Re: [patch 20/24] x86/speculation: Split out TIF update

From: Thomas Gleixner <tglx@linutronix.de>
To: Jiri Kosina <jikos@kernel.org>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
	Ingo Molnar <mingo@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	x86@kernel.org, Peter Zijlstra <peterz@infradead.org>,
	Andy Lutomirski <luto@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Tom Lendacky <thomas.lendacky@amd.com>,
	Josh Poimboeuf <jpoimboe@redhat.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	David Woodhouse <dwmw@amazon.co.uk>,
	Andi Kleen <ak@linux.intel.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Casey Schaufler <casey.schaufler@intel.com>,
	Asit Mallick <asit.k.mallick@intel.com>,
	Arjan van de Ven <arjan@linux.intel.com>,
	Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Dave Stewart <david.c.stewart@intel.com>,
	Kees Cook <keescook@chromium.org>
Subject: Re: [patch 20/24] x86/speculation: Split out TIF update
Date: Tue, 27 Nov 2018 08:13:48 +0100 (CET)	[thread overview]
Message-ID: <alpine.DEB.2.21.1811270809450.1682@nanos.tec.linutronix.de> (raw)
In-Reply-To: <nycvar.YFH.7.76.1811270800090.21108@cbobk.fhfr.pm>

On Tue, 27 Nov 2018, Jiri Kosina wrote:
> On Mon, 26 Nov 2018, Thomas Gleixner wrote:
> 
> How about the minimalistic aproach below? (only compile tested so far, 
> applies on top of your latest WIP.x86/pti branch). The downside of course 
> is wasting another TIF bit.

We need to waste another TIF bit in any case.

>  	 *
>  	 * This can only happen for SECCOMP mitigation. For PRCTL it's
>  	 * always the current task.
> +	 *
> +	 * If we are updating non-current task, set a flag for it to always
> +	 * perform the MSR sync on a first context switch, to make sure
> +	 * the TIF_SPEC_IB above is not out of sync with the MSR value during
> +	 * task's runtime.
>  	 */
>  	if (tsk == current && update)
>  		speculation_ctrl_update_current();
> +	else
> +		set_tsk_thread_flag(tsk, TIF_SPEC_UPDATE);
> +
>  }
>  
>  static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
> diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
> index 3f5e351bdd37..78208234e63e 100644
> --- a/arch/x86/kernel/process.c
> +++ b/arch/x86/kernel/process.c
> @@ -449,8 +449,20 @@ static __always_inline void __speculation_ctrl_update(unsigned long tifp,
>  	 * otherwise avoid the MSR write.
>  	 */
>  	if (IS_ENABLED(CONFIG_SMP) &&
> -	    static_branch_unlikely(&switch_to_cond_stibp))
> +	    static_branch_unlikely(&switch_to_cond_stibp)) {
>  		updmsr |= !!(tif_diff & _TIF_SPEC_IB);
> +		/*
> +		 * We need to update the MSR if remote task did set
> +		 * TIF_SPEC_UPDATE on us, and therefore MSR value and
> +		 * the TIF_SPEC_IB values might be out of sync.
> +		 *
> +		 * This can only happen if seccomp task has updated
> +		 * one of its remote threads.
> +		 */
> +		if (IS_ENABLED(CONFIG_SECCOMP) && !updmsr &&
> +				(tifn & TIF_SPEC_UPDATE))
> +			updmsr = true;
> +	}
>  
>  	if (updmsr)
>  		spec_ctrl_update_msr(tifn);
> @@ -496,6 +508,8 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p)
>  		set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
>  
>  	__speculation_ctrl_update(tifp, tifn);
> +	if (IS_ENABLED(CONFIG_SECCOMP))
> +		clear_tsk_thread_flag(next_p, TIF_SPEC_UPDATE);

That's racy and does not prevent the situation because the TIF flags are
updated befor the UPDATE bit is set. So __speculation_ctrl_update() might
see the new bits, but not TIF_SPEC_UPDATE. You really need shadow storage
to avoid that.

Thanks,

	tglx