From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A3F28C4360F for ; Fri, 5 Apr 2019 14:41:43 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 374CF218A6 for ; Fri, 5 Apr 2019 14:41:43 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 374CF218A6 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 83E0D6B0269; Fri, 5 Apr 2019 10:41:42 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 7F0A26B026A; Fri, 5 Apr 2019 10:41:42 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 68FCA6B026B; Fri, 5 Apr 2019 10:41:42 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from mail-pg1-f198.google.com (mail-pg1-f198.google.com [209.85.215.198]) by kanga.kvack.org (Postfix) with ESMTP id 31D036B0269 for ; Fri, 5 Apr 2019 10:41:42 -0400 (EDT) Received: by mail-pg1-f198.google.com with SMTP id o1so847087pgv.15 for ; Fri, 05 Apr 2019 07:41:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:subject:to:cc :references:from:openpgp:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Ooy7iAC4ALGf6XHn32Is09SGJsmtFSz/uv52Tkvhw0Y=; b=lK0LKxhgj6ZL8BfJ7e6816lHHWo1Dy8Y0RUDIjm2eJF/93uYqz/Luu0FQMmQCBndSQ OJ8cAVSsIgJ6XbMJ31cNL6GgEJgROYPP0Rt5RQhblkufzAhxgiLbW78XfVJtmhr8ouCu nlAy7IsSujjytbyDGCn04BwzewacpvqvS8YTdSAZX+aIwy2isRy2DDI7bRVDIgIH5fmm NNy2YvsTsplyYi4nAFWwecb/eWhLbspkw86GrEoX5T2hPYL35BIqna/vkhiy9htEizAv IIE+T1UZCl4RYZsqT+HsvJhoeswxcyzF54yYqUZ5oAyAJfdjkDQ4ALNfR7RDPDDIQkxA 4oQg== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of dave.hansen@intel.com designates 134.134.136.126 as permitted sender) smtp.mailfrom=dave.hansen@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Gm-Message-State: APjAAAXW2uFCVEw/Bt7zillA4/D9obQcuMtHXGSkHNwQ6mfclG15rW/7 OTVIgWYXLz/bUELSfXIDLOoi73KwUK0UL0lJ/avSexynLU8nDuK2wl78m7mjTBtxoiDgFSsNRca 4g1LXbjdECOdBWpmBpYXEx5dEktDUr57q3HJ10oYy0MnT5Ds8t7lbR3EMC2RVUE8thA== X-Received: by 2002:a63:79c3:: with SMTP id u186mr12152295pgc.20.1554475301655; Fri, 05 Apr 2019 07:41:41 -0700 (PDT) X-Google-Smtp-Source: APXvYqzmodV0/Ihfz4gabMvsbtC3N0yF++cfdx9Ut0vnBgjlGAv9Cg3EL8Bc5WAM+1eaSrEFnt7S X-Received: by 2002:a63:79c3:: with SMTP id u186mr12152211pgc.20.1554475300672; Fri, 05 Apr 2019 07:41:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1554475300; cv=none; d=google.com; s=arc-20160816; b=r18er56cRHHOCIS+uHqzq/my6JSmvOSqPt4dntjNyHUL+rOfSkryySRqw0+oxTlw5v OG0B8wxXlJZAwfx0BwX8E86HUkERWnzr5IyUAB4/X/9TtjNn06p4N1aIZ2ciQhLYQ8Ul T4Al+0rmp56NXNy5qaVLULNw8FnvEo2mYD07AXyfPHQsDPQhWBhjWJkjtDU91s1wuYwG EXOH8WnHwxxpxdcHxD4Jfywwm3w1a3fB2ZmwsYTvVvDmAE1em0Qx/QLI7WxSvNTy3iv0 7FQEslp2ctn306bbLiFgS5PDU0tDwCPxalNxnY6spqpIqGAvIpsCVh1DDZhO2+WVsEHv 