From: Jiri Kosina <jikos@kernel.org>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Tim Chen <tim.c.chen@linux.intel.com>,
Ingo Molnar <mingo@kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
x86@kernel.org, Peter Zijlstra <peterz@infradead.org>,
Andy Lutomirski <luto@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Tom Lendacky <thomas.lendacky@amd.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Andrea Arcangeli <aarcange@redhat.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Andi Kleen <ak@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Casey Schaufler <casey.schaufler@intel.com>,
Asit Mallick <asit.k.mallick@intel.com>,
Arjan van de Ven <arjan@linux.intel.com>,
Jon Masters <jcm@redhat.com>, Waiman Long <longman9394@gmail.com>,
Greg KH <gregkh@linuxfoundation.org>,
Dave Stewart <david.c.stewart@intel.com>,
Kees Cook <keescook@chromium.org>
Subject: Re: [patch 20/24] x86/speculation: Split out TIF update
Date: Tue, 27 Nov 2018 13:52:23 +0100 (CET) [thread overview]
Message-ID: <nycvar.YFH.7.76.1811271350590.21108@cbobk.fhfr.pm> (raw)
In-Reply-To: <nycvar.YFH.7.76.1811270820050.21108@cbobk.fhfr.pm>
On Tue, 27 Nov 2018, Jiri Kosina wrote:
> > That's racy and does not prevent the situation because the TIF flags are
> > updated befor the UPDATE bit is set.
>
> > So __speculation_ctrl_update() might see the new bits, but not
> > TIF_SPEC_UPDATE.
>
> Hm, right, scratch that. We'd need to do that before updating TIF_SPEC_IB
> in task_update_spec_tif(), but that has the opposite ordering issue.
I think this should do it (not yet fully tested).
From: Jiri Kosina <jkosina@suse.cz>
Subject: [PATCH] x86/speculation: Always properly update SPEC_CTRL MSR for remote SECCOMP tasks
If seccomp task is setting TIF_SPEC_IB for a task running on remote CPU,
the value of TIF_SPEC_IB becomes out-of-sync with the actual MSR value on
that CPU.
This becomes a problem when such task then context switches to another
task that has TIF_SPEC_IB set, as in such case the value of SPEC_CTRL MSR
is not updated and the next task starts running with stale value of
SPEC_CTRL, potentially unprotected by STIBP.
Fix that by "queuing" the needed flags update in 'spec_ctrl' shadow
variable, and populating proper TI flags with it on context switch to the
task that has the TIF_SPEC_UPDATE flag (indicating that syncing is
necessary) set.
Reported-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
arch/x86/include/asm/thread_info.h | 5 ++++-
arch/x86/kernel/cpu/bugs.c | 13 +++++++++++--
arch/x86/kernel/process.c | 15 +++++++++++++++
3 files changed, 30 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index 6d201699c651..001b053067d7 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
@@ -55,6 +55,7 @@ struct task_struct;
struct thread_info {
unsigned long flags; /* low level flags */
+ unsigned long spec_flags; /* spec flags to sync on ctxsw */
u32 status; /* thread synchronous flags */
};
@@ -84,6 +85,7 @@ struct thread_info {
#define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
#define TIF_SECCOMP 8 /* secure computing */
#define TIF_SPEC_IB 9 /* Indirect branch speculation mitigation */
+#define TIF_SPEC_UPDATE 10 /* SPEC_CTRL MSR sync needed on CTXSW */
#define TIF_USER_RETURN_NOTIFY 11 /* notify kernel of userspace return */
#define TIF_UPROBE 12 /* breakpointed or singlestepping */
#define TIF_PATCH_PENDING 13 /* pending live patching update */
@@ -112,6 +114,7 @@ struct thread_info {
#define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
#define _TIF_SECCOMP (1 << TIF_SECCOMP)
#define _TIF_SPEC_IB (1 << TIF_SPEC_IB)
+#define _TIF_SPEC_UPDATE (1 << TIF_SPEC_UPDATE)
#define _TIF_USER_RETURN_NOTIFY (1 << TIF_USER_RETURN_NOTIFY)
#define _TIF_UPROBE (1 << TIF_UPROBE)
#define _TIF_PATCH_PENDING (1 << TIF_PATCH_PENDING)
@@ -155,7 +158,7 @@ struct thread_info {
* Avoid calls to __switch_to_xtra() on UP as STIBP is not evaluated.
