From: Will Deacon <will.deacon@arm.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: jpoimboe@redhat.com, dvlasenk@redhat.com, brgerst@gmail.com,
Julien Thierry <julien.thierry@arm.com>,
catalin.marinas@arm.com, valentin.schneider@arm.com,
linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
mingo@redhat.com, james.morse@arm.com, luto@kernel.org,
"H. Peter Anvin" <hpa@zytor.com>,
bp@alien8.de, tglx@linutronix.de, torvalds@linux-foundation.org,
Ingo Molnar <mingo@kernel.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH] sched/x86: Save [ER]FLAGS on context switch
Date: Tue, 19 Feb 2019 12:48:08 +0000 [thread overview]
Message-ID: <20190219124808.GG8501@fuggles.cambridge.arm.com> (raw)
In-Reply-To: <20190219090409.GW32494@hirez.programming.kicks-ass.net>
On Tue, Feb 19, 2019 at 10:04:09AM +0100, Peter Zijlstra wrote:
> On Mon, Feb 18, 2019 at 02:30:21PM -0800, H. Peter Anvin wrote:
> > On 2/16/19 2:30 AM, Peter Zijlstra wrote:
> > > On Fri, Feb 15, 2019 at 08:06:56PM -0800, hpa@zytor.com wrote:
> > >> This implies we invoke schedule -- a restricted operation (consider
> > >> may_sleep) during execution of STAC-enabled code, but *not* as an
> > >> exception or interrupt, since those preserve the flags.
> > >
> > > Meet preempt_enable().
> >
> > I believe this falls under "doctor, it hurts when I do that." And it hurts for
> > very good reasons. See below.
>
> I disagree; the basic rule is that if you're preemptible you must also
> be able to schedule and vice-versa. These AC regions violate this.
>
> And, like illustrated, it is _very_ easy to get all sorts inside that AC
> crap.
>
> > >> I have serious concerns about this. This is more or less saying that
> > >> we have left an unlimited gap and have had AC escape.
> > >
> > > Yes; by allowing normal C in between STAC and CLAC this is so.
> > >
> > >> Does *anyone* see a need to allow this? I got a question at LPC from
> > >> someone about this, and what they were trying to do once all the
> > >> layers had been unwound was so far down the wrong track for a root
> > >> problem that actually has a very simple solution.
> > >
> > > Have you read the rest of the thread?
> > >
> > > All it takes for this to explode is a call to a C function that has
> > > tracing on it in between the user_access_begin() and user_access_end()
> > > things. That is a _very_ easy thing to do.
> > >
> > > Heck, GCC is allowed to generate that broken code compiling
> > > lib/strnlen_user.c; it doesn't _have_ to inline do_strnlen_user (esp.
> > > with CONFIG_OPTIMIZE_INLINING), and making that a function call would
> > > get us fentry hooks and ftrace and *BOOM*.
> > >
> > > (Now, of course, its a static function with a single caller, and GCC
> > > isn't _THAT_ stupid, but it could, if it wanted to)
> > >
> > > Since the bar is _that_ low for mistakes, I figure we'd better fix it.
> > >
> >
> > The question is what "fix it" means.
>
> It means that when we do schedule, the next task doesn't have AC set,
> and when we schedule back, we'll restore our AC when we had it. Unlike
> the current situation, where the next task will run with AC set.
>
> IOW, it confines AC to the task context where it was set.
>
> > I'm really concerned about AC escapes,
> > and everyone else should be, too.
>
> Then _that_ should be asserted.
>
> > For an issue specific to tracing, it would be more appropriate to do the
> > appropriate things in the tracing entry/exit than in schedule. Otherwise, we
> > don't want to silently paper over mistakes which could mean that we run a
> > large portion of the kernel without protection we thought we had.
> >
> > In that sense, calling schedule() with AC set is in fact a great place to have
> > a WARN() or even BUG(), because such an event really could imply that the
> > kernel has been security compromised.
>
> It is not specific to tracing, tracing is just one of the most trivial
> and non-obvious ways to make it go splat.
>
> There's lot of fairly innocent stuff that does preempt_disable() /
> preempt_enable(). And just a warning in schedule() isn't sufficient,
> you'd have to actually trigger a reschedule before you know your code is
> bad.
>
> And like I said; the invariant is: if you're preemptible you can
> schedule and v.v.
>
> Now, clearly you don't want to mark these whole regions as !preemptible,
> because then you can also not take faults, but somehow you're not
> worried about the whole fault handler, but you are worried about the
> scheduler ?!? How does that work? The fault handler can touch a _ton_
> more code. Heck, the fault handler can schedule.
>
> So either pre-fault, and run the whole AC crap with preemption disabled
> and retry, or accept that we have to schedule.
I think you'll still hate this, but could we not disable preemption during
the uaccess-enabled region, re-enabling it on the fault path after we've
toggled uaccess off and disable it again when we return back to the
uaccess-enabled region? Doesn't help with tracing, but it should at least
handle the common case.