6Gbg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:autocrypt:openpgp:from:references:cc:to :subject; bh=Ooy7iAC4ALGf6XHn32Is09SGJsmtFSz/uv52Tkvhw0Y=; b=aguybvobaL16jFyZWWpx8KukZtOHEDLex1JrNkt/3AaKu9nwL+NLf8BLh9S2NdrU/H yMVve/Od02+JDAWaVfZGMjsnl0rRTNAV1kYQzTW4jnEbdTqtcUy0O6nfnaX7hGTb8D5B DqJt4JCmi9bj8V/ZHAqSkoryUGgwoR6/izUrXL1/g1V/gm3B7k+ASJMf+ci2nMFIxo+E PnvgJQjYmGlBpVsBS4xPKz1H4njmBO6dXd1aTqoOcSE1egEHqzRUm5vRU6S4650hvR5x gFxdCgQa6PmCjtI47+f8oYiNE1m4DnQtLSNd4TEpk70TprRVvQGzwq4jUN/BIPczXxv/ RVHQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of dave.hansen@intel.com designates 134.134.136.126 as permitted sender) smtp.mailfrom=dave.hansen@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from mga18.intel.com (mga18.intel.com. [134.134.136.126]) by mx.google.com with ESMTPS id e14si19060483pff.76.2019.04.05.07.41.40 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 05 Apr 2019 07:41:40 -0700 (PDT) Received-SPF: pass (google.com: domain of dave.hansen@intel.com designates 134.134.136.126 as permitted sender) client-ip=134.134.136.126; Authentication-Results: mx.google.com; spf=pass (google.com: domain of dave.hansen@intel.com designates 134.134.136.126 as permitted sender) smtp.mailfrom=dave.hansen@intel.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by orsmga106.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Apr 2019 07:41:39 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,313,1549958400"; d="scan'208";a="146879397" Received: from skchinnx-mobl.amr.corp.intel.com (HELO [10.254.86.198]) ([10.254.86.198]) by FMSMGA003.fm.intel.com with ESMTP; 05 Apr 2019 07:41:32 -0700 Subject: Re: [RFC PATCH v9 12/13] xpfo, mm: Defer TLB flushes for non-current CPUs (x86 only) To: Thomas Gleixner , Khalid Aziz Cc: Andy Lutomirski , Juerg Haefliger , Tycho Andersen , jsteckli@amazon.de, Andi Kleen , liran.alon@oracle.com, Kees Cook , Konrad Rzeszutek Wilk , deepa.srinivasan@oracle.com, chris hyser , Tyler Hicks , "Woodhouse, David" , Andrew Cooper , Jon Masters , Boris Ostrovsky , kanth.ghatraju@oracle.com, Joao Martins , Jim Mattson , pradeep.vincent@oracle.com, John Haxby , "Kirill A. Shutemov" , Christoph Hellwig , steven.sistare@oracle.com, Laura Abbott , Peter Zijlstra , Aaron Lu , Andrew Morton , alexander.h.duyck@linux.intel.com, Amir Goldstein , Andrey Konovalov , aneesh.kumar@linux.ibm.com, anthony.yznaga@oracle.com, Ard Biesheuvel , Arnd Bergmann , arunks@codeaurora.org, Ben Hutchings , Sebastian Andrzej Siewior , Borislav Petkov , brgl@bgdev.pl, Catalin Marinas , Jonathan Corbet , cpandya@codeaurora.org, Daniel Vetter , Dan Williams , Greg KH , Roman