Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1028785iob; Fri, 13 May 2022 20:13:55 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyIu9glecPJL1T6r8IbLN0TPIU1ZDP9BU6gHepRBx4VuPBZi3b/JUOvsCC7m8QplPWqmXwh X-Received: by 2002:a7b:c082:0:b0:394:3a45:bcc5 with SMTP id r2-20020a7bc082000000b003943a45bcc5mr17623440wmh.138.1652498034910; Fri, 13 May 2022 20:13:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652498034; cv=none; d=google.com; s=arc-20160816; b=PIRDEMoQ5nBOHhAodUw67Zc2N9M/gLGQ0sP8SrAGUCHcd3fDPUu+DRSzpz0NhS/IKY 0DNI+5UFK9Unf5VWWANsAF795m1U1tjmRJYhaGXqkcmlZ++37L/ypHAMPMerE8esvlOA +CyX536NWtf6VYfuVk8yMNha2ExH3K1LJz/Na+BRrLIysVFiNda4uzsmGJNAu+6AHmyB mVlS7CHlmgFVLRIuwvDNLfukEYs32NcOSBkOfcSOAExeacsuPa/lNGzeiOi442Hk4OCk 2x8ePq7lTotziRsTXV+h845NCVWA3/JF3+lkDnFboy6/wE4pE8j2iSvFM5kYvYsZGrJf unUA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=JlEV3K9yOT7uBM1miGaNujsDqkwcKpKywLjTwv4uzP8=; b=HSyPZjfF/qb+0XvQSHmVC2R5taI6w5QPg8uLvT0UyFOtk+MvT3FsehVeqCraJ7NoQg 25yAS6SBIztmQq/F/OYjAPloRKBZe7pYL3+ZSY7Cq5AiXxpFswxSoBQ1euVQiB26gbuk vYM9uioRbTJKDYoqSV6lOCq5aGtacQKUevNggQ2uM54zpFwfEXqFPzHMXMu0D07xd3k9 ubaNYJF5oLCMIO0wXPFimb0zNBg6pATXEoB6PmjH7tXo0SiM/8PZp5uOR1MgXNOQpqXE Q3q0Xn5L4RJdyGc3q7GnCKVGhbVaKUA3RVgI1JQHKqunAfFuXVAeZGZGrGc3AAZwtyOK bvPg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id l5-20020a05600002a500b0020adff84efcsi5132559wry.509.2022.05.13.20.13.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 13 May 2022 20:13:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C37583D9203; Fri, 13 May 2022 16:53:47 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378429AbiEMJOT (ORCPT + 99 others); Fri, 13 May 2022 05:14:19 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53312 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231523AbiEMJOS (ORCPT ); Fri, 13 May 2022 05:14:18 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EF1F31882BE for ; Fri, 13 May 2022 02:14:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 7F3CD621AF for ; Fri, 13 May 2022 09:14:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 45CD1C34113; Fri, 13 May 2022 09:14:13 +0000 (UTC) Date: Fri, 13 May 2022 10:14:09 +0100 From: Catalin Marinas To: Thomas Gleixner Cc: Dave Hansen , "H.J. Lu" , Peter Zijlstra , "Kirill A. Shutemov" , Dave Hansen , Andy Lutomirski , the arch/x86 maintainers , Alexander Potapenko , Dmitry Vyukov , Andi Kleen , Rick Edgecombe , Linux-MM , LKML Subject: Re: [RFCv2 00/10] Linear Address Masking enabling Message-ID: References: <20220511022751.65540-1-kirill.shutemov@linux.intel.com> <20220511064943.GR76023@worktop.programming.kicks-ass.net> <20bada85-9203-57f4-2502-57a6fd11f3ea@intel.com> <875ymav8ul.ffs@tglx> <55176b79-90af-4a47-dc06-9f5f2f2c123d@intel.com> <87o802tjd7.ffs@tglx> <67aef839-0757-37b1-a42d-154c0116cbf5@intel.com> <878rr6te6b.ffs@tglx> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <878rr6te6b.ffs@tglx> X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, May 13, 2022 at 03:27:24AM +0200, Thomas Gleixner wrote: > On Thu, May 12 2022 at 17:46, Dave Hansen wrote: > > On 5/12/22 17:08, H.J. Lu wrote: > > If I had to take a shot at this today, I think I'd opt for: > > > > mask = sys_enable_masking(bits=6, flags=FUZZY_NR_BITS); > > > > although I'm not super confident about the "fuzzy" flag. I also don't > > think I'd totally hate the "blind" interface where the kernel just gets > > to pick unilaterally and takes zero input from userspace. > > That's the only sane choice and you can make it simple for userspace: > > ret = prctl(GET_XXX_MASK, &mask); > > and then let it decide based on @ret and @mask whether to use it or not. Getting the mask would work for arm64 as well (it's always 0xffUL << 56, top-byte-ignore). Setting the mask from user space won't be of any use to us, it's baked in hardware. > But of course nobody thought about this as a generic feature and so we > have the ARM64 TBI muck as a precedence. > > So much for coordination and portability... Well, we had TBI in the architecture and enabled for user-space since the first arm64 kernel port (2012), no ABI controls needed. It had some specific uses like JITs to avoid masking out type bits encoded in pointers. In 2019 sanitisers appeared and we relaxed the TBI at the syscall level but, to avoid potentially confusing some programs, we added a control which only changes the behaviour of access_ok(). More of a safety thing, we might have as well skipped it. There is no hardware configuration toggled by this control, nor is the user address space layout (max 52-bit on arm64). Since sanitisers require compiler instrumentation (or, with MTE, arm64-specific libc changes), it's pretty much all within the arm64-specific user codebase. MTE came along and we added some more bits on top which, again, are hardware specific and contained within the arm64 libc startup code (tag checking modes etc). Dave indeed mentioned passing a mask to allow a more flexible control but, as already mentioned in the old thread, for arm64 the feature was already on, so it didn't make much sense, it seemed more like over-engineering. Had we known that Intel is pursing something similar, maybe we'd have designed the interface differently (we didn't get the hint). Intel's LAM has more flexibility but I don't see the arm64 TBI getting in the way. Just don't use it as an example because they evolved in different ways. I'm happy for arm64 to adopt a more flexible interface while keeping the current one around for backwards compatibility). But on arm64 we can't control the masking, not even disable it per process since it has always been on. > I'm so tired of this short sighted 'cram my feature in' approach of > _all_ involved parties. Unfortunately it happens occasionally, especially when developers can't disclose that their companies work on similar features (resctrl is a good example where arm64 would have benefited from a more generic approach but at the time MPAM was not public). -- Catalin