Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp2162673rwb; Mon, 7 Nov 2022 09:52:58 -0800 (PST) X-Google-Smtp-Source: AMsMyM4hdiYFW/fxEM5OMcV9iJ0+w2ITYJJtxTdPcNrhjyRfezl8/v5yDrM0kWTsscXiI4n23YNY X-Received: by 2002:a05:6a00:2382:b0:56c:b4d3:9057 with SMTP id f2-20020a056a00238200b0056cb4d39057mr51571843pfc.40.1667843578082; Mon, 07 Nov 2022 09:52:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667843578; cv=none; d=google.com; s=arc-20160816; b=WG4szfs7i/UuN0Ts0yRqH+vZqSs4ZCdkAVJvjvJpx2H31OkFNodcT4P3nnVorX0m8o J5DyR5MEmyGvJTooZkNtVpsQeAlsdmnMglGbTjsQXCyCbAPLLNR+Yl+QSM7n5Q+Skf8b fHaGiiLEtR6cxusm9WSShghZ/q76zVQ+gqY3PFnq7xfYr7o3qx0D3g57srz20bIiVCGk TbGS591mhEIZ7iHG+uX1C9fp/3UYrj25Cba/DrMzXwovLPf4IFZk8Z2zeM5NPvcnSXog Wpy+GT3MB2d9rHpXBAFM+vTZZ6/DDczvHamSY6qcGrkwB2Dz88lB6ZqsWugVuPNS2kK8 3tWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:feedback-id :dkim-signature:dkim-signature; bh=kUNE2iBPOSjzRRFTO7BCAn/Lk++D7uSvRl+/5vPA3tY=; b=Tru04/x2ZmT+JVnFgnsLSKGd7dNJ4jjT6Jt6li4sVZSFr79O6f7N2jTpZMkxvPHuLg ZuT9lSw0N3K1faHLTpK0M/ScPHxj1r652cwVJSwNyc6udO1WFRMtnWBGsGz9oOPxUXwa 58n6D6NzR6qxIdcEkc3ERXTAe6EUhgUv1GncBTt1xovu17eQlvRmD9zhcfzoUD0U0eJo 0b9B3XAiE0jCLLwqplynXfq2/4cqcwBvgxAEXh7hWEq8t/u94dUXtJkf5qL+mXegygjg zIoERH+9B8/m2DHGOBFPRfMGvspJklra5ubSUcrP5r82bH3gJohINFSBztLrsDerRUE0 IrOA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@shutemov.name header.s=fm2 header.b=WC1gzb+X; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=A+M+SgwU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j189-20020a6380c6000000b0046fad96095esi11066118pgd.478.2022.11.07.09.52.46; Mon, 07 Nov 2022 09:52:58 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@shutemov.name header.s=fm2 header.b=WC1gzb+X; dkim=pass header.i=@messagingengine.com header.s=fm1 header.b=A+M+SgwU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232773AbiKGRd6 (ORCPT + 92 others); Mon, 7 Nov 2022 12:33:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46496 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232085AbiKGRd5 (ORCPT ); Mon, 7 Nov 2022 12:33:57 -0500 Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 93426EA5 for ; Mon, 7 Nov 2022 09:33:56 -0800 (PST) Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 9E74E5C011B; Mon, 7 Nov 2022 12:33:55 -0500 (EST) Received: from mailfrontend1 ([10.202.2.162]) by compute2.internal (MEProxy); Mon, 07 Nov 2022 12:33:55 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shutemov.name; h=cc:cc:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1667842435; x=1667928835; bh=kU NE2iBPOSjzRRFTO7BCAn/Lk++D7uSvRl+/5vPA3tY=; b=WC1gzb+XtQOcl1rmjN gELstHuXY/Ue4k/fnrG2pTPwYY6ohB57od78ksHfeG0XPyreJUekteap45aERHlF EbbklduMfsvFL5DGY5JZ3lrnbKplNdentLcL7o0ckzQlKTGUUGJOvJJ5w+6MVbD5 jdrt5U7J2nXn6VqmqxbOkYE1PiM/Gqg0jisHiqahYQSsDz+cekvNB04hovH3YIna D7IOefPYSpi0jQPJyMJ5S94DGeNcIJah9j5FEQF0IFajS8XmTcmNkAFkzdV7RDSE 2kXFkwo5x4P0abORMgdhHyti6hprELQAW3u/Kl9xjL+EiAVDdkV0u+2ijNgNrH7G gf+Q== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:date:date:feedback-id :feedback-id:from:from:in-reply-to:in-reply-to:message-id :mime-version:references:reply-to:sender:subject:subject:to:to :x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1667842435; x=1667928835; bh=kUNE2iBPOSjzRRFTO7BCAn/Lk++D 7uSvRl+/5vPA3tY=; b=A+M+SgwUOYHM74VLmFnR1wyMeJvowrVYmsexZEnf2WCG xmeOiTYAFbBA3mL20KNoMmMuSyp2yYKVDliZkxt2QG8j+3Id2t22CA5N9vSpF0jS in3SXiY7TKqEtagIVfwVkuDByEoXu7DTgFWpNhDeJqY/W7LDyJy0LlNyrtoegG5f 