From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from shelob.surriel.com (shelob.surriel.com [96.67.55.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 896031D5AC2 for ; Fri, 17 Jul 2026 17:00:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=96.67.55.147 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784307643; cv=none; b=IABIBPioRr6NiCvP3E9G7juX3Y6EiPf62VMiOLJDt5ZQMK/KyStk4fWzRCw2c+QXvBampb7Zb08lA4PHOoJ66R1bsFW1Q3pV4zgoGFD/uE//skNxZs+tVCM6uAz0lTn8nuIX/wyOwJMCf00FSaPp+qGDfAAdNo1x13bFxBG9/kA= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1784307643; c=relaxed/simple; bh=EeJ07cY6gkA+GwLF4HHimoxU8v/e5tuVt9GlEyF2xds=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=R2Ik2IF5JmHGNblSIiQtwReb+XIVc2GAAgdJeVBU9pdRHzhRJeySPAekX2sQ4WjM8cSZJK7TkHpFBSIZnq3zhwSXYAHNXbh5+svkyVcz3o4B3yhsQKsS5X8SDrt4bzfRVwIE2yyU6MWfLldRskx91D4TSREvXXutp7QdZLwrNWU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com; spf=pass smtp.mailfrom=surriel.com; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b=XMjTuISn; arc=none smtp.client-ip=96.67.55.147 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=surriel.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=surriel.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=surriel.com header.i=@surriel.com header.b="XMjTuISn" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=surriel.com ; s=mail; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=g3vbKYZxRsDMfVpHBxPVOyxjBlSbaKA9GcdBzuhy8/M=; b=XMjTuISn/VdlNzVWcRsravLbi+ hkm1J4NIe32NGtJ/rpWfaJWjH8D3byPUvCx2Ep3/yG+yt2xCVZMtqVpq8gZpHQsbh9iym/67wN+lA AkBJFCYjoPUHE2exwMEyZUSMaW6xyxpezzSRV60t6ynJO4+YvOrGE33wfARHZm/ZxrvkfrcJr/H+w AbBMHegmNPgTO24/Zh3o/6OKRsqZ5Q2svwFm82Ln5N9ol24MwTbvJ8pvmCZ1vrqnVqFrgXmtuKCnw 9i8ALaPLZqrixvZNaZsMgrrdjRL4569xiHMD+rtQKmSgjeKoTq7zLx2RCPLv5nJvr4iC//wmWo9qS v9oLlYZg==; Received: from fangorn.home.surriel.com ([10.0.13.7]) by shelob.surriel.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.97.1) (envelope-from ) id 1wklvS-000000001w4-0K81; Fri, 17 Jul 2026 13:00:38 -0400 From: Rik van Riel To: linux-kernel@vger.kernel.org, Andrew Morton Cc: kernel-team@meta.com, Rik van Riel , David Hildenbrand , Lorenzo Stoakes , "Liam R. Howlett" , Vlastimil Babka , Mike Rapoport , Suren Baghdasaryan , Michal Hocko , linux-mm@kvack.org, Paul Walmsley , Palmer Dabbelt , Albert Ou , Alexandre Ghiti , linux-riscv@lists.infradead.org Subject: [PATCH RFC v3 2/6] riscv/mm: add untagged_addr_remote_unlocked() Date: Fri, 17 Jul 2026 13:00:32 -0400 Message-ID: <20260717170036.743149-3-riel@surriel.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260717170036.743149-1-riel@surriel.com> References: <20260717170036.743149-1-riel@surriel.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit __access_remote_vm() untags the remote address before looking up the VMA, now without holding the mmap lock. riscv defines untagged_addr_remote() but not untagged_addr_remote_unlocked(), so it falls back to the generic version, which untags with untagged_addr(). That reads current->mm, not the target mm, so a remote access to a process using pointer masking would untag with the wrong mask. mm->context.pmlen is set only through PR_SET_TAGGED_ADDR_CTRL and is stable afterwards, so it can be read without the mmap lock, as it already is from untagged_addr() and mm_untag_mask(). Add