Date: Wed, 15 Jun 2022 19:58:28 +0300
From: "Kirill A. Shutemov"
To: "Edgecombe, Rick P"
Cc: "peterz@infradead.org", "Lutomirski, Andy", "dave.hansen@linux.intel.com", "linux-kernel@vger.kernel.org", "hjl.tools@gmail.com", "linux-mm@kvack.org", "kcc@google.com", "andreyknvl@gmail.com", "ak@linux.intel.com", "dvyukov@google.com", "x86@kernel.org", "ryabinin.a.a@gmail.com", "glider@google.com"
Subject: Re: [PATCHv3 5/8] x86/uaccess: Provide untagged_addr() and remove tags before address check
Message-ID: <20220615165828.5ggwnoxo7zhvmqzt@black.fi.intel.com>
References: <20220610143527.22974-1-kirill.shutemov@linux.intel.com> <20220610143527.22974-6-kirill.shutemov@linux.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 13, 2022 at 05:36:43PM +0000, Edgecombe, Rick P wrote:
> On Fri, 2022-06-10 at 17:35 +0300, Kirill A. Shutemov wrote:
> > +#ifdef CONFIG_X86_64
> > +/*
> > + * Mask out tag bits from the address.
> > + *
> > + * Magic with the 'sign' allows to untag userspace pointer without any branches
> > + * while leaving kernel addresses intact.
>
> Trying to understand the magic part here. I guess how it works is, when
> the high bit is set, it does the opposite of untagging the addresses by
> setting the tag bits instead of clearing them. So:
> - For proper canonical kernel addresses (with U57) it leaves them
>   intact since the tag bits were already set.
> - For non-canonical kernel-half addresses, it fixes them up.
>   (0xeffffff000000840->0xfffffff000000840)
> - For U48 and 5 level paging, it corrupts some normal kernel
>   addresses. (0xff90ffffffffffff->0xffffffffffffffff)
>
> I just ported this to userspace and threw some addresses at it to see
> what happened, so hopefully I got that right.

Ouch. Thanks for noticing this. I should have caught this myself.
Yes, this implementation is broken for LAM_U48 on a 5-level machine.

What about this:

#define untagged_addr(mm, addr)	({					\
	u64 __addr = (__force u64)(addr);				\
	s64 sign = (s64)__addr >> 63;					\
	__addr &= (mm)->context.untag_mask | sign;			\
	(__force __typeof__(addr))__addr;				\
})

It makes the mask effectively all-ones for supervisor addresses. And it is
less magic to my eyes.

The generated code also looks sane to me:

    11d0:       48 89 f8                mov    %rdi,%rax
    11d3:       48 c1 f8 3f             sar    $0x3f,%rax
    11d7:       48 0b 05 52 2e 00 00    or     0x2e52(%rip),%rax        # 4030
    11de:       48 21 f8                and    %rdi,%rax

Any comments?

> Is this special kernel address handling only needed because
> copy_to_kernel_nofault(), etc call the user helpers?

I did not have any particular use-case in mind. But just if some kernel
address gets there and bits get cleared we will have a very hard to debug
bug.

-- 
 Kirill A. Shutemov
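Rick's two example addresses and Kirill's corrected macro, worked through as an added C example (not code from the patch or from this thread). The v3 behaviour is modelled from Rick's description rather than taken from the patch, and the two untag masks are constructed here in place of mm->context.untag_mask.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

typedef uint64_t u64;
typedef int64_t  s64;

/* Untag masks, constructed for this example (the kernel keeps the active one
 * in mm->context.untag_mask): LAM_U48 tags sit in bits 62:48, LAM_U57 tags
 * in bits 62:57, and the mask clears exactly those bits. */
#define LAM_U48_UNTAG_MASK 0x8000FFFFFFFFFFFFULL
#define LAM_U57_UNTAG_MASK 0x81FFFFFFFFFFFFFFULL

/* Model of the v3 behaviour Rick describes (an assumption, not the patch's
 * code): user pointers (bit 63 clear) get their tag bits cleared, kernel
 * pointers (bit 63 set) get their tag bits set instead. */
static u64 untag_v3_model(u64 addr, u64 mask)
{
	s64 sign = (s64)addr >> 63; /* arithmetic shift: 0 or all-ones */

	return (addr & mask) | ((u64)sign & ~mask);
}

/* Kirill's corrected macro from this mail, as a function: OR-ing the sign
 * word into the mask makes it all-ones for supervisor addresses, so they
 * pass through untouched, while user pointers are still masked. */
static u64 untag_fixed(u64 addr, u64 mask)
{
	s64 sign = (s64)addr >> 63;

	return addr & (mask | (u64)sign);
}

int main(void)
{
	/* Rick's two example addresses plus one constructed tagged user pointer. */
	const u64 noncanon = 0xeffffff000000840ULL;
	const u64 kern5lvl = 0xff90ffffffffffffULL;
	const u64 user_tag = 0x7abc00123456789aULL;

	printf("U57 v3:    %016" PRIx64 " -> %016" PRIx64 " (fixed up)\n",
	       noncanon, untag_v3_model(noncanon, LAM_U57_UNTAG_MASK));
	printf("U48 v3:    %016" PRIx64 " -> %016" PRIx64 " (corrupted)\n",
	       kern5lvl, untag_v3_model(kern5lvl, LAM_U48_UNTAG_MASK));
	printf("U48 fixed: %016" PRIx64 " -> %016" PRIx64 " (intact)\n",
	       kern5lvl, untag_fixed(kern5lvl, LAM_U48_UNTAG_MASK));
	printf("U48 fixed: %016" PRIx64 " -> %016" PRIx64 " (untagged)\n",
	       user_tag, untag_fixed(user_tag, LAM_U48_UNTAG_MASK));
	return 0;
}
```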