Date: Tue, 15 Feb 2022 11:24:26 +0000
From: Mark Rutland
To: David Laight
Cc: 'Ard Biesheuvel', Arnd Bergmann, Rich Felker,
	"linux-ia64@vger.kernel.org", "linux-sh@vger.kernel.org",
	Peter Zijlstra, "open list:MIPS", Linux Memory Management List,
	Guo Ren, "open list:SPARC + UltraSPARC (sparc/sparc64)",
	"linux-hexagon@vger.kernel.org", linux-riscv, Will Deacon,
	Christoph Hellwig, linux-arch, "open list:S390", Brian Cain,
	Helge Deller, X86 ML, Russell King, "linux-csky@vger.kernel.org",
	Ingo Molnar, Geert Uytterhoeven,
	"linux-snps-arc@lists.infradead.org", Robin Murphy,
	"open list:TENSILICA XTENSA PORT (xtensa)", Arnd Bergmann,
	Heiko Carstens, alpha, linux-um,
	"open list:LINUX FOR POWERPC (32-BIT AND 64-BIT)", linux-m68k,
	"openrisc@lists.librecores.org", Greentime Hu, Stafford Horne,
	Linux ARM, "monstr@monstr.eu", Thomas Bogendoerfer,
	"open list:PARISC ARCHITECTURE", Nick Hu, Max Filippov,
	"linux-api@vger.kernel.org", Linux Kernel Mailing List,
	"dinguyen@kernel.org", "Eric W. Biederman", Richard Weinberger,
	Andrew Morton, Linus Torvalds, "David S. Miller"
Subject: Re: [PATCH 08/14] arm64: simplify access_ok()
References: <20220214163452.1568807-1-arnd@kernel.org>
	<20220214163452.1568807-9-arnd@kernel.org>
	<153bb1887f484ed79ce8224845a4b2ea@AcuMS.aculab.com>
In-Reply-To: <153bb1887f484ed79ce8224845a4b2ea@AcuMS.aculab.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 15, 2022 at 09:30:41AM +0000, David Laight wrote:
> From: Ard Biesheuvel
> > Sent: 15 February 2022 08:18
> >
> > On Mon, 14 Feb 2022 at 17:37, Arnd Bergmann wrote:
> > >
> > > From: Arnd Bergmann
> > >
> > > arm64 has an inline asm implementation of access_ok() that is derived from
> > > the 32-bit arm version and optimized for the case that both the limit and
> > > the size are variable. With set_fs() gone, the limit is always constant,
> > > and the size usually is as well, so just using the default implementation
> > > reduces the check into a comparison against a constant that can be
> > > scheduled by the compiler.
> > >
> > > On a defconfig build, this saves over 28KB of .text.
> > >
> > > Signed-off-by: Arnd Bergmann
> > > ---
> > >  arch/arm64/include/asm/uaccess.h | 28 +++++-----------------------
> > >  1 file changed, 5 insertions(+), 23 deletions(-)
> > >
> > > diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> > > index 357f7bd9c981..e8dce0cc5eaa 100644
> > > --- a/arch/arm64/include/asm/uaccess.h
> > > +++ b/arch/arm64/include/asm/uaccess.h
> > > @@ -26,6 +26,8 @@
> > >  #include
> > >  #include
> > >
> > > +static inline int __access_ok(const void __user *ptr, unsigned long size);
> > > +
> > >  /*
> > >   * Test whether a block of memory is a valid user space address.
> > >   * Returns 1 if the range is valid, 0 otherwise.
> > > @@ -33,10 +35,8 @@
> > >   * This is equivalent to the following test:
> > >   * (u65)addr + (u65)size <= (u65)TASK_SIZE_MAX
> > >   */
> > > -static inline unsigned long __access_ok(const void __user *addr, unsigned long size)
> > > +static inline int access_ok(const void __user *addr, unsigned long size)
> > >  {
> > > -	unsigned long ret, limit = TASK_SIZE_MAX - 1;
> > > -
> > >  	/*
> > >  	 * Asynchronous I/O running in a kernel thread does not have the
> > >  	 * TIF_TAGGED_ADDR flag of the process owning the mm, so always untag
> > > @@ -46,27 +46,9 @@ static inline unsigned long __access_ok(const void __user *addr, unsigned long s
> > >  	    (current->flags & PF_KTHREAD || test_thread_flag(TIF_TAGGED_ADDR)))
> > >  		addr = untagged_addr(addr);
> > >
> > > -	__chk_user_ptr(addr);
> > > -	asm volatile(
> > > -	// A + B <= C + 1 for all A,B,C, in four easy steps:
> > > -	// 1: X = A + B; X' = X % 2^64
> > > -	" adds %0, %3, %2\n"
> > > -	// 2: Set C = 0 if X > 2^64, to guarantee X' > C in step 4
> > > -	" csel %1, xzr, %1, hi\n"
> > > -	// 3: Set X' = ~0 if X >= 2^64. For X == 2^64, this decrements X'
> > > -	//    to compensate for the carry flag being set in step 4. For
> > > -	//    X > 2^64, X' merely has to remain nonzero, which it does.
> > > -	" csinv %0, %0, xzr, cc\n"
> > > -	// 4: For X < 2^64, this gives us X' - C - 1 <= 0, where the -1
> > > -	//    comes from the carry in being clear. Otherwise, we are
> > > -	//    testing X' - C == 0, subject to the previous adjustments.
> > > -	" sbcs xzr, %0, %1\n"
> > > -	" cset %0, ls\n"
> > > -	: "=&r" (ret), "+r" (limit) : "Ir" (size), "0" (addr) : "cc");
> > > -
> > > -	return ret;
> > > +	return likely(__access_ok(addr, size));
> > >  }
> > > -#define __access_ok __access_ok
> > > +#define access_ok access_ok
> > >
> > >  #include
> > >
> > > --
> > > 2.29.2
> > >
> >
> > With set_fs() out of the picture, wouldn't it be sufficient to check
> > that bit #55 is clear? (the bit that selects between TTBR0 and TTBR1)
> > That would also remove the need to strip the tag from the address.
> >
> > Something like
> >
> >     asm goto("tbnz %0, #55, %2 \n"
> >              "tbnz %1, #55, %2 \n"
> >              :: "r"(addr), "r"(addr + size - 1) :: notok);
> >     return 1;
> > notok:
> >     return 0;
> >
> > with an additional sanity check on the size which the compiler could
> > eliminate for compile-time constant values.
>
> Is there are reason not to just use:
>	size < 1u << 48 && !((addr | (addr + size - 1)) & 1u << 55)

That has a few problems, including being an ABI change for tasks not using the
relaxed tag ABI and not working for 52-bit VAs.

If we really want to relax the tag checking aspect, there are simpler options,
including variations on Ard's approach above.

> Ugg, is arm64 addressing as horrid as it looks - with the 'kernel'
> bit in the middle of the virtual address space?

It's just sign-extension/canonical addressing, except bits [63:56] are
configurable between a few uses, so the architecture says bit 55 is the one to
look at in all configurations to figure out if an address is high/low (in
addition to checking the remaining bits are canonical).

Thanks,
Mark.
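
For readers following the thread, the "(u65)addr + (u65)size <=
(u65)TASK_SIZE_MAX" test quoted in the patch and the bit 55 rule described
above can be sketched in plain userspace C. This is only an illustration under
stated assumptions, not the kernel implementation: EXAMPLE_TASK_SIZE_MAX (fixed
here at 2^48), example_range_ok(), example_is_high_half() and
example_self_check() are hypothetical names, and the sketch deliberately skips
tag stripping and the check that the remaining bits are canonical.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>

/*
 * Hypothetical limit for illustration only: a 48-bit user address space.
 * The real TASK_SIZE_MAX depends on the kernel configuration.
 */
#define EXAMPLE_TASK_SIZE_MAX (UINT64_C(1) << 48)

/*
 * Overflow-free form of "addr + size <= limit" (the u65 comparison).
 * Rearranged so that no intermediate value can wrap around 2^64.
 */
static inline bool example_range_ok(uint64_t addr, uint64_t size)
{
	return size <= EXAMPLE_TASK_SIZE_MAX &&
	       addr <= EXAMPLE_TASK_SIZE_MAX - size;
}

/*
 * Bit 55 tells high (kernel half) from low (user half) addresses,
 * whatever bits [63:56] are being used for. This does not check that
 * the remaining bits are canonical.
 */
static inline bool example_is_high_half(uint64_t addr)
{
	return (addr >> 55) & 1;
}

/* Small usage example exercising the edge cases. */
static inline void example_self_check(void)
{
	const uint64_t limit = EXAMPLE_TASK_SIZE_MAX;

	assert(example_range_ok(0x1000, 0x1000));
	assert(example_range_ok(limit - 0x1000, 0x1000));   /* ends exactly at the limit */
	assert(!example_range_ok(limit - 0x1000, 0x1001));  /* one byte past the limit */
	assert(!example_range_ok(UINT64_MAX, 2));           /* naive addr + size would wrap */

	assert(example_is_high_half(UINT64_C(0xffff000000000000)));
	assert(!example_is_high_half(UINT64_C(0x0000ffffffffffff)));
}
```

Because the limit is a compile-time constant, a compiler can fold the
comparison when size is constant too, which is the effect the patch
description relies on.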