On 22/06/2025 at 18:20, David Laight wrote:
> On Sun, 22 Jun 2025 11:52:38 +0200
> Christophe Leroy <christophe.le...@csgroup.eu> wrote:
>
>> Masked user access avoids the address/size verification by access_ok().
>> Although its main purpose is to skip the speculation in the
>> verification of user address and size, hence avoiding the need for spec
>> mitigation, it also has the advantage of reducing the number of
>> instructions needed, so it also benefits platforms that don't
>> need speculation mitigation, especially when the size of the copy is
>> not known at build time.
>
> It also removes a conditional branch that is quite likely to be
> statically predicted 'the wrong way'.

But include/asm-generic/access_ok.h defines access_ok() as:

        #define access_ok(addr, size) likely(__access_ok(addr, size))

So GCC uses the 'unlikely' variant of the branch instruction to force the correct prediction, doesn't it?


>> Unlike x86_64 which masks the address to 'all bits set' when the
>> user address is invalid, here the address is set to an address in
>> the gap. It avoids relying on the zero page to catch offset
>> accesses. On book3s/32 it makes sure the opening remains on user
>> segment. The extra cost is a single instruction in the masking.
>
> That isn't true (any more).
> Linus changed the check to (approx):
>         if (uaddr > TASK_SIZE)
>                 uaddr = TASK_SIZE;
> (Implemented with a conditional move)

Ah ok, I overlooked that, I didn't know the cmove instruction, it seems similar to the isel instruction on powerpc e500.

Christophe
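A user-space model of the three guards discussed in this thread, added here as an illustration and not code from the kernel or from either poster: the classic access_ok() range check, x86_64-style masking to all ones, and the clamp-to-TASK_SIZE variant. TASK_SIZE and the kernel address are constructed values, and the "gap" assumption (addresses from TASK_SIZE up to the kernel mapping fault) is taken from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the per-arch user/kernel boundary. */
#define TASK_SIZE ((uintptr_t)0x0000800000000000ULL)

/* Classic access_ok(): range arithmetic plus a branch the compiler
 * must predict (the likely() in asm-generic/access_ok.h). */
static bool access_ok_model(uintptr_t addr, size_t size)
{
    /* addr + size must neither wrap nor cross TASK_SIZE */
    return size <= TASK_SIZE && addr <= TASK_SIZE - size;
}

/* x86_64-style masking: an invalid address becomes all ones. */
static uintptr_t mask_all_ones(uintptr_t addr)
{
    /* -(0 or 1) is 0 or UINTPTR_MAX: a mask with no branch and no size */
    uintptr_t bad = -(uintptr_t)(addr > TASK_SIZE);
    return addr | bad;
}

/* Clamp variant described in the thread: the invalid address is moved to
 * TASK_SIZE, i.e. into the gap, so addr + offset stays in the gap too. */
static uintptr_t mask_clamp(uintptr_t addr)
{
    uintptr_t bad = -(uintptr_t)(addr > TASK_SIZE);
    /* branchless select, the C analogue of a cmove/isel */
    return (addr & ~bad) | (TASK_SIZE & bad);
}

/* True when masked + off still lies at or above TASK_SIZE instead of
 * wrapping around to low user memory. */
static bool stays_in_gap(uintptr_t masked, uintptr_t off)
{
    return masked + off >= TASK_SIZE;
}

int main(void)
{
    uintptr_t kaddr = (uintptr_t)0xffff888000001000ULL; /* constructed */
    printf("access_ok rejects kernel address: %d\n", !access_ok_model(kaddr, 16));
    printf("all-ones masked + 16 wraps low:   %d\n", !stays_in_gap(mask_all_ones(kaddr), 16));
    printf("clamped + 16 stays in gap:        %d\n", stays_in_gap(mask_clamp(kaddr), 16));
    return 0;
}
```

The all-ones form shows why the thread mentions the zero page: once an offset is added, the wrapped pointer lands in low user memory and only an unmapped first page turns it into a fault.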
