On Tue, Aug 27, 2024 at 12:38:04PM +0100, Will Deacon wrote:
> On Fri, Aug 23, 2024 at 07:40:52PM +0100, Catalin Marinas wrote:
> > On Fri, Aug 23, 2024 at 06:08:36PM +0100, Will Deacon wrote:
> > > On Fri, Aug 23, 2024 at 05:41:06PM +0100, Catalin Marinas wrote:
> > > > On Fri, Aug 23, 2024 at 03:45:32PM +0100, Will Deacon wrote:
> > > > > On Thu, Aug 22, 2024 at 04:10:49PM +0100, Joey Gouly wrote:
> > > > > > +static void permission_overlay_switch(struct task_struct *next)
> > > > > > +{
> > > > > > + if (!system_supports_poe())
> > > > > > + return;
> > > > > > +
> > > > > > + current->thread.por_el0 = read_sysreg_s(SYS_POR_EL0);
> > > > > > + if (current->thread.por_el0 != next->thread.por_el0) {
> > > > > > + write_sysreg_s(next->thread.por_el0, SYS_POR_EL0);
> > > > > > + /* ISB required for kernel uaccess routines when chaning POR_EL0 */
> > > > >
> > > > > nit: typo "chaning".
> > > > >
> > > > > But more substantially, is this just to prevent spurious faults in the
> > > > > context of a new thread using a stale value for POR_EL0?
> > > >
> > > > Not just prevent faults but enforce the permissions from the new
> > > > thread's POR_EL0. The kernel may continue with a uaccess routine from
> > > > here, we can't tell.
[...]
> > > So what do we actually gain by having the uaccess routines honour this?
> >
> > I guess where it matters is more like not accidentally faulting because
> > the previous thread had more restrictive permissions.
>
> That's what I wondered initially, but won't the fault handler retry in
> that case?
Yes, it will retry and this should be fine (I assume you are only
talking about the dropping ISB in the context switch).
For the case of running with a more permissive stale POR_EL0, arguably it's
slightly more predictable for the user but, OTOH, some syscalls like
readv() could be routed through GUP with no checks. As with MTE, we
don't guarantee uaccesses honour the user permissions.
That said, at some point we should sanitise this path anyway and have a
single ISB at the end. In the meantime, I'm fine with dropping the ISB
here.
--
Catalin