4SYX9znueBYS+ghsRAPQ+S34sqLkFIxHG8Y3ou52keAK4rZ3Ikq4q6Fztc6eKKNU SdCVgLgCg5HE7LanXtmjYhvKo3ddABU9/lkMvwmW5M2z8rWdCYYsEI48hJLfeIUp +ByySMqxAkZbHGUhNW3UFfotVHU6m5Auv2DS6fETiA== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvgedrvdekgddutdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepfffhvfevuffkfhggtggujgesthdttddttddtvdenucfhrhhomhepfdfmihhr ihhllhcutedrucfuhhhuthgvmhhovhdfuceokhhirhhilhhlsehshhhuthgvmhhovhdrnh grmhgvqeenucggtffrrghtthgvrhhnpefhieeghfdtfeehtdeftdehgfehuddtvdeuheet tddtheejueekjeegueeivdektdenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpehkihhrihhllhesshhhuhhtvghmohhvrdhnrghmvg X-ME-Proxy: Feedback-ID: ie3994620:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 7 Nov 2022 12:33:54 -0500 (EST) Received: by box.shutemov.name (Postfix, from userid 1000) id 96A5310964A; Mon, 7 Nov 2022 20:33:52 +0300 (+03) Date: Mon, 7 Nov 2022 20:33:52 +0300 From: "Kirill A. Shutemov" To: Andy Lutomirski Cc: "Kirill A. Shutemov" , Dave Hansen , Peter Zijlstra , x86@kernel.org, Kostya Serebryany , Andrey Ryabinin , Andrey Konovalov , Alexander Potapenko , Taras Madan , Dmitry Vyukov , "H . J . Lu" , Andi Kleen , Rick Edgecombe , Bharata B Rao , Jacob Pan , Ashok Raj , linux-mm@kvack.org, linux-kernel@vger.kernel.org Subject: Re: [PATCHv11 05/16] x86/uaccess: Provide untagged_addr() and remove tags before address check Message-ID: <20221107173352.nx5zu67umwhuccir@box.shutemov.name> References: <20221025001722.17466-1-kirill.shutemov@linux.intel.com> <20221025001722.17466-6-kirill.shutemov@linux.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Nov 07, 2022 at 06:50:51AM -0800, Andy Lutomirski wrote: > > @@ -21,6 +22,30 @@ static inline bool pagefault_disabled(void); > > # define WARN_ON_IN_IRQ() > > #endif > > +#ifdef CONFIG_X86_64 > > +/* > > + * Mask out tag bits from the address. > > + * > > + * Magic with the 'sign' allows to untag userspace pointer without any branches > > + * while leaving kernel addresses intact. > > + */ > > +#define untagged_addr(mm, addr) ({ \ > > + u64 __addr = (__force u64)(addr); \ > > + s64 sign = (s64)__addr >> 63; \ > > + __addr &= (mm)->context.untag_mask | sign; \ > > + (__force __typeof__(addr))__addr; \ > > +}) > > + > > I think this implementation is correct, but I'm wondering if there are any > callers of untagged_addr that actually need to preserve kernel addresses. > Are there? (There certainly *were* back when we had set_fs().) I don't think there's any. CONFIG_KASAN_SW_TAGS uses untagged_addr() on kernel addresses, but it is only enabled on arm64. On x86, it will use CR4.LAM_SUP and the enabling would require a new helper for untagging kernel addresses. That said, I would rather stay on the safe side. > I'm also mildly uneasy about a potential edge case. Naively, one would > expect: > > untagged_addr(current->mm, addr) + size == > untagged_addr(current->mm, addr + size) > > at least for an address that is valid enough to be potentially dereferenced. > This isn't true any more for size that overflows into the tag bit range. That's definitely a new edge case. From quick grep, the only CONFIG_KASAN_SW_TAGS code obviously does arithmetics on address before untagging. > I *think* we're okay though -- __access_ok requires that addr <= limit - > size, so any range that overflows into tag bits will be rejected even if the > entire range consists of valid (tagged) user addresses. True. > So: > > Acked-by: Andy Lutomirski Thanks! -- Kiryl Shutsemau / Kirill A. Shutemov