcYbUEpe8RDXOZHm3xcBkcIRPA4yFshl8TVOW++F4jJq0JZsPVSpPj5C68Aa4tN4WUl2z5SdtoNs6prUPkwfg/vgccHJOdwR5/dSYVGtuHAn+MhFEGelBMP7SbExP/+Ug0PK5poezhf5HsTERtoS42dFtTZTny166N5LHH+QkHiIp02owOZN4UpmObq3eUjUPWgQfQni4oFc0nn/D24s/elrMkFSw91z5QRmtRpPgz3ZPKqI4CKG9k9423s3IcNS8nZd2dvbtQMJD1FvEVIljF0K881YnDQClKx1rLe7Dd9qYjxk/cvUPN4sljGPRr0fl8iEgdy78T/WqOAs8UwIv2HdPhvOMUoHAyoOHgFvNYH74NVBGm13psCYFhaX+6h4e/zEYQBRVt86BubE63VlVjJ0KcOFUCz/jcGEZk/3Zqw/7bM0gzt+XsZy3yfB+4CB/T/S9P3JgRh5zHSKcGVd6mxdc1eGX9tTGBR+INGcSZBB/zVMFb9Cz96JUsUkMIaSuDOBnKIum7n/MxycqhcM5kstA0uRLGNzguV+nafB/8CbqliILUmXbV2hmuFr7spTYlv+Nw8k2eusqUcxgLw/UJPMqOYsy50fdstNF6jQ/y8Qr63XTVyoIUSCOeaH+SuWu+Xx8M4hMtUJTMtZfkKD24+qmKHif+cNpJLhNm/oP6RdIZjOT2jyHu7MEzuPbJjfg2L2OGu9gL2xU2Kt9arhOSvHkJkVjoNM8BLh4dHVEcZkGGeefqCT
 ZF3LpMat
 X9Eoa3ak4YgV1J/MtBjNTJmwhwuDJAt1TBvY0XNxdVZmX02BQ7+2/O48WYoxwN1WvadDe/rpZC2S6+Gn3wrCN/mHYCPKWxyYIJ7ceXVoOsnP4xuVeCUg+UGxmRsSqmPiMlG22RYCSunm4VxJXdPNkpjn4Hd4PGWI4Kay4FXhVzhG6RZvGGaV5EM+ZfA==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Masked user access avoids the address/size verification by access_ok().
Allthough its main purpose is to skip the speculation in the
verification of user address and size hence avoid the need of spec
mitigation, it also has the advantage to reduce the amount of
instructions needed so it also benefits to platforms that don't
need speculation mitigation, especially when the size of the copy is
not know at build time.

Unlike x86_64 which masks the address to 'all bits set' when the
user address is invalid, here the address is set to an address in
the gap. It avoids relying on the zero page to catch offseted
accesses. On book3s/32 it makes sure the opening remains on user
segment. The overcost is a single instruction in the masking.

First patch adds masked_user_read_access_begin() and
masked_user_write_access_begin() to match with user_read_access_end()
and user_write_access_end().

Second patch adds speculation barrier to copy_from_user_iter() so that
the barrier in powerpc raw_copy_from_user() which is redundant with
the one in copy_from_user() can be removed.

Third patch removes the redundant barrier_nospec() in
raw_copy_from_user().

Fourth patch removes the unused size parameter when enabling/disabling
user access.

Last patch implements masked user access.

Christophe Leroy (5):
  uaccess: Add masked_user_{read/write}_access_begin
  uaccess: Add speculation barrier to copy_from_user_iter()
  powerpc: Remove unused size parametre to KUAP enabling/disabling
    functions
  powerpc: Move barrier_nospec() out of allow_read_{from/write}_user()
  powerpc: Implement masked user access

 arch/powerpc/Kconfig                         |   2 +-
 arch/powerpc/include/asm/book3s/32/kup.h     |   2 +-
 arch/powerpc/include/asm/book3s/64/kup.h     |   4 +-
 arch/powerpc/include/asm/kup.h               |  24 ++--
 arch/powerpc/include/asm/nohash/32/kup-8xx.h |   2 +-
 arch/powerpc/include/asm/nohash/kup-booke.h  |   2 +-
 arch/powerpc/include/asm/uaccess.h           | 140 ++++++++++++++++---
 fs/select.c                                  |   2 +-
 include/linux/uaccess.h                      |   8 ++
 kernel/futex/futex.h                         |   4 +-
 lib/iov_iter.c                               |   7 +
 lib/strncpy_from_user.c                      |   2 +-
 lib/strnlen_user.c                           |   2 +-
 13 files changed, 158 insertions(+), 43 deletions(-)

-- 
2.49.0