From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out30-132.freemail.mail.aliyun.com (out30-132.freemail.mail.aliyun.com [115.124.30.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5146F284690 for ; Fri, 10 Apr 2026 12:26:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=115.124.30.132 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775823978; cv=none; b=kE9N9hBvYs0sq5ijMTe2YWHGKc0XHiB8LLiHQ/ssTv5QcwMrI7vN7kLaZ4lK9ZyaALJO+l7QV9K9ML451mHFD54fvJ9tvFZiUs9xVRJUOpQLMw138IhUS8hYLY3WyMFR27l10vm6Wx471TNoDGFTcKjfqhHdi+Rzekg3e65fQz0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775823978; c=relaxed/simple; bh=bCa5wX4iDnPUR7ZmMSa+8ljWvNsVKeQNn/GNJP9sEOM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Y6PdMEQGTYWbeqjqayz9tkHVW+bJUTqKt22A2m4uqCacCF5DH+KpxpjsmCvhrrCSweSjNClmge9cuLCJh+1nWvhY3NO/+f6psBQTeV6Pvnl/r6AP7VBLo/sfw0yX9tX8dsSHffGKUWiYHCQ1mbsX6K/H/sYIaBzAIveAORjwZGU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com; spf=pass smtp.mailfrom=linux.alibaba.com; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b=FRSAfZS7; arc=none smtp.client-ip=115.124.30.132 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.alibaba.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.alibaba.com header.i=@linux.alibaba.com header.b="FRSAfZS7" DKIM-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.alibaba.com; s=default; t=1775823973; h=From:To:Subject:Date:Message-ID:MIME-Version; bh=QDctR1Ti50dosVtQ0PuV1rV0QHHowo/QoSB6MQcgpPg=; b=FRSAfZS7Pudk8Xz7FGOAZB3x73P2+yADhXHD8APR+60e5KmMTT6WC98qsOu+3jWkbHEdlr4iw4unTqlt7De5DEXluGTmmVQ1SYiJzorTsjjk5xq82a/TOAvRx9rBNKEK1p9H6ZgS+/TfykK1hCZ4iq9P0RDyhXE2jhrEXl815Ys= X-Alimail-AntiSpam:AC=PASS;BC=-1|-1;BR=01201311R151e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=maildocker-contentspam033032089153;MF=cp0613@linux.alibaba.com;NM=1;PH=DS;RN=8;SR=0;TI=SMTPD_---0X0lH0Dz_1775823968; Received: from DESKTOP-S9E58SO.localdomain(mailfrom:cp0613@linux.alibaba.com fp:SMTPD_---0X0lH0Dz_1775823968 cluster:ay36) by smtp.aliyun-inc.com; Fri, 10 Apr 2026 20:26:12 +0800 From: cp0613@linux.alibaba.com To: wangruikang@iscas.ac.cn Cc: pjw@kernel.org, alex@ghiti.fr, cleger@rivosinc.com, alexghiti@rivosinc.com, guoren@kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] riscv: mm: Implement arch_within_stack_frames() for HARDENED_USERCOPY Date: Fri, 10 Apr 2026 20:26:07 +0800 Message-ID: <20260410122607.118282-1-cp0613@linux.alibaba.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Hi Vivian, Thank you very much for your review and suggestions. On Fri, 10 Apr 2026 15:25:54 +0800, wangruikang@iscas.ac.cn wrote: > On 4/10/26 09:50, cp0613@linux.alibaba.com wrote: > > From: Chen Pei > > > > Implement arch_within_stack_frames() to enable precise per-frame stack > > object validation for CONFIG_HARDENED_USERCOPY on RISC-V. > > > > == Background == > > > > [...] > > > > Signed-off-by: Chen Pei > > Patch message is probably too long. You can put additional information > like testing under a --- line to cut those out of the eventual actual > commit message. > > Make sure that Signed-off-by is above the cut if you do that. Okay, that's really helpful advice, I've learned a lot. > > --- > > arch/riscv/Kconfig | 1 + > > arch/riscv/include/asm/thread_info.h | 66 ++++++++++++++++++++++++++++ > > 2 files changed, 67 insertions(+) > > > > diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig > > index 6fe90591a274..4f765ff608d9 100644 > > --- a/arch/riscv/Kconfig > > +++ b/arch/riscv/Kconfig > > @@ -150,6 +150,7 @@ config RISCV > > select HAVE_ARCH_USERFAULTFD_MINOR if 64BIT && USERFAULTFD > > select HAVE_ARCH_USERFAULTFD_WP if 64BIT && MMU && USERFAULTFD && RISCV_ISA_SVRSW60T59B > > select HAVE_ARCH_VMAP_STACK if MMU && 64BIT > > + select HAVE_ARCH_WITHIN_STACK_FRAMES > > select HAVE_ASM_MODVERSIONS > > select HAVE_BUILDTIME_MCOUNT_SORT > > select HAVE_CONTEXT_TRACKING_USER > > diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h > > index 