Re: [PATCH v2 10/10] powerpc/uaccess: Implement masked user access

Mon, 25 Aug 2025 02:27:44 -0700 


Hi Christophe,

On Fri, Aug 22, 2025 at 11:58:06AM +0200, Christophe Leroy wrote:
> Masked user access avoids the address/size verification by access_ok().
> Allthough its main purpose is to skip the speculation in the
> verification of user address and size hence avoid the need of spec
> mitigation, it also has the advantage of reducing the amount of
> instructions required so it even benefits to platforms that don't
> need speculation mitigation, especially when the size of the copy is
> not know at build time.
> 
> So implement masked user access on powerpc. The only requirement is
> to have memory gap that faults between the top user space and the
> real start of kernel area.
> 
> On 64 bits platforms the address space is divided that way:
> 
>       0xffffffffffffffff      +------------------+
>                               |                  |
>                               |   kernel space   |
>                               |                  |
>       0xc000000000000000      +------------------+  <== PAGE_OFFSET
>                               |//////////////////|
>                               |//////////////////|
>       0x8000000000000000      |//////////////////|
>                               |//////////////////|
>                               |//////////////////|
>       0x0010000000000000      +------------------+  <== TASK_SIZE_MAX
>                               |                  |
>                               |    user space    |
>                               |                  |
>       0x0000000000000000      +------------------+
> 
> Kernel is always above 0x8000000000000000 and user always
> below, with a gap in-between. It leads to a 4 instructions sequence:
> 
>   80: 7c 69 1b 78     mr      r9,r3
>   84: 7c 63 fe 76     sradi   r3,r3,63
>   88: 7d 29 18 78     andc    r9,r9,r3
>   8c: 79 23 00 4c     rldimi  r3,r9,0,1
> 
> This sequence leaves r3 unmodified when it is below 0x8000000000000000
> and clamps it to 0x8000000000000000 if it is above.
> 

This comment looks wrong: the second instruction converts r3 to a
replicated sign bit of the address ((addr>0)?0:-1) if treating the
address as signed. After that the code only modifies the MSB of r3. So I
don't see how r3 could be unchanged from the original value...

OTOH, I believe the following 3 instructions sequence would work,
input address (a) in r3, scratch value (tmp) in r9, both intptr_t:

        sradi r9,r3,63  ; tmp = (a >= 0) ? 0L : -1L;
        andc r3,r3,r9   ; a = a & ~tmp; (equivalently a = (a >= 0) ? a : 0)
        rldimi r3,r9,0,1 ; copy MSB of tmp to MSB of a 

But maybe I goofed...

Gabriel

Reply via email to