Gushchin , Johannes Weiner , "H. Peter Anvin" , Joonsoo Kim , James Morse , Jann Horn , Juergen Gross , Jiri Kosina , James Morris , Joe Perches , Souptick Joarder , Joerg Roedel , Keith Busch , Konstantin Khlebnikov , Logan Gunthorpe , marco.antonio.780@gmail.com, Mark Rutland , Mel Gorman , Michal Hocko , Michal Hocko , Mike Kravetz , Ingo Molnar , "Michael S. Tsirkin" , Marek Szyprowski , Nicholas Piggin , osalvador@suse.de, "Paul E. McKenney" , pavel.tatashin@microsoft.com, Randy Dunlap , richard.weiyang@gmail.com, Rik van Riel , David Rientjes , Robin Murphy , Steven Rostedt , Mike Rapoport , Sai Praneeth Prakhya , "Serge E. Hallyn" , Steve Capper , thymovanbeers@gmail.com, Vlastimil Babka , Will Deacon , Matthew Wilcox , yang.shi@linux.alibaba.com, yaojun8558363@gmail.com, Huang Ying , zhangshaokun@hisilicon.com, iommu@lists.linux-foundation.org, X86 ML , linux-arm-kernel , "open list:DOCUMENTATION" , LKML , Linux-MM , LSM List , Khalid Aziz References: <4495dda4bfc4a06b3312cc4063915b306ecfaecb.1554248002.git.khalid.aziz@oracle.com> <91f1dbce-332e-25d1-15f6-0e9cfc8b797b@oracle.com> From: Dave Hansen Openpgp: preference=signencrypt Autocrypt: addr=dave.hansen@intel.com; keydata= mQINBE6HMP0BEADIMA3XYkQfF3dwHlj58Yjsc4E5y5G67cfbt8dvaUq2fx1lR0K9h1bOI6fC oAiUXvGAOxPDsB/P6UEOISPpLl5IuYsSwAeZGkdQ5g6m1xq7AlDJQZddhr/1DC/nMVa/2BoY 2UnKuZuSBu7lgOE193+7Uks3416N2hTkyKUSNkduyoZ9F5twiBhxPJwPtn/wnch6n5RsoXsb ygOEDxLEsSk/7eyFycjE+btUtAWZtx+HseyaGfqkZK0Z9bT1lsaHecmB203xShwCPT49Blxz VOab8668QpaEOdLGhtvrVYVK7x4skyT3nGWcgDCl5/Vp3TWA4K+IofwvXzX2ON/Mj7aQwf5W iC+3nWC7q0uxKwwsddJ0Nu+dpA/UORQWa1NiAftEoSpk5+nUUi0WE+5DRm0H+TXKBWMGNCFn c6+EKg5zQaa8KqymHcOrSXNPmzJuXvDQ8uj2J8XuzCZfK4uy1+YdIr0yyEMI7mdh4KX50LO1 pmowEqDh7dLShTOif/7UtQYrzYq9cPnjU2ZW4qd5Qz2joSGTG9eCXLz5PRe5SqHxv6ljk8mb ApNuY7bOXO/A7T2j5RwXIlcmssqIjBcxsRRoIbpCwWWGjkYjzYCjgsNFL6rt4OL11OUF37wL QcTl7fbCGv53KfKPdYD5hcbguLKi/aCccJK18ZwNjFhqr4MliQARAQABtEVEYXZpZCBDaHJp c3RvcGhlciBIYW5zZW4gKEludGVsIFdvcmsgQWRkcmVzcykgPGRhdmUuaGFuc2VuQGludGVs LmNvbT6JAjgEEwECACIFAlQ+9J0CGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGg1 lTBwyZKwLZUP/0dnbhDc229u2u6WtK1s1cSd9WsflGXGagkR6liJ4um3XCfYWDHvIdkHYC1t MNcVHFBwmQkawxsYvgO8kXT3SaFZe4ISfB4K4CL2qp4JO+nJdlFUbZI7cz/Td9z8nHjMcWYF IQuTsWOLs/LBMTs+ANumibtw6UkiGVD3dfHJAOPNApjVr+M0P/lVmTeP8w0uVcd2syiaU5jB aht9CYATn+ytFGWZnBEEQFnqcibIaOrmoBLu2b3fKJEd8Jp7NHDSIdrvrMjYynmc6sZKUqH2 I1qOevaa8jUg7wlLJAWGfIqnu85kkqrVOkbNbk4TPub7VOqA6qG5GCNEIv6ZY7HLYd/vAkVY E8Plzq/NwLAuOWxvGrOl7OPuwVeR4hBDfcrNb990MFPpjGgACzAZyjdmYoMu8j3/MAEW4P0z F5+EYJAOZ+z212y1pchNNauehORXgjrNKsZwxwKpPY9qb84E3O9KYpwfATsqOoQ6tTgr+1BR