Date: Sat, 27 Dec 2025 16:41:36 -0800
From: Deepak Gupta
To: Lukas Gerlach
Cc: linux-riscv@lists.infradead.org, palmer@dabbelt.com, pjw@kernel.org, aou@eecs.berkeley.edu, alex@ghiti.fr, linux-kernel@vger.kernel.org, daniel.weber@cispa.de, michael.schwarz@cispa.de, marton.bognar@kuleuven.be, jo.vanbulck@kuleuven.be
Subject: Re: [PATCH 1/2] riscv: Use pointer masking to limit uaccess speculation
In-Reply-To: <20251227125703.80908-1-lukas.gerlach@cispa.de>

On Sat, Dec 27, 2025 at 01:57:03PM +0100, Lukas Gerlach wrote:
>Thanks for the review. You're right - we should only clear the sign bit
>(b38/b47/b56 depending on mode), not b63. Clearing upper bits would
>interfere with pointer masking.
>
>Here's a fix that computes the sign bit position arithmetically to avoid
>branches, this ensures the mitigation cannot be bypassed under speculation.
>This is basically the VA_BITS macro but computed in a branch-free way.
>
>In arch/riscv/include/asm/uaccess.h:
>
>  #define UACCESS_SIGN_BIT \
>      (VA_BITS_SV39 - 1 + 9*((unsigned long)pgtable_l4_enabled) + \
>       9*((unsigned long)pgtable_l5_enabled))
>
>  #define uaccess_mask_ptr(ptr) ((__typeof__(ptr))__uaccess_mask_ptr(ptr))
>  static inline void __user *__uaccess_mask_ptr(const void __user *ptr)
>  {
>      return (void __user *)((unsigned long)ptr & ~BIT_ULL(UACCESS_SIGN_BIT));
>  }
>
>This evaluates to bit 38 for Sv39, bit 47 for Sv48, and bit 56 for Sv57.

Looks good to me. Although, I am concerned about maintainability and bit-rotting.
I would suggest fixing the VA_BITS definition instead of defining a new macro here.
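
Added example, not part of the thread or of the kernel patch: a user-space C model of the quoted masking that checks the sign-bit index per paging mode and compares clearing the mode's sign bit with clearing b63 on a tagged pointer. The globals, `set_mode()`, `sign_bit_branchy()`, `mask_b63()` and the sample addresses are assumptions constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VA_BITS_SV39 39

/* Stand-ins for the kernel's paging-mode flags (assumption: plain globals). */
static bool pgtable_l4_enabled, pgtable_l5_enabled;

/* levels = 3 (Sv39), 4 (Sv48) or 5 (Sv57); the model sets both flags for Sv57. */
static void set_mode(int levels)
{
    pgtable_l4_enabled = levels >= 4;
    pgtable_l5_enabled = levels >= 5;
}

/* Same arithmetic as the quoted UACCESS_SIGN_BIT: no conditional select. */
static unsigned sign_bit(void)
{
    return VA_BITS_SV39 - 1 + 9 * (unsigned)pgtable_l4_enabled
                            + 9 * (unsigned)pgtable_l5_enabled;
}

/* Conditional reference form (hypothetical, for comparison only). */
static unsigned sign_bit_branchy(void)
{
    return (pgtable_l5_enabled ? 57 : pgtable_l4_enabled ? 48 : VA_BITS_SV39) - 1;
}

/* Clear only the mode's sign bit, as the quoted __uaccess_mask_ptr does. */
static uint64_t mask_ptr(uint64_t addr) { return addr & ~(UINT64_C(1) << sign_bit()); }
/* Clearing b63 instead alters the upper bits that pointer masking uses. */
static uint64_t mask_b63(uint64_t addr) { return addr & ~(UINT64_C(1) << 63); }

int main(void)
{
    const uint64_t tagged_user = UINT64_C(0xAA00000012345000); /* constructed */
    const uint64_t kernel_sv39 = UINT64_C(0xFFFFFFC000000000); /* constructed */
    for (int levels = 3; levels <= 5; levels++) {
        set_mode(levels);
        printf("levels=%d sign bit=%u (reference %u)\n", levels, sign_bit(), sign_bit_branchy());
    }
    set_mode(3);
    printf("tagged user: %#" PRIx64 " -> %#" PRIx64 " (b63 variant %#" PRIx64 ")\n",
           tagged_user, mask_ptr(tagged_user), mask_b63(tagged_user));
    printf("kernel:      %#" PRIx64 " -> %#" PRIx64 "\n", kernel_sv39, mask_ptr(kernel_sv39));
    return 0;
}
```

The arithmetic form agrees with the conditional form only while the Sv57 configuration sets both flags; with the l5 flag alone it yields bit 47, not bit 56.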