Date: Wed, 23 Apr 2025 17:23:56 -0700
From: Deepak Gupta
To: Radim Krčmář
Cc: Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86@kernel.org, "H. Peter Anvin", Andrew Morton, "Liam R. Howlett", Vlastimil Babka, Lorenzo Stoakes, Paul Walmsley, Palmer Dabbelt, Albert Ou, Conor Dooley, Rob Herring, Krzysztof Kozlowski, Arnd Bergmann, Christian Brauner, Peter Zijlstra, Oleg Nesterov, Eric Biederman, Kees Cook, Jonathan Corbet, Shuah Khan, Jann Horn, Conor Dooley, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, linux-riscv@lists.infradead.org, devicetree@vger.kernel.org, linux-arch@vger.kernel.org, linux-doc@vger.kernel.org, linux-kselftest@vger.kernel.org, alistair.francis@wdc.com, richard.henderson@linaro.org, jim.shu@sifive.com, andybnac@gmail.com, kito.cheng@sifive.com, charlie@rivosinc.com, atishp@rivosinc.com, evan@rivosinc.com, cleger@rivosinc.com, alexghiti@rivosinc.com, samitolvanen@google.com, broonie@kernel.org, rick.p.edgecombe@intel.com, Zong Li, linux-riscv
Subject: Re: [PATCH v12 05/28] riscv: usercfi state for task and save/restore of CSR_SSP on trap entry/exit
References: <20250314-v5_user_cfi_series-v12-0-e51202b53138@rivosinc.com> <20250314-v5_user_cfi_series-v12-5-e51202b53138@rivosinc.com>

Sorry forgot to respond to rest of your comments on this thread.

On Thu, Apr 10, 2025 at 01:04:39PM +0200, Radim Krčmář wrote:
>2025-03-14T14:39:24-07:00, Deepak Gupta :
>> diff --git a/arch/riscv/include/asm/thread_info.h b/arch/riscv/include/asm/thread_info.h >> @@ -62,6 +62,9 @@ struct thread_info { >> long user_sp; /* User stack pointer */ >> int cpu; >> unsigned long syscall_work; /* SYSCALL_WORK_ flags */ >> +#ifdef CONFIG_RISCV_USER_CFI >> + struct cfi_status user_cfi_state; >> +#endif

<... snipped ...>

>
>
>> diff --git a/arch/riscv/kernel/entry.S b/arch/riscv/kernel/entry.S 
>> @@ -147,6 +147,20 @@ SYM_CODE_START(handle_exception) >> >> REG_L s0, TASK_TI_USER_SP(tp) >> csrrc s1, CSR_STATUS, t0 >> + /* >> + * If previous mode was U, capture shadow stack pointer and save it away >> + * Zero CSR_SSP at the same time for sanitization. >> + */ >> + ALTERNATIVE("nop; nop; nop; nop", >> + __stringify( \ >> + andi s2, s1, SR_SPP; \ >> + bnez s2, skip_ssp_save; \ >> + csrrw s2, CSR_SSP, x0; \ >> + REG_S s2, TASK_TI_USER_SSP(tp); \ >> + skip_ssp_save:), >> + 0, >> + RISCV_ISA_EXT_ZICFISS, >> + CONFIG_RISCV_USER_CFI)
>
>(I'd prefer this closer to the user_sp and kernel_sp swap, it's breaking
> the flow here. We also already know if we've returned from userspace
> or not even without SR_SPP, but reusing the information might tangle
> the logic.)

If CSR_SCRATCH was 0, then we would be coming from kernel else flow goes
to `.Lsave_context`. If we were coming from kernel mode, then eventually
flow merges to `.Lsave_context`.

So we will be saving CSR_SSP on all kernel --> kernel trap handling. That
would be unnecessary. IIRC, this was one of the first review comments in
early RFC series of these patch series (to not touch CSR_SSP unnecessarily).

We can avoid that by ensuring when we branch by determining if we are coming
from user to something like `.Lsave_ssp` which eventually merges into
".Lsave_context". And if we were coming from kernel then we would branch to
`.Lsave_context` and thus skipping ssp save logic. But # of branches it
introduces in early exception handling is equivalent to what current patches
do. So I don't see any value in doing that.

Let me know if I am missing something.

>
>> csrr s2, CSR_EPC >> csrr s3, CSR_TVAL >> csrr s4, CSR_CAUSE 
>> @@ -236,6 +250,18 @@ SYM_CODE_START_NOALIGN(ret_from_exception) >> csrw CSR_SCRATCH, tp >> + >> + /* >> + * Going back to U mode, restore shadow stack pointer >> + */

I can remove my comment because it's obvious.

>
>Are we? I think we can be just as well returning back to kernel-space.
>Similar to how we can enter the exception handler from kernel-space.

Yes we are. See excerpt from `ret_from_exception` in `entry.S`

"""
SYM_CODE_START_NOALIGN(ret_from_exception)
        REG_L s0, PT_STATUS(sp)
#ifdef CONFIG_RISCV_M_MODE
        /* the MPP value is too large to be used as an immediate arg for addi */
        li t0, SR_MPP
        and s0, s0, t0
#else
        andi s0, s0, SR_SPP
#endif
        bnez s0, 1f

<... snipped ...>

        /*
         * Going back to U mode, restore shadow stack pointer
         */
        ALTERNATIVE("nops(2)",
                __stringify( \
                REG_L s3, TASK_TI_USER_SSP(tp); \
                csrw CSR_SSP, s3),
                0,
                RISCV_ISA_EXT_ZICFISS,
                CONFIG_RISCV_USER_CFI)

1:
#ifdef CONFIG_RISCV_ISA_V_PREEMPTIVE
        move a0, sp
        call riscv_v_context_nesting_end

<... snipped ...>
"""

>
>> + ALTERNATIVE("nop; nop", >> + __stringify( \ >> + REG_L s3, TASK_TI_USER_SSP(tp); \ >> + csrw CSR_SSP, s3), >> + 0, >> + RISCV_ISA_EXT_ZICFISS, >> + CONFIG_RISCV_USER_CFI) >> +
>
>Thanks.
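
Review bot: the new `user_cfi_state` member in the thread_info.h hunk is the only field in the visible context without a trailing comment (`user_sp` and `syscall_work` both carry one). A short comment naming what it holds would help, given that the entry.S hunks store the user shadow stack pointer at TASK_TI_USER_SSP(tp). The asm-offsets definition of TASK_TI_USER_SSP is not in the quoted part, so it is worth confirming that it resolves into this member and sits under the same CONFIG_RISCV_USER_CFI guard.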
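
Review bot: `skip_ssp_save:` in the handle_exception hunk is a plain named label inside the ALTERNATIVE body, so it ends up in the object's symbol table and would be a duplicate definition if this sequence were ever emitted a second time in the same file. A numeric local label (`bnez s2, 1f` with `1:`) or a `.L`-prefixed name keeps it local. The use of s2 as scratch looks safe from the visible lines, since the context line `csrr s2, CSR_EPC` directly after the hunk overwrites it, and the four replacement instructions match the four nops.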
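
Review bot: the comment "Going back to U mode, restore shadow stack pointer" in the ret_from_exception hunk depends on a guard the hunk context does not show, which is what led to the "Are we?" question. Rather than dropping the comment, it could say that this point is reached only when SR_SPP is clear, because the earlier `bnez s0, 1f` skips it on returns to kernel mode. The old-instruction string also differs between the quoted hunk ("nop; nop") and the excerpt in the reply ("nops(2)"); the next revision should settle on one form.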