CCwP712H+E9U5HJ0iibN/CDZFVPL1bRerHziuwuQuvE0qWg0+0SChFe9oq0KAwEkVs6ZDMB2 P16MieEEQ6StQRlvy2YBv80L1TMl3T90Bo1UUn6ARXEpcbFE0/aORH/jEXcRteb+vuik5UGY 5TsyLYdPur3TXm7XDBdmmyQVJjnJKYK9AQxj95KlXLVO38lcuQINBFRjzmoBEACyAxbvUEhd GDGNg0JhDdezyTdN8C9BFsdxyTLnSH31NRiyp1QtuxvcqGZjb2trDVuCbIzRrgMZLVgo3upr MIOx1CXEgmn23Zhh0EpdVHM8IKx9Z7V0r+rrpRWFE8/wQZngKYVi49PGoZj50ZEifEJ5qn/H Nsp2+Y+bTUjDdgWMATg9DiFMyv8fvoqgNsNyrrZTnSgoLzdxr89FGHZCoSoAK8gfgFHuO54B lI8QOfPDG9WDPJ66HCodjTlBEr/Cwq6GruxS5i2Y33YVqxvFvDa1tUtl+iJ2SWKS9kCai2DR 3BwVONJEYSDQaven/EHMlY1q8Vln3lGPsS11vSUK3QcNJjmrgYxH5KsVsf6PNRj9mp8Z1kIG qjRx08+nnyStWC0gZH6NrYyS9rpqH3j+hA2WcI7De51L4Rv9pFwzp161mvtc6eC/GxaiUGuH BNAVP0PY0fqvIC68p3rLIAW3f97uv4ce2RSQ7LbsPsimOeCo/5vgS6YQsj83E+AipPr09Caj 0hloj+hFoqiticNpmsxdWKoOsV0PftcQvBCCYuhKbZV9s5hjt9qn8CE86A5g5KqDf83Fxqm/ vXKgHNFHE5zgXGZnrmaf6resQzbvJHO0Fb0CcIohzrpPaL3YepcLDoCCgElGMGQjdCcSQ+Ci FCRl0Bvyj1YZUql+ZkptgGjikQARAQABiQIfBBgBAgAJBQJUY85qAhsMAAoJEGg1lTBwyZKw l4IQAIKHs/9po4spZDFyfDjunimEhVHqlUt7ggR1Hsl/tkvTSze8pI1P6dGp2XW6AnH1iayn yRcoyT0ZJ+Zmm4xAH1zqKjWplzqdb/dO28qk0bPso8+1oPO8oDhLm1+tY+cOvufXkBTm+whm +AyNTjaCRt6aSMnA/QHVGSJ8grrTJCoACVNhnXg/R0g90g8iV8Q+IBZyDkG0tBThaDdw1B2l asInUTeb9EiVfL/Zjdg5VWiF9LL7iS+9hTeVdR09vThQ/DhVbCNxVk+DtyBHsjOKifrVsYep WpRGBIAu3bK8eXtyvrw1igWTNs2wazJ71+0z2jMzbclKAyRHKU9JdN6Hkkgr2nPb561yjcB8 sIq1pFXKyO+nKy6SZYxOvHxCcjk2fkw6UmPU6/j/nQlj2lfOAgNVKuDLothIxzi8pndB8Jju KktE5HJqUUMXePkAYIxEQ0mMc8Po7tuXdejgPMwgP7x65xtfEqI0RuzbUioFltsp1jUaRwQZ MTsCeQDdjpgHsj+P2ZDeEKCbma4m6Ez/YWs4+zDm1X8uZDkZcfQlD9NldbKDJEXLIjYWo1PH hYepSffIWPyvBMBTW2W5FRjJ4vLRrJSUoEfJuPQ3vW9Y73foyo/qFoURHO48AinGPZ7PC7TF vUaNOTjKedrqHkaOcqB185ahG2had0xnFsDPlx5y Message-ID: <26b00051-b03c-9fce-1446-52f0d6ed52f8@intel.com> Date: Fri, 5 Apr 2019 07:44:09 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 4/5/19 12:17 AM, Thomas Gleixner wrote: >> process. Is that an acceptable trade-off? > You are not seriously asking whether creating a user controllable ret2dir > attack window is a acceptable trade-off? April 1st was a few days ago. Well, let's not forget that this set at least takes us from "always vulnerable to ret2dir" to a choice between: 1. fast-ish and "vulnerable to ret2dir for a user-controllable window" 2. slow and "mitigated against ret2dir" Sounds like we need a mechanism that will do the deferred XPFO TLB flushes whenever the kernel is entered, and not _just_ at context switch time. This permits an app to run in userspace with stale kernel TLB entries as long as it wants... that's harmless. But, if it enters the kernel, we could process the deferred flush there. The concern would be catching all the kernel entry paths (PTI does this today obviously, but I don't think we want to muck with the PTI code for this). The other concern would be that the code between kernel entry and the flush would be vulnerable. But, that seems like a reasonable trade-off to me. