From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from mail-pl1-f169.google.com (mail-pl1-f169.google.com [209.85.214.169])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id EDD431D5CCF
	for <linux-kernel@vger.kernel.org>; Fri, 17 Jan 2025 23:21:24 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.169
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1737156087; cv=none; b=kg+nuhFSAlLN7mYQZYeljTOYCGEezOJONH0t2gZt+Doje3FUrlat4lFeakwS6Gl+zbkFoFgn39yRNsloTg/h0w3R7Q0zw0x9Jh6xX8UxFTXtnt8hpmJDI/JN3z/KudxFKeH2eYHQJ5677/7nz49+M7rVMcncJy8yjxK+DBH5PMs=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1737156087; c=relaxed/simple;
	bh=sXclVRywXY8pxnnBB+pAEyvnXpF11kY3Bn/yQ/t2RgM=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=Dhv7U4VWAdQe61WkQkJTdByBbRFO+PakuoRrpWZL2bo4Jw/7gJYR60Xpt7kzej1ObB3gjOlwIlr61wPNEcByT5K2lb39aiqL6cmFHWcqYzN0cYHuDy0+m0Er7LNbkbmgbiTUDlEgoN++bvj5SejxMHSZVM+0Fc4yHzcy1bJNonc=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=rivosinc.com; spf=pass smtp.mailfrom=rivosinc.com; dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com header.i=@rivosinc-com.20230601.gappssmtp.com header.b=KwhZFOjH; arc=none smtp.client-ip=209.85.214.169
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=rivosinc.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=rivosinc.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=rivosinc-com.20230601.gappssmtp.com header.i=@rivosinc-com.20230601.gappssmtp.com header.b="KwhZFOjH"
Received: by mail-pl1-f169.google.com with SMTP id d9443c01a7336-216634dd574so33035945ad.2
        for <linux-kernel@vger.kernel.org>; Fri, 17 Jan 2025 15:21:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=rivosinc-com.20230601.gappssmtp.com; s=20230601; t=1737156084; x=1737760884; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=A2KDSSjMPoe6KhHmCqTxDB5hjW9EhX35hsDpyUvTOnM=;
        b=KwhZFOjHcDAH0aG1sc3+VjYXDyklwurXdRUaDKAWQeAz7PgR0wACL79SRakZDJq97X
         B3RPo5I9bxfurMML1WV1+yvkARrdyP6l+tQICcgb+EiYc2JqzTqrK27CZZuALSjMdmE0
         kkYWNdjeNlQD5uZFbMLc/Ff6/5zIyWNeN+STr1i8orgurlCmcq05yGHT69saiKF5I+wy
         rlc9wB7IRuhNzRicg446CI3Ux04ESF2r13zTP/pvK3svAf5LMzBQ9q9Z0jtwaR2sJULP
         X6o79x7ZV29qaQWVW+/IbkxEhXt8KUmRdJX+L5skcdmORcYrXXkbQ4hjIonjtDIeU6KL
         oudA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1737156084; x=1737760884;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=A2KDSSjMPoe6KhHmCqTxDB5hjW9EhX35hsDpyUvTOnM=;
        b=w+gGWxi2TXIvQpfGGu8Rd90ZqxSMQtaXcf5CIJQ4yjlUyoB6mDbFUf8QDmUfsJ4Mih
         kUXzky1AtgBv15UMdCYLm2i83ABlnvEdLkq5T+ua/vQBwPtUsMPbIheiYwSOgtLofVcI
         kI+CVQbEs1EMcS261mghxQD3sRboNTLQBkPbJZZv8Xdn/IYiJG0FNQxodNuf6svWm5rW
         bPhb7ZnAUVhYh0SySE+DuNWj/n4Tf/zuuYcPYp7WJjp0SiE8x8Jg9Y5jMRkts1eX78BN
         Ys86kue6vjdaSDe479+ctx+yG7kVzRFAGZHlVLmeTRm8vlxPVxvzsFHIr/fcuGgyc7RT
         ar9w==
X-Forwarded-Encrypted: i=1; AJvYcCWMjrwK0egz6vis8b4x7e12dyC38+7zsGnPjvYZphvXyu+XbARYgMlYRFydel/GfnOPKhQnZgjLi9n1T5Q=@vger.kernel.org
X-Gm-Message-State: AOJu0Yy3vareSDxzmmKgkZh6WhrvpEF91ZKyzYOn3K1pBAGgB1iQhwqA
	71l0zUq6AfbCdZHhJfJUrL10vcwDUIB75hFhplATQHcYm4yWy1w9aIt2vZwt+nQ=
X-Gm-Gg: ASbGncsQ6sPu38aOGXAEd9V+r57+Nma1a1yu/Uf1uacurQK7y1YhM6seJVka1RdxP2c
	Sw9l7QzW95i9g8P02CFhFWVdbZPQdZD/+lE9LjSU+9/+g48WPYcWEo322IXhJ9ckpXrYhM+A4nb
	dmVkKQbSzhoOKjPq/M75Zb/TzexQ62Rqh64UsgaDyBw1vy9DMmJvTtwuZDcry0jlIPrh9XhhPiR
	B5iffH66YzWg8ZoxhCcoVZ5zXwublw9uf85+NMxi38/z22W/uDk00V8tukhY0RPtw==
X-Google-Smtp-Source: AGHT+IFFDclPSde28EVYoiFIZFZ3Ujco9A17f76zbeRAwHkYFdPC1xAWhkq2oVqSM/QEw4QVdzl5Xw==
X-Received: by 2002:a05:6a00:ad8a:b0:72d:8fa2:99ac with SMTP id d2e1a72fcca58-72daf975d73mr7162106b3a.13.1737156084118;
        Fri, 17 Jan 2025 15:21:24 -0800 (PST)
Received: from ghost ([2601:647:6700:64d0:d0ea:9b9e:5556:aa82])
        by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-72daba48951sm2450749b3a.121.2025.01.17.15.21.22
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 17 Jan 2025 15:21:23 -0800 (PST)
Date: Fri, 17 Jan 2025 15:21:20 -0800
From: Charlie Jenkins <charlie@rivosinc.com>
To: Cyril Bur <cyrilbur@tenstorrent.com>
Cc: palmer@dabbelt.com, aou@eecs.berkeley.edu, paul.walmsley@sifive.com,
	linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
	Jisheng Zhang <jszhang@kernel.org>
Subject: Re: [PATCH v2 1/4] riscv: implement user_access_begin and families
Message-ID: <Z4rl8BgoV8tygCn9@ghost>
References: <20241118230112.2872978-1-cyrilbur@tenstorrent.com>
 <20241118230112.2872978-2-cyrilbur@tenstorrent.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20241118230112.2872978-2-cyrilbur@tenstorrent.com>