untagged_addr_remote_unlocked(), which untags against the target mm, and annotate context.pmlen accesses with READ_ONCE() and WRITE_ONCE() so the lockless reads are explicit and KCSAN-clean. untagged_addr_remote() keeps its mmap_assert_locked() and shares the code. Assisted-by: Claude:claude-opus-4.8 Signed-off-by: Rik van Riel --- arch/riscv/include/asm/mmu_context.h | 4 ++-- arch/riscv/include/asm/uaccess.h | 10 +++++++--- arch/riscv/kernel/process.c | 12 +++++++----- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/arch/riscv/include/asm/mmu_context.h b/arch/riscv/include/asm/mmu_context.h index dbf27a78df6c..3ce16796e5a2 100644 --- a/arch/riscv/include/asm/mmu_context.h +++ b/arch/riscv/include/asm/mmu_context.h @@ -21,7 +21,7 @@ static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next) { #ifdef CONFIG_RISCV_ISA_SUPM - next->context.pmlen = 0; + WRITE_ONCE(next->context.pmlen, 0); #endif switch_mm(prev, next, NULL); } @@ -44,7 +44,7 @@ DECLARE_STATIC_KEY_FALSE(use_asid_allocator); #define mm_untag_mask mm_untag_mask static inline unsigned long mm_untag_mask(struct mm_struct *mm) { - return -1UL >> mm->context.pmlen; + return -1UL >> READ_ONCE(mm->context.pmlen); } #endif diff --git a/arch/riscv/include/asm/uaccess.h b/arch/riscv/include/asm/uaccess.h index 5d4ec15584cf..53806e0f7dcf 100644 --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -16,7 +16,7 @@ static inline unsigned long __untagged_addr_remote(struct mm_struct *mm, unsigned long addr) { if (riscv_has_extension_unlikely(RISCV_ISA_EXT_SUPM)) { - u8 pmlen = mm->context.pmlen; + u8 pmlen = READ_ONCE(mm->context.pmlen); /* Virtual addresses are sign-extended; physical addresses are zero-extended. */ if (IS_ENABLED(CONFIG_MMU)) @@ -33,12 +33,16 @@ static inline unsigned long __untagged_addr_remote(struct mm_struct *mm, unsigne (__force __typeof__(addr))__untagged_addr_remote(current->mm, __addr); \ }) -#define untagged_addr_remote(mm, addr) ({ \ +#define untagged_addr_remote_unlocked(mm, addr) ({ \ unsigned long __addr = (__force unsigned long)(addr); \ - mmap_assert_locked(mm); \ (__force __typeof__(addr))__untagged_addr_remote(mm, __addr); \ }) +#define untagged_addr_remote(mm, addr) ({ \ + mmap_assert_locked(mm); \ + untagged_addr_remote_unlocked(mm, addr); \ +}) + #define access_ok(addr, size) likely(__access_ok(untagged_addr(addr), size)) #else #define untagged_addr(addr) (addr) diff --git a/arch/riscv/kernel/process.c b/arch/riscv/kernel/process.c index b2df7f72241a..6ae7552fed09 100644 --- a/arch/riscv/kernel/process.c +++ b/arch/riscv/kernel/process.c @@ -357,13 +357,15 @@ long set_tagged_addr_ctrl(struct task_struct *task, unsigned long arg) if (mmap_write_lock_killable(mm)) return -EINTR; - if (test_bit(MM_CONTEXT_LOCK_PMLEN, &mm->context.flags) && mm->context.pmlen != pmlen) { - mmap_write_unlock(mm); - return -EBUSY; + if (test_bit(MM_CONTEXT_LOCK_PMLEN, &mm->context.flags)) { + if (READ_ONCE(mm->context.pmlen) != pmlen) { + mmap_write_unlock(mm); + return -EBUSY; + } } envcfg_update_bits(task, ENVCFG_PMM, pmm); - mm->context.pmlen = pmlen; + WRITE_ONCE(mm->context.pmlen, pmlen); mmap_write_unlock(mm); @@ -394,7 +396,7 @@ long get_tagged_addr_ctrl(struct task_struct *task) break; } - if (task->mm->context.pmlen) + if (READ_ONCE(task->mm->context.pmlen)) ret |= PR_TAGGED_ADDR_ENABLE; return ret; -- 2.53.0-Meta