From: Mark Rutland <mark.rutland@arm.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Arnd Bergmann <arnd@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Christoph Hellwig <hch@lst.de>,
	linux-arch <linux-arch@vger.kernel.org>,
	Linux Memory Management List <linux-mm@kvack.org>,
	Linux API <linux-api@vger.kernel.org>,
	Arnd Bergmann <arnd@arndb.de>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Russell King <linux@armlinux.org.uk>,
	Will Deacon <will@kernel.org>, Guo Ren <guoren@kernel.org>,
	Brian Cain <bcain@codeaurora.org>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	Michal Simek <monstr@monstr.eu>,
	Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
	Nick Hu <nickhu@andestech.com>, Greentime Hu <green.hu@gmail.com>,
	Dinh Nguyen <dinguyen@kernel.org>,
	Stafford Horne <shorne@gmail.com>, Helge Deller <deller@gmx.de>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Heiko Carstens <hca@linux.ibm.com>, Rich Felker <dalias@libc.org>,
	"David S. Miller" <davem@davemloft.net>,
	Richard Weinberger <richard@nod.at>, X86 ML <x86@kernel.org>,
	Max Filippov <jcmvbkbc@gmail.com>,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	alpha <linux-alpha@vger.kernel.org>,
	"open list:SYNOPSYS ARC ARCHITECTURE" 
	<linux-snps-arc@lists.infradead.org>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>,
	linux-csky@vger.kernel.org,
	"open list:QUALCOMM HEXAGON..." <linux-hexagon@vger.kernel.org>,
	linux-ia64@vger.kernel.org,
	linux-m68k <linux-m68k@lists.linux-m68k.org>,
	"open list:MIPS" <linux-mips@vger.kernel.org>,
	Openrisc <openrisc@lists.librecores.org>,
	"open list:PARISC ARCHITECTURE" <linux-parisc@vger.kernel.org>,
	"open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)" 
	<linuxppc-dev@lists.ozlabs.org>,
	linux-riscv <linux-riscv@lists.infradead.org>,
	"open list:S390" <linux-s390@vger.kernel.org>,
	Linux-sh list <linux-sh@vger.kernel.org>,
	"open list:SPARC + UltraSPARC (sparc/sparc64)" 
	<sparclinux@vger.kernel.org>,
	linux-um <linux-um@lists.infradead.org>,
	"open list:TENSILICA XTENSA PORT (xtensa)" 
	<linux-xtensa@linux-xtensa.org>,
	Robin Murphy <robin.murphy@arm.com>
Subject: Re: [PATCH 08/14] arm64: simplify access_ok()
Date: Tue, 15 Feb 2022 10:37:15 +0000
Message-ID: <YguB5BeLoRc4dL7P@FVFF77S0Q05N>
In-Reply-To: <CAMj1kXGkG0KMD2rnKAJc3V7X9LP1grbcHTNYMnj_q4GiYfG2pQ@mail.gmail.com>

On Tue, Feb 15, 2022 at 10:21:16AM +0100, Ard Biesheuvel wrote:
> On Tue, 15 Feb 2022 at 10:13, Arnd Bergmann <arnd@kernel.org> wrote:
> >
> > On Tue, Feb 15, 2022 at 9:17 AM Ard Biesheuvel <ardb@kernel.org> wrote:
> > > On Mon, 14 Feb 2022 at 17:37, Arnd Bergmann <arnd@kernel.org> wrote:
> > > > From: Arnd Bergmann <arnd@arndb.de>
> > > >
> > >
> > > With set_fs() out of the picture, wouldn't it be sufficient to check
> > > that bit #55 is clear? (the bit that selects between TTBR0 and TTBR1)
> > > That would also remove the need to strip the tag from the address.
> > >
> > > Something like
> > >
> > >     asm goto("tbnz  %0, #55, %2     \n"
> > >              "tbnz  %1, #55, %2     \n"
> > >              :: "r"(addr), "r"(addr + size - 1) :: notok);
> > >     return 1;
> > > notok:
> > >     return 0;
> > >
> > > with an additional sanity check on the size which the compiler could
> > > eliminate for compile-time constant values.
> >
> > That should work, but I don't see it as a clear enough advantage to
> > have a custom implementation. For the constant-size case, it probably
> > isn't better than a compiler-scheduled comparison against a
> > constant limit, but it does hurt maintainability when the next person
> > wants to change the behavior of access_ok() globally.
> >
> 
> arm64 also has this leading up to the range check, and I think we'd no
> longer need it:
> 
>     if (IS_ENABLED(CONFIG_ARM64_TAGGED_ADDR_ABI) &&
>         (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR)))
>             addr = untagged_addr(addr);
> 

ABI-wise, we aim to *reject* tagged pointers unless the task is using the
tagged addr ABI, so we need to retain both the untagging logic and the full
pointer check (to actually check the tag bits) unless we relax that ABI
decision generally (or go context-switch the TCR_EL1.TBI* bits).

Since that has subtle ABI implications, I don't think we should change that
within this series.

If we *did* relax things, we could just check bit 55 here, and unconditionally
clear that in uaccess_mask_ptr(), since LDTR/STTR should fault on kernel memory.
On parts with meltdown those might not fault until committed, and so we need
masking to avoid speculative access to a kernel pointer, and that requires the
prior explicit check.

Thanks,
Mark.
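
The ABI difference discussed in this message, as an added user-space model (not code from this thread or from the kernel): a full-pointer check rejects a tagged pointer from a task that has not opted in to the tagged address ABI, while a bit-55-only check accepts it. The `model_*` names, the 48-bit limit, the size sanity check and the sample addresses are assumptions made for illustration; the PF_KTHREAD case from the quoted snippet is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model values, not kernel definitions. */
#define MODEL_LIMIT (1ULL << 48)      /* assumed 48-bit user VA space */
#define BIT55       (1ULL << 55)      /* selects TTBR0 (0) vs TTBR1 (1) */
#define TAG_MASK    (0xffULL << 56)   /* top byte, ignored by hardware under TBI */

/* Clear the tag byte of a user (bit 55 clear) pointer; leave others alone. */
static uint64_t model_untag(uint64_t addr)
{
    return (addr & BIT55) ? addr : (addr & ~TAG_MASK);
}

/* Full check: untag only for tasks that opted in, then compare every bit. */
static bool model_access_ok_full(uint64_t addr, uint64_t size, bool tagged_abi)
{
    if (tagged_abi)
        addr = model_untag(addr);
    /* Overflow-safe form of "addr + size <= limit". */
    return size <= MODEL_LIMIT && addr <= MODEL_LIMIT - size;
}

/* Relaxed check: look only at bit 55 of the first and last byte. */
static bool model_access_ok_bit55(uint64_t addr, uint64_t size)
{
    uint64_t last = size ? addr + size - 1 : addr;

    if (size > MODEL_LIMIT)           /* assumed size sanity check */
        return false;
    return !(addr & BIT55) && !(last & BIT55);
}

int main(void)
{
    /* Constructed sample pointers. */
    const uint64_t plain  = 0x00007fff00001000ULL;
    const uint64_t tagged = 0x2a007fff00001000ULL;  /* same address, tag 0x2a */
    const uint64_t kernel = 0xffff800000001000ULL;

    printf("full, not opted in: %d %d %d\n", model_access_ok_full(plain, 16, false),
           model_access_ok_full(tagged, 16, false), model_access_ok_full(kernel, 16, false));
    printf("full, opted in:     %d %d %d\n", model_access_ok_full(plain, 16, true),
           model_access_ok_full(tagged, 16, true), model_access_ok_full(kernel, 16, true));
    printf("bit 55 only:        %d %d %d\n", model_access_ok_bit55(plain, 16),
           model_access_ok_bit55(tagged, 16), model_access_ok_bit55(kernel, 16));
    return 0;
}
```

Only the tagged pointer from a task that has not opted in changes outcome between the two checks, which is the ABI change the message says does not belong in this series.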
