On Fri, Aug 23, 2024 at 07:40:52PM +0100, Catalin Marinas wrote:

On Fri, Aug 23, 2024 at 06:08:36PM +0100, Will Deacon wrote:

quoted

On Fri, Aug 23, 2024 at 05:41:06PM +0100, Catalin Marinas wrote:

quoted

On Fri, Aug 23, 2024 at 03:45:32PM +0100, Will Deacon wrote:

quoted

On Thu, Aug 22, 2024 at 04:10:49PM +0100, Joey Gouly wrote:

quoted

+static void permission_overlay_switch(struct task_struct *next)
+{
+	if (!system_supports_poe())
+		return;
+
+	current->thread.por_el0 = read_sysreg_s(SYS_POR_EL0);
+	if (current->thread.por_el0 != next->thread.por_el0) {
+		write_sysreg_s(next->thread.por_el0, SYS_POR_EL0);
+		/* ISB required for kernel uaccess routines when chaning POR_EL0 */

nit: typo "chaning".

But more substantially, is this just to prevent spurious faults in the
context of a new thread using a stale value for POR_EL0?

Not just prevent faults but enforce the permissions from the new
thread's POR_EL0. The kernel may continue with a uaccess routine from
here, we can't tell.

Hmm, I wondered if that was the case. It's a bit weird though, because:

  - There's a window between switch_mm() and switch_to() where you might
    reasonably expect to be able to execute uaccess routines

I don't think we can have any uaccess between these two switches (a
uaccess could fault, that's a pretty weird state between these two).

quoted

  - kthread_use_mm() doesn't/can't look at this at all

No, but a kthread would have it's own, most permissive, POR_EL0.

quoted

  - GUP obviously doesn't care

So what do we actually gain by having the uaccess routines honour this?

I guess where it matters is more like not accidentally faulting because
the previous thread had more restrictive permissions.

That's what I wondered initially, but won't the fault handler retry in
that case?

Will