*/
#ifdef CONFIG_SMP
-# define _TIF_WORK_CTXSW (_TIF_WORK_CTXSW_BASE | _TIF_SPEC_IB)
+# define _TIF_WORK_CTXSW (_TIF_WORK_CTXSW_BASE | _TIF_SPEC_IB | _TIF_SPEC_UPDATE)
#else
# define _TIF_WORK_CTXSW (_TIF_WORK_CTXSW_BASE)
#endif
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index b5d2b36618a5..679946135789 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -761,9 +761,11 @@ static void task_update_spec_tif(struct task_struct *tsk, int tifbit, bool on)
bool update;
if (on)
- update = !test_and_set_tsk_thread_flag(tsk, tifbit);
+ update = !test_and_set_bit(tifbit,
+ &task_thread_info(tsk)->spec_flags);
else
- update = test_and_clear_tsk_thread_flag(tsk, tifbit);
+ update = test_and_clear_bit(tifbit,
+ &task_thread_info(tsk)->spec_flags);
/*
* Immediately update the speculation control MSRs for the current
@@ -772,9 +774,16 @@ static void task_update_spec_tif(struct task_struct *tsk, int tifbit, bool on)
*
* This can only happen for SECCOMP mitigation. For PRCTL it's
* always the current task.
+ *
+ * If we are updating non-current SECCOMP task, set a flag for it to
+ * always perform the MSR sync on a first context switch to it, in order
+ * to make sure the TIF_SPEC_IB above is not out of sync with the MSR value.
*/
if (tsk == current && update)
speculation_ctrl_update_current();
+ else
+ set_tsk_thread_flag(tsk, TIF_SPEC_UPDATE);
+
}
static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 3f5e351bdd37..6c4fcef52b19 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -474,6 +474,21 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p)
tifn = READ_ONCE(task_thread_info(next_p)->flags);
tifp = READ_ONCE(task_thread_info(prev_p)->flags);
+
+ /*
+ * SECCOMP tasks might have had their spec_ctrl flags updated during
+ * runtime from a different CPU.
+ *
+ * When switching to such a task, populate thread flags with the ones
+ * that have been temporarily saved in spec_flags by task_update_spec_tif()
+ * in order to make sure MSR value is always kept up to date.
+ *
+ * SECCOMP tasks never disable the mitigation for other threads, only enable.
+ */
+ if (IS_ENABLED(CONFIG_SECCOMP) &&
+ test_and_clear_tsk_thread_flag(next_p, TIF_SPEC_UPDATE))
+ tifp |= READ_ONCE(task_thread_info(next_p)->spec_flags);
+
switch_to_bitmap(prev, next, tifp, tifn);
propagate_user_return_notify(prev_p, next_p);
--
Jiri Kosina
SUSE Labs
next prev parent reply other threads:[~2018-11-27 12:52 UTC|newest]
Thread overview: 95+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-21 20:14 [patch 00/24] x86/speculation: Remedy the STIBP/IBPB overhead Thomas Gleixner
2018-11-21 20:14 ` [patch 01/24] x86/speculation: Update the TIF_SSBD comment Thomas Gleixner
2018-11-21 20:28 ` Linus Torvalds
2018-11-21 20:30 ` Thomas Gleixner
2018-11-21 20:33 ` Linus Torvalds
2018-11-21 22:48 ` Thomas Gleixner
2018-11-21 22:53 ` Borislav Petkov
2018-11-21 22:55 ` Thomas Gleixner
2018-11-21 22:55 ` Arjan van de Ven
2018-11-21 22:56 ` Borislav Petkov
2018-11-21 23:07 ` Borislav Petkov
2018-11-21 23:04 ` Josh Poimboeuf
2018-11-21 23:08 ` Borislav Petkov
2018-11-22 17:30 ` Josh Poimboeuf
2018-11-22 17:52 ` Borislav Petkov
2018-11-22 21:17 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 02/24] x86/speculation: Clean up spectre_v2_parse_cmdline() Thomas Gleixner
2018-11-21 20:14 ` [patch 03/24] x86/speculation: Remove unnecessary ret variable in cpu_show_common() Thomas Gleixner
2018-11-21 20:14 ` [patch 04/24] x86/speculation: Reorganize cpu_show_common() Thomas Gleixner
2018-11-21 20:14 ` [patch 05/24] x86/speculation: Disable STIBP when enhanced IBRS is in use Thomas Gleixner
2018-11-21 20:33 ` Borislav Petkov
2018-11-21 20:36 ` Thomas Gleixner
2018-11-21 22:01 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 06/24] x86/speculation: Rename SSBD update functions Thomas Gleixner
2018-11-21 20:14 ` [patch 07/24] x86/speculation: Reorganize speculation control MSRs update Thomas Gleixner
2018-11-21 20:14 ` [patch 08/24] sched/smt: Make sched_smt_present track topology Thomas Gleixner
2018-11-21 20:14 ` [patch 09/24] x86/Kconfig: Select SCHED_SMT if SMP enabled Thomas Gleixner
