From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id C274E276028
	for <linux-kernel@vger.kernel.org>; Sun, 22 Mar 2026 11:03:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.41
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1774177422; cv=none; b=sbr7ZPJKXee5Vwz1mDc4Sjz9eDMduYLwOybdeEEXF4P7HZjBoWtFsPRVBnSbooIFmK85t58C9HO1UqpCUaP0bLix8mFfzrcdrm4u6ap67g38KLuDKLu3VPXWNYbYrmnhHAlWb8yahAxiwqpqYTILxTuAItXUhO2safsf4LUZWmg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1774177422; c=relaxed/simple;
	bh=C51eL4vC5t9OS1N2D0DV4OJuwjnautJP8n2YEU7lfEw=;
	h=Date:From:To:Cc:Subject:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type; b=WnCZ2H7G6iHeidZJJ3hAoWJ7jmKQAeSSGLJRrObDI+/pfC8NbxpH/qtaupx5UwTrq973PZBa+81JItBvrDSbCAzn6aZ+9mm8WoWvutTki8t4ft+2gX3yKkNYST9mYsQFbxC5Ryj9BgW6wTxWMjfLl1DHrEHi/4hHff+bWQqVtHs=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=VLp0GPGv; arc=none smtp.client-ip=209.85.221.41
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VLp0GPGv"
Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-439b7c2788dso1178161f8f.1
        for <linux-kernel@vger.kernel.org>; Sun, 22 Mar 2026 04:03:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1774177419; x=1774782219; darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:from:to:cc:subject:date
         :message-id:reply-to;
        bh=y2uMc8piwzlAYxFSiatJbfAWN3tMY29jqB8b6nTwrg4=;
        b=VLp0GPGvjCcmnY/t//XLoLDBSNSFpN6fDYE995qef06FvpIvGQxhgTXxdpjQsLghKT
         KoAmLrh7ZJZ2upG4mO0tLnZDoZfrmRKf6shJ5l8LIzwedmqcxQ7YNavzfzIBHl2VE1ce
         6S28LmBxhvEB9UDc2HinfJ8vajlsxNOuk5Hh2COxtQ9ePpl6mX1I4ja6AMBO26NeLeWh
         3sEj6g37Z4JeqDQW+cZDe6MJ4UbIcdozGsIQM2leY1Y9Kpw8ZX0y42BeGnnXVm/xE4xP
         1hJLmpAutaCtw2Jy+yyrPUgMqDAXhtiKK/eeCFWydJxz3tkyeDTHw4bqXF+8zoOVsS/4
         JQuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1774177419; x=1774782219;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=y2uMc8piwzlAYxFSiatJbfAWN3tMY29jqB8b6nTwrg4=;
        b=haJPxHYmPFNVchpUKvvrQgGqseYj9F1/m4gIL+DIsvmBENc+Oxmd5c2jNrlUwfFozS
         9KtssTuiysfpFmlNIsacVZsLoIYDl0w7FtKb7ClKHH3Y6KepfKMD0lzPjeCc3ealWTzR
         H6cUCXS8yOCjxBjLtj8Rw/di9izSMGNuDoxck/mA+Wi4luZS+4fpOqSkgN/SQ61q/d6c
         HhTBLZlMDBwcZzscYagR8yhvn+LKNiOKC7rV2SCXCYpbi++9KO+mM9O+cGsLB1ZPdZJD
         NNhZ/Dvd6umZ/BddeT/Z7J4vet9gH+po/iAHzC4kyrdENHmjCK+HyW5IqcODITjPTTIx
         mJVg==
X-Forwarded-Encrypted: i=1; AJvYcCU+OhySOKZGY598tI9IUTEIDbNBDoCQjGh0IqdDfZhwuj5ROFOhXnaxzZrTgc3bwL3XrgPGJgz7hIEYay8=@vger.kernel.org
X-Gm-Message-State: AOJu0Yxs0EvLPafi4F0PZvFxy1Z820Y4yOyv7B3aAcQErvvoYp7011WU
	GtVuXoe3PoyrwPfO35TqQuVo0oZrLn53ELaC0KLgYFoPVOy+IiQQp3xe
X-Gm-Gg: ATEYQzzUBIJY4Dve4RQzR+2fYuc5CwV4NkCkPhm0+JiORjJwEkxM3ROwoGj19WwhTMJ
	m9NXP2cwj/BYecxrd1+7HMg7LsDe4pNCnfPevlHQ38yJHUTqxREvaU/vLze3MFTqWx6Oega1ETm
	+YMZ9AJJucddnnZfVogrosI2AXQGqrsSjtLVN8IltbF5Y2aO8L0Ygzo7V2ok6X5rpzKada2eou2
	HIo5xG/fJkqsuBHH+reSBT7UHzSIARX7qguEpqsRpFmu8mAbDNHxBXPz1hYV5vTUrmGj9qRajHr
	6KWQ7CDqyCJLn/TQufL3Y341vQgVJPIBYHARXL67MHUUTsUiSZdM8/2xMhgg4ocB2DVwceSBGR3
	WJ0ifXUpJhmPRpKpc9jCb8Kh0BndiX36S66o7cfp5irnR8P8L/7rMTPlJWmrVXBwSg9NLJK6QaC
	lsjPulv72SWce/asp3C6HQlDYBw67OaieGLlEnVDCasW9POu7tsOJTTiAM2c2iMvBq
X-Received: by 2002:a05:6000:2dc2:b0:43b:4aba:8f44 with SMTP id ffacd0b85a97d-43b64287241mr13236711f8f.45.1774177418769;
        Sun, 22 Mar 2026 04:03:38 -0700 (PDT)
Received: from pumpkin (82-69-66-36.dsl.in-addr.zen.co.uk. [82.69.66.36])
        by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-43b644bd923sm24424857f8f.12.2026.03.22.04.03.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 22 Mar 2026 04:03:38 -0700 (PDT)
Date: Sun, 22 Mar 2026 11:03:36 +0000
From: David Laight <david.laight.linux@gmail.com>
To: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>, Nicholas Piggin
 <npiggin@gmail.com>, Madhavan Srinivasan <maddy@linux.ibm.com>,
 linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH] powerpc: Simplify access_ok()
Message-ID: <20260322110336.66cd54af@pumpkin>
In-Reply-To: <56dd1a892279fade2292b7eef7a52112901ae2fd.1773770778.git.chleroy@kernel.org>
References: <56dd1a892279fade2292b7eef7a52112901ae2fd.1773770778.git.chleroy@kernel.org>
X-Mailer: Claws Mail 4.1.1 (GTK 3.24.38; arm-unknown-linux-gnueabihf)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Tue, 17 Mar 2026 19:07:04 +0100
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org> wrote:

> With the implementation of masked user access, we always have a memory
> gap between user memory space and kernel memory space, so use it to
> simplify access_ok() by relying on access fault in case of an access
> in the gap.
> 
> Most of the time the size is known at build time.
> 
> On powerpc64, the kernel space starts at 0x8000000000000000 which is
> always more than two times TASK_USER_MAX so when the size is known at
> build time and lower than TASK_USER_MAX, only the address needs to be
> verified. If not, a binary or of address and size must be lower than
> TASK_USER_MAX. As TASK_USER_MAX is a power of 2, just check that
> there is no bit set outside of TASK_USER_MAX - 1 mask.
> 
> On powerpc32, there is a garanteed gap of 128KB so when the size is
> known at build time and not greater than 128KB, just check that the
> address is below TASK_SIZE. Otherwise use the original formula.

Given that the whole thing relies on the kernel code 'obeying the rules'
is it enough to require that the accesses will be 'moderately sequential'?
Provided there are no jumps greater than 128k the length can be ignored.

I think Linus thought about doing that for x86-64.

I can't imagine that happening unless there is code that probes the end of
the user buffer before starting a transfer - and that is pretty pointless.

There are places that skip a few bytes (or just access in the wrong order)
but it is likely to be alignment padding, and code should be doing the
access_ok() check for each fragment - not on the entire buffer.

> 
> Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
> ---
>  arch/powerpc/include/asm/uaccess.h | 26 ++++++++++++++++++++++++++
>  1 file changed, 26 insertions(+)
> 
> diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
> index 570b3d91e2e4..ec210ae62be7 100644
> --- a/arch/powerpc/include/asm/uaccess.h
> +++ b/arch/powerpc/include/asm/uaccess.h
> @@ -15,8 +15,34 @@
>  #define TASK_SIZE_MAX		TASK_SIZE_USER64
>  #endif
>  
> +#define __access_ok __access_ok
> +
>  #include <asm-generic/access_ok.h>
>  
> +/*
> + * On powerpc64, TASK_SIZE_MAX is 0x0010000000000000 then even if both ptr and size
> + * are TASK_SIZE_MAX we are still inside the memory gap. So make it simple.
> + */
> +static __always_inline int __access_ok(const void __user *ptr, unsigned long size)
> +{
> +	unsigned long addr = (unsigned long)ptr;
> +
> +	if (IS_ENABLED(CONFIG_PPC64)) {
> +		BUILD_BUG_ON(!is_power_of_2(TASK_SIZE_MAX));
> +		BUILD_BUG_ON(TASK_SIZE_MAX > 0x0010000000000000);
> +
> +		if (__builtin_constant_p(size))
> +			return size <= TASK_SIZE_MAX && !(addr & ~(TASK_SIZE_MAX - 1));
> +		else
> +			return !((size | addr) & ~(TASK_SIZE_MAX - 1));

The compiler may know an upper bound for 'size' even when it isn't a constant.
It might be 32bit or from 'size = is_compat_foo ? 16 : 24', so:
		if (statically_true(size < TASK_SIZE_MAX)
			return !(addr & ~(TASK_SIZE_MAX - 1);
		return !((size | addr) & ~(TASK_SIZE_MAX - 1));

> +	} else {
> +		if (__builtin_constant_p(size) && size < SZ_128K)

Again the compiler may know an upper bound even if the value isn't constant:
		if (statically_true(size < SZ_128K)

	David

> +			return addr < TASK_SIZE;
> +		else
> +			return size <= TASK_SIZE && addr <= TASK_SIZE - size);
> +	}
> +}
> +
>  /*
>   * These are the main single-value transfer routines.  They automatically
>   * use the right size if we just have the right pointer type.