36918c9200c9..616a41eb7416 100644 > > --- a/arch/riscv/include/asm/thread_info.h > > +++ b/arch/riscv/include/asm/thread_info.h > > @@ -101,6 +101,72 @@ struct thread_info { > > void arch_release_task_struct(struct task_struct *tsk); > > int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src); > > > > +#ifdef CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES > > Not needed since you've selected it above. Okay, it seems that it's indeed not necessary. > > +/* > > + * RISC-V stack frame layout (with frame pointer enabled): > > + * > > + * high addr > > + * +------------------+ <--- fp (s0) points here > > + * | saved ra | fp - 8 (return address) > > + * | saved fp | fp - 16 (previous frame pointer) > fp - 2*sizeof(void*) probably, to account for RV32? Yes, You are right. The implementation already uses 2 * sizeof(void *) to be RV32-compatible. However, the comments still hardcode. I'll update the comments to use fp - 2*sizeof(void*) to be architecture-neutral. > > + * +------------------+ > > + * | local vars | > > + * | arguments | > > + * +------------------+ <--- sp > > + * low addr > > + * > > + * The struct stackframe { fp, ra } lives at (fp - sizeof(stackframe)), > > + * i.e. fp[-2]=saved_fp and fp[-1]=saved_ra. > > + * > > Maybe link to the authoritative source: > > https://github.com/riscv-non-isa/riscv-elf-psabi-doc/blob/master/riscv-cc.adoc#frame-pointer-convention Okay, I will add this link. > > + * For usercopy safety, we allow copies within [prev_fp, fp - 2*sizeof(void*)) > > + * for each frame in the chain, where prev_fp is the fp of the previous > > + * (lower) frame. This covers local variables and arguments but excludes > > + * the saved ra/fp slots at the top of the frame. > > + * > > + * We walk the frame chain starting from __builtin_frame_address(0) (the > > + * current frame), with prev_fp initialized to current_stack_pointer. > > + * Using current_stack_pointer -- rather than the 'stack' argument (which is > > + * the thread's entire stack base) -- ensures that objects in already-returned > > + * frames (address below current sp) are correctly detected as BAD_STACK, > > + * because no live frame in the chain will claim that region. > > + */ > > +__no_kmsan_checks > > +static inline int arch_within_stack_frames(const void * const stack, > > + const void * const stackend, > > + const void *obj, unsigned long len) > > +{ > > +#if defined(CONFIG_FRAME_POINTER) > > + const void *fp = (const void *)__builtin_frame_address(0); > > + const void *prev_fp = (const void *)current_stack_pointer; > > + > > + /* > > + * Walk the frame chain. Each iteration checks whether [obj, obj+len) > > + * falls within the local-variable area of the current frame: > > + * > > + * [prev_fp, fp - 2*sizeof(void*)) > > + * > > + * i.e. from the base of this frame (sp of this frame, which equals > > + * the fp of the frame below) up to (but not including) the saved > > + * fp/ra area at the top of this frame. > > + */ > > + while (stack <= fp && fp < stackend) { > > Since we access fp - 2 * sizeof(void *) below, this probably should be > something like this: > > while (stack + 2 * sizeof(void *) <= fp && fp < stackend) { > > (Possibly with some casts added.) Thank you for pointing it out; I hadn't considered the potential for boundary violations here. > > + const void *frame_vars_end = (const char *)fp - 2 * sizeof(void *); > > + > > + if (obj + len <= frame_vars_end) { > > + if (obj >= prev_fp) > > + return GOOD_FRAME; > > + return BAD_STACK; > > + } > > + prev_fp = fp; > > + fp = *(const void * const *)((const char *)fp - 2 * sizeof(void *)); > > Maybe: fp = *(const void * const *)frame_vars_end; Yes, direct reuse. > > + } > > + return BAD_STACK; > > +#else > > + return NOT_STACK; > > +#endif > > +} > > +#endif /* CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES */ > > + > > #endif /* !__ASSEMBLER__ */ > > > > /* > Thanks, > Vivian "dramforever" Wang Thanks, Pei