From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752577AbdLLTBZ (ORCPT); Tue, 12 Dec 2017 14:01:25 -0500
Received: from mail-io0-f196.google.com ([209.85.223.196]:33619 "EHLO mail-io0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752306AbdLLTBU (ORCPT); Tue, 12 Dec 2017 14:01:20 -0500
X-Google-Smtp-Source: ACJfBosIStRLnk4AUbNbhhDlYNrimUwhYDHNhBDSyOmBU7tHLOiXzyDlX/HukqaLMF8ABFrRrHUxecOR5XFgEnFQVjM=
MIME-Version: 1.0
In-Reply-To: <20171212173334.345422294@linutronix.de>
References: <20171212173221.496222173@linutronix.de> <20171212173334.345422294@linutronix.de>
From: Linus Torvalds
Date: Tue, 12 Dec 2017 11:01:18 -0800
X-Google-Sender-Auth: ycYn2yhpKQ6Q5X1YqrT4lLC69OU
Message-ID:
Subject: Re: [patch 13/16] x86/ldt: Introduce LDT write fault handler
To: Thomas Gleixner
Cc: LKML, the arch/x86 maintainers, Andy Lutomirsky, Peter Zijlstra, Dave Hansen, Borislav Petkov, Greg KH, Kees Cook, Hugh Dickins, Brian Gerst, Josh Poimboeuf, Denys Vlasenko, Boris Ostrovsky, Juergen Gross, David Laight, Eduardo Valentin, "Liguori, Anthony", Will Deacon, linux-mm
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 12, 2017 at 9:32 AM, Thomas Gleixner wrote:
> From: Thomas Gleixner
>
> When the LDT is mapped RO, the CPU will write fault the first time it uses
> a segment descriptor in order to set the ACCESS bit (for some reason it
> doesn't always observe that it is already preset). Catch the fault and set the
> ACCESS bit in the handler.

This really scares me.

We use segments in some critical code in the kernel, like the whole percpu
data etc. Stuff that definitely shouldn't fault.

Yes, those segments should damn well be already marked accessed when the
segment is loaded, but apparently that isn't reliable.

So it potentially takes faults in random and very critical places. It's
probably dependent on microarchitecture on exactly when the cached segment
copy has the accessed bit set or not.

Also, I worry about crazy errata with TSS etc - this whole RO LDT thing also
introduces lots of possible new fault points in microcode that nobody sane
has ever done before, no?

> +	desc = (struct desc_struct *) ldt->entries;
> +	entry = (address - start) / LDT_ENTRY_SIZE;
> +	desc[entry].type |= 0x01;

This is also pretty disgusting. Why isn't it just something like

	desc = (void *)(address & ~(LDT_ENTRY_SIZE-1));
	desc->type |= 0x01;

since the ldt should all be aligned anyway.

              Linus
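Review bot: `entry = (address - start) / LDT_ENTRY_SIZE` indexes `ldt->entries` with a value derived from the faulting address, and nothing in these three lines shows that `address` has already been checked to lie within the mapped LDT (at or above `start` and below the end of the table); either the range check should be visible here or a comment should name where it is done. The same comment should say why the write goes through `ldt->entries` rather than through the faulting address itself (presumably because `address` is in the read-only mapping and `ldt->entries` is the kernel's writable view of the same table), since without that the index arithmetic reads as an avoidable detour around a simple mask of `address`.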
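As an added illustration (not code from the patch or from Linus's reply), the user-space C mock below shows the two descriptor lookups the thread compares, index arithmetic from the mapping base versus masking the fault address, together with the range check a practitioner would want in front of either; the table, `ldt_fixup_accessed` and `demo_fault_at_offset` are hypothetical names, and in the mock the faulting address and the writable pointer refer to the same table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define LDT_ENTRY_SIZE 8
#define LDT_ENTRIES    4   /* constructed: a four-entry table for the demo */
/* Layout of the kernel's struct desc_struct: accessed = type bit 0 = raw bit 40. */
struct desc_struct {
    uint16_t limit0;
    uint16_t base0;
    uint16_t base1 : 8, type : 4, s : 1, dpl : 2, p : 1;
    uint16_t limit1 : 4, avl : 1, l : 1, d : 1, g : 1, base2 : 8;
};

/* Mock LDT (assumed: in the mock the faulting address and the writable pointer
 * refer to the same table; the real handler writes through ldt->entries). */
static struct desc_struct ldt_entries[LDT_ENTRIES] __attribute__((aligned(LDT_ENTRY_SIZE)));

/* Hypothetical fixup: set the accessed bit of the descriptor that contains the
 * faulting address.  Returns false if the address lies outside the table. */
bool ldt_fixup_accessed(uintptr_t address, uintptr_t start,
                        struct desc_struct *entries, size_t nr_entries)
{
    if (address < start || address - start >= nr_entries * LDT_ENTRY_SIZE)
        return false;
    size_t entry = (address - start) / LDT_ENTRY_SIZE;             /* patch's form */
    uintptr_t masked = address & ~(uintptr_t)(LDT_ENTRY_SIZE - 1); /* mask form */
    if (masked != start + entry * LDT_ENTRY_SIZE)   /* equal whenever start is aligned */
        return false;
    entries[entry].type |= 0x01;
    return true;
}

/* Demo: fault at byte offset off from the table base; return the index of the one
 * entry whose raw bit 40 got set, -1 if not handled, -2 if several were changed. */
int demo_fault_at_offset(size_t off)
{
    memset(ldt_entries, 0, sizeof ldt_entries);
    uintptr_t base = (uintptr_t)ldt_entries;
    if (!ldt_fixup_accessed(base + off, base, ldt_entries, LDT_ENTRIES))
        return -1;
    int hit = -1;
    for (int i = 0; i < LDT_ENTRIES; i++) {          /* find the touched entry */
        uint64_t raw;
        memcpy(&raw, &ldt_entries[i], sizeof raw);
        if ((raw >> 40) & 1) hit = (hit == -1) ? i : -2;
    }
    return hit;
}
```

A fault anywhere inside the 8-byte descriptor (offset 13 lands in entry 1) flips exactly that entry's accessed bit, while an address one byte past the table is rejected instead of indexing out of bounds.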