arm64: cpufeature: Don't expose ZFR0 to userspace when SVE is not enabled

Message ID 20191014102113.16546-1-julien.grall@arm.com
State Accepted
Commit ec52c7134b1fcef0edfc56d55072fd4f261ef198
Headers show
Series
  • arm64: cpufeature: Don't expose ZFR0 to userspace when SVE is not enabled
Related show

Commit Message

Julien Grall Oct. 14, 2019, 10:21 a.m.
The kernel may not support SVE if CONFIG_ARM64_SVE is not set and
will hide the feature from the from userspace.

Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could
lead to undefined behavior in userspace.

The kernel should not used the register when CONFIG_SVE is disabled.
Therefore, we only need to hidden them from the userspace.

Signed-off-by: Julien Grall <julien.grall@arm.com>

Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace')
---
 arch/arm64/kernel/cpufeature.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

-- 
2.11.0

Comments

Dave Martin Oct. 14, 2019, 2:41 p.m. | #1
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:
> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> will hide the feature from the from userspace.

> 

> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> lead to undefined behavior in userspace.

> 

> The kernel should not used the register when CONFIG_SVE is disabled.

> Therefore, we only need to hidden them from the userspace.

> 

> Signed-off-by: Julien Grall <julien.grall@arm.com>

> Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace')


Reviewed-by: Dave Martin <Dave.Martin@arm.com>


> ---

>  arch/arm64/kernel/cpufeature.c | 15 ++++++++++-----

>  1 file changed, 10 insertions(+), 5 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

> index cabebf1a7976..80f459ad0190 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = {

>  };

>  

>  static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = {

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

>  	ARM64_FTR_END,

>  };

>  

> -- 

> 2.11.0

> 

> 

> _______________________________________________

> linux-arm-kernel mailing list

> linux-arm-kernel@lists.infradead.org

> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
Suzuki Kuruppassery Poulose Oct. 14, 2019, 3:30 p.m. | #2
Hi Julien,

Some minor nits in the description.

On 14/10/2019 11:21, Julien Grall wrote:
> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> will hide the feature from the from userspace.

> 

> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> lead to undefined behavior in userspace.

> 

> The kernel should not used the register when CONFIG_SVE is disabled.


s/used/use ?

> Therefore, we only need to hidden them from the userspace.


s/hidden/hide ?

With the above:

Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>


> 

> Signed-off-by: Julien Grall <julien.grall@arm.com>

> Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace')

> ---

>   arch/arm64/kernel/cpufeature.c | 15 ++++++++++-----

>   1 file changed, 10 insertions(+), 5 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

> index cabebf1a7976..80f459ad0190 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = {

>   };

>   

>   static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = {

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

>   	ARM64_FTR_END,

>   };

>   

>
Mark Rutland Oct. 14, 2019, 3:32 p.m. | #3
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:
> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> will hide the feature from the from userspace.


Nit: s/may not/will not/

> 

> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> lead to undefined behavior in userspace.

> 

> The kernel should not used the register when CONFIG_SVE is disabled.

> Therefore, we only need to hidden them from the userspace.

> 

> Signed-off-by: Julien Grall <julien.grall@arm.com>

> Fixes: 06a916feca2b ('arm64: Expose SVE2 features for userspace')


Reviewed-by: Mark Rutland <mark.rutland@arm.com>


Mark.

> ---

>  arch/arm64/kernel/cpufeature.c | 15 ++++++++++-----

>  1 file changed, 10 insertions(+), 5 deletions(-)

> 

> diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c

> index cabebf1a7976..80f459ad0190 100644

> --- a/arch/arm64/kernel/cpufeature.c

> +++ b/arch/arm64/kernel/cpufeature.c

> @@ -176,11 +176,16 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = {

>  };

>  

>  static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = {

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> -	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),

> +	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),

> +		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),

>  	ARM64_FTR_END,

>  };

>  

> -- 

> 2.11.0

> 

> 

> _______________________________________________

> linux-arm-kernel mailing list

> linux-arm-kernel@lists.infradead.org

> http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
Will Deacon Oct. 14, 2019, 4:43 p.m. | #4
On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:
> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> will hide the feature from the from userspace.


I don't understand this sentence.

> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> lead to undefined behavior in userspace.


Undefined in what way? Generally, we can't stop exposing things that
we've exposed previously in case somebody has started relying on them, so
this needs better justification.

