Re: [PATCH v2] x86/uaccess: Use pointer masking to limit uaccess speculation

From: Josh Poimboeuf
Date: Wed Sep 09 2020 - 09:10:23 EST


On Wed, Sep 09, 2020 at 07:46:51AM -0500, Josh Poimboeuf wrote:
> On Wed, Sep 09, 2020 at 08:20:07AM +0000, David Laight wrote:
> > From: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> > > Sent: 08 September 2020 18:43
> > > Hi x86 maintainers,
> > ...
> > > > --- a/arch/x86/lib/putuser.S
> > > > +++ b/arch/x86/lib/putuser.S
> > > > @@ -38,6 +38,8 @@ SYM_FUNC_START(__put_user_1)
> > > > ENTER
> > > > cmp TASK_addr_limit(%_ASM_BX),%_ASM_CX
> > > > jae .Lbad_put_user
> > > > + sbb %_ASM_BX, %_ASM_BX /* uaccess_mask_ptr() */
> > > > + and %_ASM_BX, %_ASM_CX
> > > > ASM_STAC
> > > > 1: movb %al,(%_ASM_CX)
> > > > xor %eax,%eax
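Review bot: The added sbb takes its borrow from the carry flag left by the cmp two lines above, so it is only correct while nothing that writes flags is placed between the cmp/jae pair and the sbb, and the "uaccess_mask_ptr()" comment does not say that. Suggest a comment stating that CF comes from the cmp against TASK_addr_limit, and that %_ASM_BX, used just above as the base for TASK_addr_limit, holds the mask from this point on and no longer holds that base.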
> >
> > For 64bit the sbb+and pattern can be replaced by an instruction
> > that clears the high bit (eg btr $63, %rcx).
> > This isn't dependent on the earlier instructions so can execute
> > in parallel with them.
>
> Wouldn't that break with KERNEL_DS?

Looks like the set_fs() removal patches are now in the vfs tree for
-next. I doubt this is going in an -rc so I'll rework the patch based
on top of Christoph's changes.

--
Josh
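
The two masking options discussed in this thread, modeled in C as an added example (not code from the patch or from the kernel), run against a user address limit and against an all-ones limit as used with KERNEL_DS. The limit and pointer values are constructed for illustration, and the C comparison models only the arithmetic result, not the branch-free instruction sequence the assembly guarantees.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values, assumed for illustration (not from the thread). */
#define USER_LIMIT   0x00007ffffffff000ULL  /* address limit for user access */
#define KERNEL_LIMIT 0xffffffffffffffffULL  /* address limit under KERNEL_DS */

/* Model of: cmp limit,ptr ; sbb mask,mask ; and mask,ptr
 * mask is all ones when ptr < limit (carry set), zero otherwise,
 * so an out-of-range pointer collapses to 0 instead of being used. */
uint64_t mask_sbb_and(uint64_t ptr, uint64_t limit)
{
    uint64_t mask = 0ULL - (uint64_t)(ptr < limit);
    return ptr & mask;
}

/* Model of: btr $63,ptr
 * Clears the top bit unconditionally; the address limit is never consulted. */
uint64_t mask_btr63(uint64_t ptr)
{
    return ptr & ~(1ULL << 63);
}

int main(void)
{
    const struct { const char *what; uint64_t ptr, limit; } cases[] = {
        { "user ptr, user limit",     0x00007f0000001000ULL, USER_LIMIT   },
        { "kernel ptr, user limit",   0xffff888000001000ULL, USER_LIMIT   },
        { "kernel ptr, kernel limit", 0xffff888000001000ULL, KERNEL_LIMIT },
    };

    for (unsigned i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-26s sbb+and=%016llx btr=%016llx\n", cases[i].what,
               (unsigned long long)mask_sbb_and(cases[i].ptr, cases[i].limit),
               (unsigned long long)mask_btr63(cases[i].ptr));
    return 0;
}
```

In the third case the limit-based mask leaves the kernel pointer intact, while the bit-clearing form alters it because it cannot tell which limit is in effect.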