Will
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-02-19 12:48 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-15 13:58 [PATCH v3 0/4] uaccess: Add unsafe accessors for arm64 Julien Thierry
2019-01-15 13:58 ` [PATCH v3 1/4] arm64: uaccess: Cleanup get/put_user() Julien Thierry
2019-01-15 13:58 ` [PATCH v3 2/4] arm64: uaccess: Implement unsafe accessors Julien Thierry
2019-01-15 13:58 ` [PATCH v3 3/4] uaccess: Check no rescheduling function is called in unsafe region Julien Thierry
2019-01-30 16:58 ` Valentin Schneider
2019-02-04 13:27 ` Julien Thierry
2019-02-11 13:45 ` Ingo Molnar
2019-02-11 13:51 ` Peter Zijlstra
2019-02-12 9:15 ` Julien Thierry
2019-02-13 8:21 ` Ingo Molnar
2019-02-13 10:35 ` Peter Zijlstra
2019-02-13 10:50 ` Julien Thierry
2019-02-13 13:17 ` Peter Zijlstra
2019-02-13 13:20 ` Peter Zijlstra
2019-02-13 14:00 ` Will Deacon
2019-02-13 14:07 ` Julien Thierry
2019-02-13 14:17 ` Peter Zijlstra
2019-02-13 14:24 ` Julien Thierry
2019-02-13 14:40 ` Peter Zijlstra
2019-02-13 15:08 ` Peter Zijlstra
2019-02-13 14:25 ` Peter Zijlstra
2019-02-13 14:39 ` Julien Thierry
2019-02-13 14:41 ` Peter Zijlstra
2019-02-13 15:45 ` Peter Zijlstra
2019-02-13 18:54 ` Peter Zijlstra
[not found] ` <D61C430D-4321-4114-AB85-671A3C7B8EAE@amacapital.net>
2019-02-13 22:21 ` Peter Zijlstra
2019-02-13 22:49 ` Andy Lutomirski
2019-02-14 10:14 ` [PATCH] sched/x86: Save [ER]FLAGS on context switch Peter Zijlstra
2019-02-14 16:18 ` Brian Gerst
2019-02-14 19:34 ` Peter Zijlstra
2019-02-15 14:34 ` Brian Gerst
2019-02-15 17:18 ` Linus Torvalds
2019-02-15 17:40 ` Peter Zijlstra
2019-02-15 18:28 ` Andy Lutomirski
2019-02-15 23:34 ` Peter Zijlstra
2019-02-16 0:21 ` Linus Torvalds
2019-02-16 10:32 ` Peter Zijlstra
2019-02-16 4:06 ` hpa
2019-02-16 10:30 ` Peter Zijlstra
2019-02-18 22:30 ` H. Peter Anvin
2019-02-19 0:24 ` Linus Torvalds
2019-02-19 2:20 ` Andy Lutomirski
2019-02-19 2:46 ` H. Peter Anvin
2019-02-19 9:07 ` Julien Thierry
2019-02-19 8:53 ` Julien Thierry
2019-02-19 9:15 ` Peter Zijlstra
2019-02-19 9:19 ` Peter Zijlstra
2019-02-19 9:04 ` Peter Zijlstra
2019-02-19 9:21 ` hpa
2019-02-19 9:44 ` Peter Zijlstra
2019-02-19 11:38 ` Thomas Gleixner
2019-02-19 11:58 ` Peter Zijlstra
2019-02-19 12:48 ` Will Deacon [this message]
2019-02-20 22:55 ` H. Peter Anvin
2019-02-21 12:06 ` Julien Thierry
2019-02-21 21:35 ` Thomas Gleixner
2019-02-21 22:08 ` Linus Torvalds
2019-02-22 12:58 ` Peter Zijlstra
2019-02-22 18:10 ` Thomas Gleixner
2019-02-22 22:26 ` [RFC][PATCH] objtool: STAC/CLAC validation Peter Zijlstra
2019-02-22 23:34 ` Linus Torvalds
2019-02-23 8:43 ` Peter Zijlstra
2019-02-22 23:39 ` hpa
2019-02-23 8:39 ` Peter Zijlstra
2019-02-25 8:47 ` hpa
2019-02-25 13:21 ` Peter Zijlstra
2019-03-01 15:07 ` Peter Zijlstra
2019-02-25 8:49 ` hpa
2019-02-22 23:55 ` Andy Lutomirski
2019-02-23 8:37 ` Peter Zijlstra
2019-02-23 10:52 ` Peter Zijlstra
2019-02-25 10:51 ` Peter Zijlstra
2019-02-25 11:53 ` Peter Zijlstra
2019-02-25 15:36 ` Andy Lutomirski
2019-02-23 0:34 ` Andy Lutomirski
2019-02-23 1:12 ` Linus Torvalds
2019-02-23 1:16 ` Andy Lutomirski
2019-02-23 1:33 ` Linus Torvalds
2019-02-23 1:40 ` Linus Torvalds
2019-02-25 8:33 ` Julien Thierry
2019-02-25 11:55 ` Peter Zijlstra
2019-02-21 12:46 ` [PATCH] sched/x86: Save [ER]FLAGS on context switch Will Deacon
2019-02-21 22:06 ` Andy Lutomirski
2019-02-18 9:03 ` [PATCH v2] " Peter Zijlstra
2019-02-13 23:19 ` [PATCH v3 3/4] uaccess: Check no rescheduling function is called in unsafe region Linus Torvalds
2019-01-15 13:58 ` [PATCH v3 4/4] arm64: uaccess: Implement user_access_region_active Julien Thierry
2019-01-25 14:27 ` [PATCH v3 0/4] uaccess: Add unsafe accessors for arm64 Catalin Marinas
2019-01-30 16:17 ` Julien Thierry
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190219124808.GG8501@fuggles.cambridge.arm.com \
--to=will.deacon@arm.com \
--cc=bp@alien8.de \
--cc=brgerst@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=dvlasenk@redhat.com \
--cc=hpa@zytor.com \
--cc=james.morse@arm.com \
--cc=jpoimboe@redhat.com \
--cc=julien.thierry@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=mingo@redhat.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=valentin.schneider@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).