| Message ID | 20191014102113.16546-1-julien.grall@arm.com |
|---|---|
| State | Accepted |
| Commit | ec52c7134b1fcef0edfc56d55072fd4f261ef198 |
| Headers | show |
| Series | arm64: cpufeature: Don't expose ZFR0 to userspace when SVE is not enabled | expand |
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > will hide the feature from the from userspace. > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > lead to undefined behavior in userspace. > > The kernel should not used the register when CONFIG_SVE is disabled. > Therefore, we only need to hidden them from the userspace. > > Signed-off-by: Julien Grall <julien.grall@arm.com> > Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace') Reviewed-by: Dave Martin <Dave.Martin@arm.com> > --- > arch/arm64/kernel/cpufeature.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c > index cabebf1a7976..80f459ad0190 100644 > --- a/arch/arm64/kernel/cpufeature.c > +++ b/arch/arm64/kernel/cpufeature.c > @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = { > }; > > static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = { > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > ARM64_FTR_END, > }; > > -- > 2.11.0 > > > _______________________________________________ > linux-arm-kernel mailing list > linux-arm-kernel@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
Hi Julien, Some minor nits in the description. On 14/10/2019 11:21, Julien Grall wrote: > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > will hide the feature from the from userspace. > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > lead to undefined behavior in userspace. > > The kernel should not used the register when CONFIG_SVE is disabled. s/used/use ? > Therefore, we only need to hidden them from the userspace. s/hidden/hide ? With the above: Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com> > > Signed-off-by: Julien Grall <julien.grall@arm.com> > Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace') > --- > arch/arm64/kernel/cpufeature.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c > index cabebf1a7976..80f459ad0190 100644 > --- a/arch/arm64/kernel/cpufeature.c > +++ b/arch/arm64/kernel/cpufeature.c > @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = { > }; > > static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = { > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > ARM64_FTR_END, > }; > >
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > will hide the feature from the from userspace. Nit: s/may not/will not/ > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > lead to undefined behavior in userspace. > > The kernel should not used the register when CONFIG_SVE is disabled. > Therefore, we only need to hidden them from the userspace. > > Signed-off-by: Julien Grall <julien.grall@arm.com> > Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace') Reviewed-by: Mark Rutland <mark.rutland@arm.com> Mark. > --- > arch/arm64/kernel/cpufeature.c | 15 ++++++++++----- > 1 file changed, 10 insertions(+), 5 deletions(-) > > diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c > index cabebf1a7976..80f459ad0190 100644 > --- a/arch/arm64/kernel/cpufeature.c > +++ b/arch/arm64/kernel/cpufeature.c > @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = { > }; > > static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = { > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), > + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), > + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), > ARM64_FTR_END, > }; > > -- > 2.11.0 > > > _______________________________________________ > linux-arm-kernel mailing list > linux-arm-kernel@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > will hide the feature from the from userspace. I don't understand this sentence. > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > lead to undefined behavior in userspace. Undefined in what way? Generally, we can't stop exposing things that we've exposed previously in case somebody has started relying on them, so this needs better justification. Will
On 14/10/2019 17:43, Will Deacon wrote: > On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: >> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and >> will hide the feature from the from userspace. > > I don't understand this sentence. > >> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could >> lead to undefined behavior in userspace. > > Undefined in what way? Generally, we can't stop exposing things that > we've exposed previously in case somebody has started relying on them, so > this needs better justification. We still expose them with this patch, but zero them out, if the SVE is not supported. When SVE is enabled, we expose them as usual. Cheers Suzuki
On Mon, Oct 14, 2019 at 05:57:46PM +0100, Suzuki K Poulose wrote: > On 14/10/2019 17:43, Will Deacon wrote: > > On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: > > > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > > > will hide the feature from the from userspace. > > > > I don't understand this sentence. > > > > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > > > lead to undefined behavior in userspace. > > > > Undefined in what way? Generally, we can't stop exposing things that > > we've exposed previously in case somebody has started relying on them, so > > this needs better justification. > > We still expose them with this patch, but zero them out, if the SVE is not > supported. When SVE is enabled, we expose them as usual. Sure, but if userspace was relying on the non-zero values, it's now broken. What's missing from the patch description is the fact that this register is RAZ is SVE is not supported. Given that we get both the SVE HWCAP and PFR0.SVE field correct when the CONFIG option is disabled, then it's only very dodgy userspace which would parse the information in ZFR0 for this configuration and I think we can make this change as a bug fix. I'll try to write something sensible. Will
On Mon, Oct 14, 2019 at 06:20:17PM +0100, Will Deacon wrote: > On Mon, Oct 14, 2019 at 05:57:46PM +0100, Suzuki K Poulose wrote: > > On 14/10/2019 17:43, Will Deacon wrote: > > > On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote: > > > > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and > > > > will hide the feature from the from userspace. > > > > > > I don't understand this sentence. > > > > > > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could > > > > lead to undefined behavior in userspace. > > > > > > Undefined in what way? Generally, we can't stop exposing things that > > > we've exposed previously in case somebody has started relying on them, so > > > this needs better justification. > > > > We still expose them with this patch, but zero them out, if the SVE is not > > supported. When SVE is enabled, we expose them as usual. > > Sure, but if userspace was relying on the non-zero values, it's now broken. > > What's missing from the patch description is the fact that this register is > RAZ is SVE is not supported. Given that we get both the SVE HWCAP and > PFR0.SVE field correct when the CONFIG option is disabled, then it's only > very dodgy userspace which would parse the information in ZFR0 for this > configuration and I think we can make this change as a bug fix. I'll try to > write something sensible. There is no SVE2 hardware yet. On SVE(1) hardware, ZFR0 is still reserved and all zero. In theory userspace could look at the ZFR0 fields and deduce that SVE2 is valiable even when the kernel was built with SVE, but I think it highly unlikely that any software is doing this today. i.e., I'm pretty sure this horse is still in the stable, and I'd like to see the door closed ;) Cheers ---Dave
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c index cabebf1a7976..80f459ad0190 100644 --- a/arch/arm64/kernel/cpufeature.c +++ b/arch/arm64/kernel/cpufeature.c @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = { }; static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = { - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), - ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0), + ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE), + FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0), ARM64_FTR_END, };
The kernel may not support SVE if CONFIG_ARM64_SVE is not set and will hide the feature from the from userspace. Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could lead to undefined behavior in userspace. The kernel should not used the register when CONFIG_SVE is disabled. Therefore, we only need to hidden them from the userspace. Signed-off-by: Julien Grall <julien.grall@arm.com> Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace') --- arch/arm64/kernel/cpufeature.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) -- 2.11.0