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Hansen Subject: Re: [RFC PATCH v9 12/13] xpfo, mm: Defer TLB flushes for non-current CPUs (x86 only) Date: Fri, 5 Apr 2019 07:44:09 -0700 Message-ID: <26b00051-b03c-9fce-1446-52f0d6ed52f8@intel.com> References: <4495dda4bfc4a06b3312cc4063915b306ecfaecb.1554248002.git.khalid.aziz@oracle.com> <91f1dbce-332e-25d1-15f6-0e9cfc8b797b@oracle.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: Content-Language: en-US List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: iommu-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org To: Thomas Gleixner , Khalid Aziz Cc: Catalin Marinas , Will Deacon , steven.sistare-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org, Christoph Hellwig , Tycho Andersen , Andi Kleen , aneesh.kumar-tEXmvtCZX7AybS5Ee8rs3A@public.gmane.org, James Morris , David Rientjes , anthony.yznaga-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org, Rik van Riel , Nicholas Piggin , Mike Rapoport , Andy Lutomirski , Greg KH , Randy Dunlap , LKML , Souptick Joarder , Jiri Kosina , Joe Perches , arunks-sgV2jX0FEOL9JmXXK+q4OQ@public.gmane.org, Andrew Morton , "Woodhouse, David" , Mark Rutland , "open list:DOCUMENTATION" List-Id: iommu@lists.linux-foundation.org On 4/5/19 12:17 AM, Thomas Gleixner wrote: >> process. Is that an acceptable trade-off? > You are not seriously asking whether creating a user controllable ret2dir > attack window is a acceptable trade-off? April 1st was a few days ago. Well, let's not forget that this set at least takes us from "always vulnerable to ret2dir" to a choice between: 1. fast-ish and "vulnerable to ret2dir for a user-controllable window" 2. slow and "mitigated against ret2dir" Sounds like we need a mechanism that will do the deferred XPFO TLB flushes whenever the kernel is entered, and not _just_ at context switch time. This permits an app to run in userspace with stale kernel TLB entries as long as it wants... that's harmless. But, if it enters the kernel, we could process the deferred flush there. The concern would be catching all the kernel entry paths (PTI does this today obviously, but I don't think we want to muck with the PTI code for this). The other concern would be that the code between kernel entry and the flush would be vulnerable. But, that seems like a reasonable trade-off to me.