2018-11-21 20:14 ` [patch 10/24] sched/smt: Expose sched_smt_present static key Thomas Gleixner
2018-11-21 20:41 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 11/24] x86/speculation: Rework SMT state change Thomas Gleixner
2018-11-21 20:14 ` [patch 12/24] x86/l1tf: Show actual SMT state Thomas Gleixner
2018-11-21 20:14 ` [patch 13/24] x86/speculation: Reorder the spec_v2 code Thomas Gleixner
2018-11-21 20:14 ` [patch 14/24] x86/speculation: Unify conditional spectre v2 print functions Thomas Gleixner
2018-11-22 7:59 ` Ingo Molnar
2018-11-21 20:14 ` [patch 15/24] x86/speculation: Add command line control for indirect branch speculation Thomas Gleixner
2018-11-21 23:43 ` Borislav Petkov
2018-11-22 8:14 ` Thomas Gleixner
2018-11-22 9:07 ` Thomas Gleixner
2018-11-22 9:18 ` Peter Zijlstra
2018-11-22 10:10 ` Borislav Petkov
2018-11-22 10:48 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 16/24] x86/speculation: Prepare for per task indirect branch speculation control Thomas Gleixner
2018-11-22 7:57 ` Ingo Molnar
2018-11-21 20:14 ` [patch 17/24] x86/speculation: Move IBPB control out of switch_mm() Thomas Gleixner
2018-11-22 0:01 ` Andi Kleen
2018-11-22 7:42 ` Jiri Kosina
2018-11-22 9:18 ` Thomas Gleixner
2018-11-22 1:40 ` Tim Chen
2018-11-22 7:52 ` Ingo Molnar
2018-11-22 22:29 ` Thomas Gleixner
2018-11-21 20:14 ` [patch 18/24] x86/speculation: Avoid __switch_to_xtra() calls Thomas Gleixner
2018-11-22 1:23 ` Tim Chen
2018-11-22 7:44 ` Ingo Molnar
2018-11-21 20:14 ` [patch 19/24] ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS Thomas Gleixner
2018-11-21 20:14 ` [patch 20/24] x86/speculation: Split out TIF update Thomas Gleixner
2018-11-22 2:13 ` Tim Chen
2018-11-22 23:00 ` Thomas Gleixner
2018-11-23 7:37 ` Ingo Molnar
2018-11-26 18:35 ` Tim Chen
2018-11-26 21:55 ` Thomas Gleixner
2018-11-27 7:05 ` Jiri Kosina
2018-11-27 7:13 ` Thomas Gleixner
2018-11-27 7:30 ` Jiri Kosina
2018-11-27 12:52 ` Jiri Kosina [this message]
2018-11-27 13:18 ` Jiri Kosina
2018-11-27 21:57 ` Thomas Gleixner
2018-11-27 22:07 ` Jiri Kosina
2018-11-27 22:20 ` Jiri Kosina
2018-11-27 22:36 ` Thomas Gleixner
2018-11-28 1:50 ` Tim Chen
2018-11-28 10:43 ` Thomas Gleixner
2018-11-28 6:05 ` Jiri Kosina
2018-11-28 14:33 ` [tip:x86/pti] x86/speculation: Prevent stale SPEC_CTRL msr content tip-bot for Thomas Gleixner
2018-11-22 7:43 ` [patch 20/24] x86/speculation: Split out TIF update Ingo Molnar
2018-11-22 23:04 ` Thomas Gleixner
2018-11-23 7:37 ` Ingo Molnar
2018-11-21 20:14 ` [patch 21/24] x86/speculation: Prepare arch_smt_update() for PRCTL mode Thomas Gleixner
2018-11-22 7:34 ` Ingo Molnar
2018-11-22 23:17 ` Thomas Gleixner
2018-11-22 23:28 ` Jiri Kosina
2018-11-21 20:14 ` [patch 22/24] x86/speculation: Create PRCTL interface to restrict indirect branch speculation Thomas Gleixner
2018-11-22 7:10 ` Ingo Molnar
2018-11-22 9:03 ` Peter Zijlstra
2018-11-22 9:08 ` Thomas Gleixner
2018-11-22 12:26 ` Borislav Petkov
2018-11-22 12:33 ` Peter Zijlstra
2018-11-21 20:14 ` [patch 23/24] x86/speculation: Enable PRCTL mode for spectre_v2_app2app Thomas Gleixner
2018-11-22 7:17 ` Ingo Molnar
2018-11-21 20:14 ` [patch 24/24] x86/speculation: Add seccomp Spectre v2 app to app protection mode Thomas Gleixner
2018-11-22 2:24 ` Tim Chen
2018-11-22 7:26 ` Ingo Molnar
2018-11-22 23:45 ` Thomas Gleixner
2018-11-21 23:48 ` [patch 00/24] x86/speculation: Remedy the STIBP/IBPB overhead Tim Chen
2018-11-22 9:55 ` Thomas Gleixner
2018-11-22 9:45 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.1811271350590.21108@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=aarcange@redhat.com \
--cc=ak@linux.intel.com \
--cc=arjan@linux.intel.com \
--cc=asit.k.mallick@intel.com \
--cc=casey.schaufler@intel.com \
--cc=dave.hansen@intel.com \
--cc=david.c.stewart@intel.com \
--cc=dwmw@amazon.co.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jcm@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longman9394@gmail.com \
--cc=luto@kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=thomas.lendacky@amd.com \
--cc=tim.c.chen@linux.intel.com \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).