From nobody Wed Aug 6 17:38:00 2025 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4bxyDm3j3fz641Bk; Wed, 06 Aug 2025 17:38:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4bxyDm2YvXz3cY3; Wed, 06 Aug 2025 17:38:00 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754501880; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4GUSE9Fn5eMHeYCpIf+zsZZPLH8th6styJMY15F0UV4=; b=TmmFQhIf5Cd/p24ZLl/AeUx82tL4RDYSL5TPKMFF7PSnXsHkcMn11gPzJ8IZAIcgY+2oBl 9hu4oX7wN+w9Nl4zFtQGAjjU1f8MIurMYjAc7jEBDngcacnT8uF3IsJA+0nXcCzUdcsz5G pZaFIlnewhxhiII51x1E/vxyvBh4qsJv3KuGCl6eWtPHywNzjf0iKK2jQf1U98ZK8PBLqB 3CvHeQB2dExkkm3CL7iXPU/+s30f8bzURB64PlsFXAwGJ/Q+L4kQhzzwmpF8b4mUrNtjQ4 PMpjcmZAnVQzkmXl+xyVAn+ZxV52SFDWegZ5rqctrLRYjcSKechXmv3tZdy+hA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1754501880; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4GUSE9Fn5eMHeYCpIf+zsZZPLH8th6styJMY15F0UV4=; b=R7WBn2UNo9oaqPuSUORCqp9RQf/YV9K7xOE1JuXE1xVkKUSWlQgJr2etigMXJFl1hQxGXX DYfoixy4FFfsKnWhz0KleeLYEgfXq7u+hlvZ8jjqJL+X4ynoV7sLxP57dOFoY2VqMDQhYU 74rw1fA1TzLP3n9sxAgaGJsUdcURlf3OQfsUi+EY//MR0fGe3lxli3AcqdifW6/TljCveC JSaIFe6ieZMgimN4ves7+9Hn4U3dhk327r3LPohDtQYd3pFuJ9Aur6w+LuEfw3uGt4jxk5 O4neRR8QWZdNBcehoIWJwPHxUNQ537isgPwCP/9otCkwLAC6nGJcJvm0T0PnTQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1754501880; a=rsa-sha256; cv=none; b=lQ0gWCBPiIMcP6WPm73D1LoBpyitj8AB4zlDt3+ETUmypMzxEerUIZiZyrpiOO0A72wRNF wTAQ/7ShkGBTu0ADa6xOJx/ltDpQfWD/9qQKo6vmCIq36gv8v6r2uv1HXWXZKB3hzo+L25 RMrJmTaj94kHPLn/MOOC2qsg2LWL6w3ikepYIFzOjw9afVlXvvgIpfEE++0rWhqQOdLdJW KDHBv6LwGMQDYbpx+E1mK4eVUYKqq78GUqgRKFVKKZgO5Zwchwc7/WtDlZCS2wtMOE82bc IlAiRTDOZdJvNlWMpT3A0Lzt+xzaOBuGcTyJoet5fBI3WYVwwxK561RTtynqQw== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4bxyDm29Y9zVcG; Wed, 06 Aug 2025 17:38:00 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 576Hc01d076622; Wed, 6 Aug 2025 17:38:00 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 576Hc0wZ076618; Wed, 6 Aug 2025 17:38:00 GMT (envelope-from git) Date: Wed, 6 Aug 2025 17:38:00 GMT Message-Id: <202508061738.576Hc0wZ076618@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Andrew Turner Subject: git: 81f07332c03f - main - arm64: tidy up Top-Byte-Ignore (TBI) in the kernel List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: andrew X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 81f07332c03fd2ac6efa8e15b1659a573d250329 Auto-Submitted: auto-generated The branch main has been updated by andrew: URL: https://cgit.FreeBSD.org/src/commit/?id=81f07332c03fd2ac6efa8e15b1659a573d250329 commit 81f07332c03fd2ac6efa8e15b1659a573d250329 Author: Harry Moulton AuthorDate: 2025-07-31 14:10:57 +0000 Commit: Andrew Turner CommitDate: 2025-07-31 14:27:06 +0000 arm64: tidy up Top-Byte-Ignore (TBI) in the kernel In preparation for TBI to be enabled for processes from 15.0 we need to clean up copying data between userspace and the kernel. These functions will check the address is within the valid userspace range, however as the userspace and kernel ranges may overlap when TBI