From: Deepak Gupta <debug@rivosinc.com>
To: Lukas Gerlach <lukas.gerlach@cispa.de>
Cc: linux-riscv@lists.infradead.org, palmer@dabbelt.com,
pjw@kernel.org, aou@eecs.berkeley.edu, alex@ghiti.fr,
linux-kernel@vger.kernel.org, daniel.weber@cispa.de,
michael.schwarz@cispa.de, marton.bognar@kuleuven.be,
jo.vanbulck@kuleuven.be
Subject: Re: [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation
Date: Sat, 27 Dec 2025 16:41:36 -0800 [thread overview]
Message-ID: <aVB8wLSgmE7IRo7e@debug.ba.rivosinc.com> (raw)
In-Reply-To: <20251227125703.80908-1-lukas.gerlach@cispa.de>
On Sat, Dec 27, 2025 at 01:57:03PM +0100, Lukas Gerlach wrote:
>Thanks for the review. You're right - we should only clear the sign bit
>(b38/b47/b56 depending on mode), not b63. Clearing upper bits would
>interfere with pointer masking.
>
>Here's a fix that computes the sign bit position arithmetically to avoid
>branches, this ensures the mitigation cannot be bypassed under speculation.
>This is basically the VA_BITS macro but computed in a branch-free way.
>
>In arch/riscv/include/asm/uaccess.h:
>
> #define UACCESS_SIGN_BIT \
> (VA_BITS_SV39 - 1 + 9*((unsigned long)pgtable_l4_enabled) + \
> 9*((unsigned long)pgtable_l5_enabled))
>
> #define uaccess_mask_ptr(ptr) ((__typeof__(ptr))__uaccess_mask_ptr(ptr))
> static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
> {
> return (void __user *)((unsigned long)ptr & ~BIT_ULL(UACCESS_SIGN_BIT));
> }
>
>This evaluates to bit 38 for Sv39, bit 47 for Sv48, and bit 56 for Sv57.
looks good to me.
Although, I am concerned about maintainibility and bit-rotting.
I would suggest to fix VA_BITS definition instead of defining a new macro here.
next prev parent reply other threads:[~2025-12-28 0:41 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-18 19:13 [PATCH 0/2] riscv: Add Spectre v1 mitigations Lukas Gerlach
2025-12-18 19:13 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
2025-12-20 0:44 ` Deepak Gupta
2025-12-27 12:57 ` Lukas Gerlach
2025-12-28 0:41 ` Deepak Gupta [this message]
2025-12-27 21:28 ` David Laight
2025-12-28 1:59 ` Deepak Gupta
2025-12-28 22:34 ` David Laight
2025-12-29 12:32 ` David Laight
2025-12-31 3:47 ` Vivian Wang
2025-12-31 10:35 ` David Laight
2025-12-18 19:13 ` [PATCH 2/2] riscv: Sanitize syscall table indexing under speculation Lukas Gerlach
2025-12-31 3:01 ` Paul Walmsley
2025-12-31 3:31 ` [PATCH 0/2] riscv: Add Spectre v1 mitigations patchwork-bot+linux-riscv
2026-01-05 23:17 ` Paul Walmsley
2026-01-06 10:30 ` [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation Lukas Gerlach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aVB8wLSgmE7IRo7e@debug.ba.rivosinc.com \
--to=debug@rivosinc.com \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=daniel.weber@cispa.de \
--cc=jo.vanbulck@kuleuven.be \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=lukas.gerlach@cispa.de \
--cc=marton.bognar@kuleuven.be \
--cc=michael.schwarz@cispa.de \
--cc=palmer@dabbelt.com \
--cc=pjw@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox