RISC-V: Enable Zicbom in usermode

Message ID	20241025091527.57825-1-cuiyunhui@bytedance.com (mailing list archive)
State	New
Headers	show Return-Path: <linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org> From: Yunhui Cui <cuiyunhui@bytedance.com> To: punit.agrawal@bytedance.com, paul.walmsley@sifive.com, palmer@dabbelt.com, aou@eecs.berkeley.edu, conor@kernel.org, cleger@rivosinc.com, charlie@rivosinc.com, evan@rivosinc.com, samuel.holland@sifive.com, andybnac@gmail.com, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Cc: Yunhui Cui <cuiyunhui@bytedance.com> Subject: [PATCH] RISC-V: Enable Zicbom in usermode Date: Fri, 25 Oct 2024 17:15:27 +0800 Message-Id: <20241025091527.57825-1-cuiyunhui@bytedance.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-riscv" <linux-riscv-bounces@lists.infradead.org> Errors-To: linux-riscv-bounces+linux-riscv=archiver.kernel.org@lists.infradead.org
Series	RISC-V: Enable Zicbom in usermode \| expand RISC-V: Enable Zicbom in usermode

Context	Check	Description
conchuod/vmtest-for-next-PR	success	PR summary
conchuod/patch-1-test-1	success	.github/scripts/patches/tests/build_rv32_defconfig.sh took 135.41s
conchuod/patch-1-test-2	success	.github/scripts/patches/tests/build_rv64_clang_allmodconfig.sh took 1298.54s
conchuod/patch-1-test-3	success	.github/scripts/patches/tests/build_rv64_gcc_allmodconfig.sh took 1592.67s
conchuod/patch-1-test-4	success	.github/scripts/patches/tests/build_rv64_nommu_k210_defconfig.sh took 20.46s
conchuod/patch-1-test-5	success	.github/scripts/patches/tests/build_rv64_nommu_virt_defconfig.sh took 22.54s
conchuod/patch-1-test-6	success	.github/scripts/patches/tests/checkpatch.sh took 0.43s
conchuod/patch-1-test-7	success	.github/scripts/patches/tests/dtb_warn_rv64.sh took 43.27s
conchuod/patch-1-test-8	success	.github/scripts/patches/tests/header_inline.sh took 0.00s
conchuod/patch-1-test-9	success	.github/scripts/patches/tests/kdoc.sh took 0.54s
conchuod/patch-1-test-10	success	.github/scripts/patches/tests/module_param.sh took 0.01s
conchuod/patch-1-test-11	success	.github/scripts/patches/tests/verify_fixes.sh took 0.00s
conchuod/patch-1-test-12	success	.github/scripts/patches/tests/verify_signedoff.sh took 0.03s

Yunhui Cui Oct. 25, 2024, 9:15 a.m. UTC

Like Zicboz, by enabling the corresponding bits of senvcfg,
the instructions cbo.clean, cbo.flush, and cbo.inval can be
executed normally in user mode.

Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
---
 arch/riscv/kernel/cpufeature.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Conor Dooley Oct. 25, 2024, 10:16 a.m. UTC | #1

On Fri, Oct 25, 2024 at 05:15:27PM +0800, Yunhui Cui wrote:
> Like Zicboz, by enabling the corresponding bits of senvcfg,
> the instructions cbo.clean, cbo.flush, and cbo.inval can be
> executed normally in user mode.
> 
> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
> ---
>  arch/riscv/kernel/cpufeature.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
> index 1992ea64786e..bc850518ab41 100644
> --- a/arch/riscv/kernel/cpufeature.c
> +++ b/arch/riscv/kernel/cpufeature.c
> @@ -924,7 +924,7 @@ unsigned long riscv_get_elf_hwcap(void)
>  void __init riscv_user_isa_enable(void)
>  {
>  	if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICBOZ))
> -		current->thread.envcfg |= ENVCFG_CBZE;
> +		current->thread.envcfg |= ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE;

I believe we previously decided that userspace should not be allowed to
use zicbom, but that not withstanding - this is wrong. It should be
checking for Zicbom, not Zicboz.

Jessica Clarke Oct. 25, 2024, 4:32 p.m. UTC | #2

On 25 Oct 2024, at 11:16, Conor Dooley <conor@kernel.org> wrote:
> On Fri, Oct 25, 2024 at 05:15:27PM +0800, Yunhui Cui wrote:
>> Like Zicboz, by enabling the corresponding bits of senvcfg,
>> the instructions cbo.clean, cbo.flush, and cbo.inval can be
>> executed normally in user mode.
>> 
>> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
>> ---
>> arch/riscv/kernel/cpufeature.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>> 
>> diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
>> index 1992ea64786e..bc850518ab41 100644
>> --- a/arch/riscv/kernel/cpufeature.c
>> +++ b/arch/riscv/kernel/cpufeature.c
>> @@ -924,7 +924,7 @@ unsigned long riscv_get_elf_hwcap(void)
>> void __init riscv_user_isa_enable(void)
>> {
>> if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICBOZ))
>> - current->thread.envcfg |= ENVCFG_CBZE;
>> + current->thread.envcfg |= ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE;
> 
> I believe we previously decided that userspace should not be allowed to
> use zicbom, but that not withstanding - this is wrong. It should be
> checking for Zicbom, not Zicboz.

Allowing clean/flush is safe but has the same problems as fence.i with
regards to migrating between harts. Allowing invalidate, unless mapped
to flush, is not safe in general unless the kernel does a lot of
flushing to avoid userspace accessing data it shouldn’t be able to see.

Also, ENVCFG_CBIE is a mask for a multi-bit field, which happens to
have the same value as ENVCFG_CBIE_INV (i.e. really is making cbo.inval
be an invalidate). I note that the KVM code, which this likely copied
from(?), makes the same mistake, but there that is the intended
behaviour, if misleading about what the field really is.

So, with suitable caveats, allowing clean/flush could be a reasonable
thing to do (maybe useful for userspace drivers so long as they pin
themselves to a specific hart?), but invalidate should only ever be
allowed if mapped to flush.

Jess

Deepak Gupta Oct. 29, 2024, 7:20 p.m. UTC | #3

On Fri, Oct 25, 2024 at 11:16:44AM +0100, Conor Dooley wrote:
>On Fri, Oct 25, 2024 at 05:15:27PM +0800, Yunhui Cui wrote:
>> Like Zicboz, by enabling the corresponding bits of senvcfg,
>> the instructions cbo.clean, cbo.flush, and cbo.inval can be
>> executed normally in user mode.
>>
>> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
>> ---
>>  arch/riscv/kernel/cpufeature.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
>> index 1992ea64786e..bc850518ab41 100644
>> --- a/arch/riscv/kernel/cpufeature.c
>> +++ b/arch/riscv/kernel/cpufeature.c
>> @@ -924,7 +924,7 @@ unsigned long riscv_get_elf_hwcap(void)
>>  void __init riscv_user_isa_enable(void)
>>  {
>>  	if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICBOZ))
>> -		current->thread.envcfg |= ENVCFG_CBZE;
>> +		current->thread.envcfg |= ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE;
>
>I believe we previously decided that userspace should not be allowed to
>use zicbom, but that not withstanding - this is wrong. It should be
>checking for Zicbom, not Zicboz.

Additional comment:

It would be good to have this (flush/clean/inval) disabled for seccomped
process or at least some sort of user abi to disable it (whenever use decides
to seccomp current task). So either

- by default disable when task is strict seccomped

OR

- introduce user abi (prctl) to disable it. so that any task trying to
   lockdown itself should be able to do that.

This is particularly useful for sandbox hosting in same address space.

Yunhui Cui Oct. 31, 2024, 8:29 a.m. UTC | #4

Hi Jessica,

On Sat, Oct 26, 2024 at 12:32 AM Jessica Clarke <jrtc27@jrtc27.com> wrote:
>
> On 25 Oct 2024, at 11:16, Conor Dooley <conor@kernel.org> wrote:
> > On Fri, Oct 25, 2024 at 05:15:27PM +0800, Yunhui Cui wrote:
> >> Like Zicboz, by enabling the corresponding bits of senvcfg,
> >> the instructions cbo.clean, cbo.flush, and cbo.inval can be
> >> executed normally in user mode.
> >>
> >> Signed-off-by: Yunhui Cui <cuiyunhui@bytedance.com>
> >> ---
> >> arch/riscv/kernel/cpufeature.c | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
> >> index 1992ea64786e..bc850518ab41 100644
> >> --- a/arch/riscv/kernel/cpufeature.c
> >> +++ b/arch/riscv/kernel/cpufeature.c
> >> @@ -924,7 +924,7 @@ unsigned long riscv_get_elf_hwcap(void)
> >> void __init riscv_user_isa_enable(void)
> >> {
> >> if (riscv_has_extension_unlikely(RISCV_ISA_EXT_ZICBOZ))
> >> - current->thread.envcfg |= ENVCFG_CBZE;
> >> + current->thread.envcfg |= ENVCFG_CBIE | ENVCFG_CBCFE | ENVCFG_CBZE;
> >
> > I believe we previously decided that userspace should not be allowed to
> > use zicbom, but that not withstanding - this is wrong. It should be
> > checking for Zicbom, not Zicboz.
>
> Allowing clean/flush is safe but has the same problems as fence.i with
> regards to migrating between harts. Allowing invalidate, unless mapped
> to flush, is not safe in general unless the kernel does a lot of
> flushing to avoid userspace accessing data it shouldn’t be able to see.
>
> Also, ENVCFG_CBIE is a mask for a multi-bit field, which happens to
> have the same value as ENVCFG_CBIE_INV (i.e. really is making cbo.inval
> be an invalidate). I note that the KVM code, which this likely copied
> from(?), makes the same mistake, but there that is the intended
> behaviour, if misleading about what the field really is.
>
> So, with suitable caveats, allowing clean/flush could be a reasonable
> thing to do (maybe useful for userspace drivers so long as they pin
> themselves to a specific hart?), but invalidate should only ever be
> allowed if mapped to flush.
>
> Jess
>
Yes. The original intention is to enable clean/flush/invalid. So
ENVCFG_CBIE | ENVCFG_CBCFE is added. When one core initiates an
invalidation, other cores will also invalidate the corresponding cache
line. So do we not need to worry about this problem? Moreover,
invalidation is not found in the logic of disabling preemption in the
kernel. Or perhaps binding cores belongs to the user-space's own
logic. Can this patch be fixed as RISCV_ISA_EXT_ZICBOM and then a v2
be sent?

Thanks,
Yunhui

RISC-V: Enable Zicbom in usermode

Checks

Commit Message

Comments

Patch