is enabled we need to mask off the top 8 bits. Processes not using TBI are unaffected as the hardware will still check all bits in the address, however this will happen at the first load/store instruction. Reviewed by: andrew Sponsored by: Arm Ltd Differential Revision: https://reviews.freebsd.org/D49119 --- sys/arm64/arm64/copyinout.S | 18 ++++++++++++++++-- sys/arm64/arm64/support.S | 9 ++++++++- sys/arm64/include/vmparam.h | 3 +++ 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/sys/arm64/arm64/copyinout.S b/sys/arm64/arm64/copyinout.S index 26dd0b4cf14f..e41c4b5f6734 100644 --- a/sys/arm64/arm64/copyinout.S +++ b/sys/arm64/arm64/copyinout.S @@ -37,7 +37,14 @@ #include "assym.inc" .macro check_user_access user_arg, size_arg, bad_access_func - adds x6, x\user_arg, x\size_arg + /* + * TBI is enabled from 15.0. Clear the top byte of the userspace + * address before checking whether it's within the given limit. + * The later load/store instructions will fault if TBI is disabled + * for the current process. + */ + and x6, x\user_arg, #(~TBI_ADDR_MASK) + adds x6, x6, x\size_arg b.cs \bad_access_func ldr x7, =VM_MAXUSER_ADDRESS cmp x6, x7 @@ -100,13 +107,20 @@ ENTRY(copyinstr) adr x6, copyio_fault /* Get the handler address */ SET_FAULT_HANDLER(x6, x7) /* Set the handler */ + /* + * As in check_user_access mask off the TBI bits for the cmp + * instruction. The load will fail trap if TBI is disabled, but we + * need to check the address didn't wrap. + */ + and x6, x0, #(~TBI_ADDR_MASK) ldr x7, =VM_MAXUSER_ADDRESS -1: cmp x0, x7 +1: cmp x6, x7 b.cs copyio_fault ldtrb w4, [x0] /* Load from uaddr */ add x0, x0, #1 /* Next char */ strb w4, [x1], #1 /* Store in kaddr */ add x5, x5, #1 /* count++ */ + add x6, x6, #1 /* Increment masked address */ cbz w4, 2f /* Break when NUL-terminated */ sub x2, x2, #1 /* len-- */ cbnz x2, 1b diff --git a/sys/arm64/arm64/support.S b/sys/arm64/arm64/support.S index 2d067c7f7730..bf6fc931e4b0 100644 --- a/sys/arm64/arm64/support.S +++ b/sys/arm64/arm64/support.S @@ -39,8 +39,15 @@ #include "assym.inc" .macro check_user_access user_arg, limit, bad_addr_func + /* + * TBI is enabled from 15.0. Clear the top byte of the userspace + * address before checking whether it's within the given limit. + * The later load/store instructions will fault if TBI is disabled + * for the current process. + */ + and x6, x\user_arg, #(~TBI_ADDR_MASK) ldr x7, =(\limit) - cmp x\user_arg, x7 + cmp x6, x7 b.cs \bad_addr_func .endm diff --git a/sys/arm64/include/vmparam.h b/sys/arm64/include/vmparam.h index db3af1881282..c30ca1b2bff4 100644 --- a/sys/arm64/include/vmparam.h +++ b/sys/arm64/include/vmparam.h @@ -211,6 +211,9 @@ /* The address bits that hold a pointer authentication code */ #define PAC_ADDR_MASK (0xff7f000000000000UL) +/* The top-byte ignore address bits */ +#define TBI_ADDR_MASK 0xff00000000000000UL + /* If true addr is in the kernel address space */ #define ADDR_IS_KERNEL(addr) (((addr) & (1ul << 55)) == (1ul << 55)) /* If true addr is in the user address space */