On Mon, Nov 18, 2024 at 11:01:09PM +0000, Cyril Bur wrote:
> From: Jisheng Zhang <jszhang@kernel.org>
> 
> Currently, when a function like strncpy_from_user() is called,
> the userspace access protection is disabled and enabled
> for every word read.
> 
> By implementing user_access_begin and families, the protection
> is disabled at the beginning of the copy and enabled at the end.
> 
> The __inttype macro is borrowed from x86 implementation.
> 
> Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
> Signed-off-by: Cyril Bur <cyrilbur@tenstorrent.com>
> ---
>  arch/riscv/include/asm/uaccess.h | 63 ++++++++++++++++++++++++++++++++
>  1 file changed, 63 insertions(+)
> 
> diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h
> index 72ec1d9bd3f3..09d4ca37522c 100644
> --- a/arch/riscv/include/asm/uaccess.h
> +++ b/arch/riscv/include/asm/uaccess.h
> @@ -28,6 +28,19 @@
>  #define __disable_user_access()							\
>  	__asm__ __volatile__ ("csrc sstatus, %0" : : "r" (SR_SUM) : "memory")
>  
> +/*
> + * This is the smallest unsigned integer type that can fit a value
> + * (up to 'long long')
> + */
> +#define __inttype(x) __typeof__(		\
> +	__typefits(x,char,			\
> +	  __typefits(x,short,			\
> +	    __typefits(x,int,			\
> +	      __typefits(x,long,0ULL)))))
> +
> +#define __typefits(x,type,not) \
> +	__builtin_choose_expr(sizeof(x)<=sizeof(type),(unsigned type)0,not)
> +
>  /*
>   * The exception table consists of pairs of addresses: the first is the
>   * address of an instruction that is allowed to fault, and the second is
> @@ -335,6 +348,56 @@ do {									\
>  		goto err_label;						\
>  } while (0)
>  
> +static __must_check __always_inline bool user_access_begin(const void __user *ptr, size_t len)
> +{
> +	if (unlikely(!access_ok(ptr,len)))
> +		return 0;
> +	__enable_user_access();
> +	return 1;
> +}
> +#define user_access_begin(a,b)	user_access_begin(a,b)
> +#define user_access_end()	__disable_user_access();
> +
> +static inline unsigned long user_access_save(void) { return 0UL; }
> +static inline void user_access_restore(unsigned long enabled) { }
> +
> +#define unsafe_put_user(x, ptr, label)	do {				\
> +	long __kr_err = 0;						\
> +	__put_user_nocheck(x, (ptr), __kr_err);				\
> +	if (__kr_err) goto label;					\
> +} while (0)
> +
> +#define unsafe_get_user(x, ptr, label)	do {				\
> +	long __kr_err = 0;						\
> +	__inttype(*(ptr)) __gu_val;					\
> +	__get_user_nocheck(__gu_val, (ptr), __kr_err);			\
> +	(x) = (__force __typeof__(*(ptr)))__gu_val;			\
> +	if (__kr_err) goto label;					\
> +} while (0)
> +
> +/*
> + * We want the unsafe accessors to always be inlined and use
> + * the error labels - thus the macro games.
> + */
> +#define unsafe_copy_loop(dst, src, len, type, label)				\
> +	while (len >= sizeof(type)) {						\
> +		unsafe_put_user(*(type *)(src),(type __user *)(dst),label);	\
> +		dst += sizeof(type);						\
> +		src += sizeof(type);						\
> +		len -= sizeof(type);						\
> +	}
> +
> +#define unsafe_copy_to_user(_dst,_src,_len,label)			\
> +do {									\
> +	char __user *__ucu_dst = (_dst);				\
> +	const char *__ucu_src = (_src);					\
> +	size_t __ucu_len = (_len);					\
> +	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u64, label);	\
> +	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u32, label);	\
> +	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u16, label);	\
> +	unsafe_copy_loop(__ucu_dst, __ucu_src, __ucu_len, u8, label);	\
> +} while (0)

Since a handful of these functions are duplicated across x86/arm64 it
would be nice to consolidate them to a shared header. That would
probably require quite a bit more work though so not in scope for this
patch.

Reviewed-by: Charlie Jenkins <charlie@rivosinc.com>
Tested-by: Charlie Jenkins <charlie@rivosinc.com>