Will
Suzuki Kuruppassery Poulose Oct. 14, 2019, 4:57 p.m. | #5
On 14/10/2019 17:43, Will Deacon wrote:
> On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:

>> The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

>> will hide the feature from the from userspace.

> 

> I don't understand this sentence.

> 

>> Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

>> lead to undefined behavior in userspace.

> 

> Undefined in what way? Generally, we can't stop exposing things that

> we've exposed previously in case somebody has started relying on them, so

> this needs better justification.


We still expose them with this patch, but zero them out, if the SVE is not
supported. When SVE is enabled, we expose them as usual.

Cheers
Suzuki
Will Deacon Oct. 14, 2019, 5:20 p.m. | #6
On Mon, Oct 14, 2019 at 05:57:46PM +0100, Suzuki K Poulose wrote:
> On 14/10/2019 17:43, Will Deacon wrote:

> > On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:

> > > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> > > will hide the feature from the from userspace.

> > 

> > I don't understand this sentence.

> > 

> > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> > > lead to undefined behavior in userspace.

> > 

> > Undefined in what way? Generally, we can't stop exposing things that

> > we've exposed previously in case somebody has started relying on them, so

> > this needs better justification.

> 

> We still expose them with this patch, but zero them out, if the SVE is not

> supported. When SVE is enabled, we expose them as usual.


Sure, but if userspace was relying on the non-zero values, it's now broken.

What's missing from the patch description is the fact that this register is
RAZ is SVE is not supported. Given that we get both the SVE HWCAP and
PFR0.SVE field correct when the CONFIG option is disabled, then it's only
very dodgy userspace which would parse the information in ZFR0 for this
configuration and I think we can make this change as a bug fix. I'll try to
write something sensible.

Will
Dave Martin Oct. 15, 2019, 9:45 a.m. | #7
On Mon, Oct 14, 2019 at 06:20:17PM +0100, Will Deacon wrote:
> On Mon, Oct 14, 2019 at 05:57:46PM +0100, Suzuki K Poulose wrote:

> > On 14/10/2019 17:43, Will Deacon wrote:

> > > On Mon, Oct 14, 2019 at 11:21:13AM +0100, Julien Grall wrote:

> > > > The kernel may not support SVE if CONFIG_ARM64_SVE is not set and

> > > > will hide the feature from the from userspace.

> > > 

> > > I don't understand this sentence.

> > > 

> > > > Unfortunately, the fields of ID_AA64ZFR0_EL1 are still exposed and could

> > > > lead to undefined behavior in userspace.

> > > 

> > > Undefined in what way? Generally, we can't stop exposing things that

> > > we've exposed previously in case somebody has started relying on them, so

> > > this needs better justification.

> > 

> > We still expose them with this patch, but zero them out, if the SVE is not

> > supported. When SVE is enabled, we expose them as usual.

> 

> Sure, but if userspace was relying on the non-zero values, it's now broken.

> 

> What's missing from the patch description is the fact that this register is

> RAZ is SVE is not supported. Given that we get both the SVE HWCAP and

> PFR0.SVE field correct when the CONFIG option is disabled, then it's only

> very dodgy userspace which would parse the information in ZFR0 for this

> configuration and I think we can make this change as a bug fix. I'll try to

> write something sensible.


There is no SVE2 hardware yet.  On SVE(1) hardware, ZFR0 is still
reserved and all zero.

In theory userspace could look at the ZFR0 fields and deduce that SVE2 is 
valiable even when the kernel was built with SVE, but I think it highly
unlikely that any software is doing this today.

i.e., I'm pretty sure this horse is still in the stable, and I'd like to
see the door closed ;)

Cheers
---Dave

Patch

diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index cabebf1a7976..80f459ad0190 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -176,11 +176,16 @@  static const struct arm64_ftr_bits ftr_id_aa64pfr1[] = {
 };
 
 static const struct arm64_ftr_bits ftr_id_aa64zfr0[] = {
-	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),
-	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),
-	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),
-	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),
-	ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),
+		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SM4_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),
+		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SHA3_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),
+		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_BITPERM_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),
+		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_AES_SHIFT, 4, 0),
+	ARM64_FTR_BITS(FTR_VISIBLE_IF_IS_ENABLED(CONFIG_ARM64_SVE),
+		       FTR_STRICT, FTR_LOWER_SAFE, ID_AA64ZFR0_SVEVER_SHIFT, 4, 0),
 	ARM64_FTR_END,
 };