linux-kernel.vger.kernel.org archive mirror
From: Jakob Koschel <jakobkoschel@gmail.com>
To: Vladimir Oltean <olteanv@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>,
	Florian Fainelli <f.fainelli@gmail.com>,
	Lars Povlsen <lars.povlsen@microchip.com>,
	Steen Hegelund <Steen.Hegelund@microchip.com>,
	UNGLinuxDriver@microchip.com, Ariel Elior <aelior@marvell.com>,
	Manish Chopra <manishc@marvell.com>,
	Edward Cree <ecree.xilinx@gmail.com>,
	Martin Habets <habetsm.xilinx@gmail.com>,
	Michael Ellerman <mpe@ellerman.id.au>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Paul Mackerras <paulus@samba.org>, Jiri Pirko <jiri@resnulli.us>,
	Casper Andersson <casper.casan@gmail.com>,
	Bjarni Jonasson <bjarni.jonasson@microchip.com>,
	Colin Ian King <colin.king@intel.com>,
	Michael Walle <michael@walle.cc>,
	Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
	Arnd Bergmann <arnd@arndb.de>, Eric Dumazet <edumazet@google.com>,
	Di Zhu <zhudi21@huawei.com>, Xu Wang <vulab@iscas.ac.cn>,
	Netdev <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>,
	linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
	Mike Rapoport <rppt@kernel.org>,
	Brian Johannesmeyer <bjohannesmeyer@gmail.com>,
	Cristiano Giuffrida <c.giuffrida@vu.nl>,
	"Bos, H.J." <h.j.bos@vu.nl>
Subject: Re: [PATCH net-next 02/15] net: dsa: sja1105: Remove usage of iterator for list_add() after loop
Date: Sun, 10 Apr 2022 20:24:37 +0200
Message-ID: <C88FE232-417C-4029-A79E-9A7E807D2FE7@gmail.com>
In-Reply-To: <935062D0-C657-4C79-A0BE-70141D052EC0@gmail.com>



> On 10. Apr 2022, at 14:39, Jakob Koschel <jakobkoschel@gmail.com> wrote:
> 
> 
> 
>> On 10. Apr 2022, at 13:05, Vladimir Oltean <olteanv@gmail.com> wrote:
>> 
>> On Sun, Apr 10, 2022 at 12:51:56PM +0200, Jakob Koschel wrote:
>>> I've just looked at this again in a bit more detail while integrating it into the patch series.
>>> 
>>> I realized that this just shifts the 'problem' to using the 'pos' iterator variable after the loop.
>>> If the scope of the list iterator would be lowered to the list traversal loop it would also make sense
>>> to also do it for list_for_each().
>> 
>> Yes, but list_for_each() was never formulated as being problematic in
>> the same way as list_for_each_entry(), was it? I guess I'm starting to
>> not understand what is the true purpose of the changes.
> 
> Sorry for having caused the confusion. Let me elaborate a bit to give more context.
> 
> There are two main benefits of this entire effort.
> 
> 1) fix the architectural bugs and avoid any misuse of the list iterator after the loop
> by construction. This only concerns the list_for_each_entry_*() macros and your change
> will allow lowering the scope for all of those. It might be debatable that it would be
> more consistent to lower the scope for list_for_each() as well, but it wouldn't be
> strictly necessary.
> 
> 2) fix *possible* speculative bugs. In our project, Kasper [1], we were able to show
> that this can be an issue for the list traversal macros (and this is how the entire
> effort started).
> The reason is that the processor might run an additional loop iteration in speculative
> execution with the iterator variable computed based on the head element. This can
> (and we have verified this) happen if the CPU incorrectly 
> assumes !list_entry_is_head(pos, head, member).
> 
> If this happens, all memory accesses based on the iterator variable *potentially* open
> the chance for spectre [2] gadgets. The proposed mitigation was setting the iterator variable
> to NULL when the terminating condition is reached (in speculative safe way). Then,
> the additional speculative list iteration would still execute but won't access any
> potential secret data.
> 
> And this would also be required for list_for_each() since combined with the list_entry()
> within the loop it basically is semantically identical to list_for_each_entry()
> for the additional speculative iteration.
> 
> Now, I have no strong opinion on going all the way and since 2) is not the main motivation
> for this I'm also fine with sticking to your proposed solution, but it would mean that implementing
> a "speculative safe" list_for_each() will be more difficult in the future since it is using
> the iterator of list_for_each() past the loop.
> 
> I hope this explains the background a bit better.
> 
>> 
>>> What do you think about doing it this way:
>>> 
>>> diff --git a/drivers/net/dsa/sja1105/sja1105_vl.c b/drivers/net/dsa/sja1105/sja1105_vl.c
>>> index b7e95d60a6e4..f5b0502c1098 100644
>>> --- a/drivers/net/dsa/sja1105/sja1105_vl.c
>>> +++ b/drivers/net/dsa/sja1105/sja1105_vl.c
>>> @@ -28,6 +28,7 @@ static int sja1105_insert_gate_entry(struct sja1105_gating_config *gating_cfg,
>>> list_add(&e->list, &gating_cfg->entries);
>>> } else {
>>> struct sja1105_gate_entry *p;
>>> + struct list_head *pos = NULL;
>>> 
>>> list_for_each_entry(p, &gating_cfg->entries, list) {
>>> if (p->interval == e->interval) {
>>> @@ -37,10 +38,14 @@ static int sja1105_insert_gate_entry(struct sja1105_gating_config *gating_cfg,
>>> goto err;
>>> }
>>> 
>>> - if (e->interval < p->interval)
>>> + if (e->interval < p->interval) {
>>> + pos = &p->list;
>>> break;
>>> + }
>>> }
>>> - list_add(&e->list, p->list.prev);
>>> + if (!pos)
>>> + pos = &gating_cfg->entries;
>>> + list_add(&e->list, pos->prev);
>>> }
>>> 
>>> gating_cfg->num_entries++;
>>> --
>>> 
>>>> 
>>>> Thanks for the suggestion.
>>>> 
>>>>> 	}
>>>>> 
>>>>> 	gating_cfg->num_entries++;
>>>>> -----------------------------[ cut here ]-----------------------------
>>>> 
>>>> [1] https://lore.kernel.org/linux-kernel/20220407102900.3086255-12-jakobkoschel@gmail.com/
>>>> 
>>>> 	Jakob
>>> 
>>> Thanks,
>>> Jakob
> 
> Thanks,
> Jakob
> 
> [1] https://www.vusec.net/projects/kasper/
> [2] https://spectreattack.com/spectre.pdf


Btw, I just realized that the if (!pos) is not necessary. This should simply do it:

diff --git a/drivers/net/dsa/sja1105/sja1105_vl.c b/drivers/net/dsa/sja1105/sja1105_vl.c
index b7e95d60a6e4..2d59e75a9e3d 100644
--- a/drivers/net/dsa/sja1105/sja1105_vl.c
+++ b/drivers/net/dsa/sja1105/sja1105_vl.c
@@ -28,6 +28,7 @@ static int sja1105_insert_gate_entry(struct sja1105_gating_config *gating_cfg,
 		list_add(&e->list, &gating_cfg->entries);
 	} else {
+		struct list_head *pos = &gating_cfg->entries;
 		struct sja1105_gate_entry *p;
 
 		list_for_each_entry(p, &gating_cfg->entries, list) {
 			if (p->interval == e->interval) {
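Review bot: The initial value `&gating_cfg->entries` on the added `pos` declaration is what makes the no-break case work, and nothing in the code says so. With `pos` left at the list head, `pos->prev` is the last entry, so a full traversal appends the new entry at the tail. A one-line comment on the declaration saying that the list head is the default insertion point would keep a later cleanup from resetting it to NULL and bringing back the `if (!pos)` fallback.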
@@ -37,10 +38,12 @@ static int sja1105_insert_gate_entry(struct sja1105_gating_config *gating_cfg,
 				goto err;
 			}
 
-			if (e->interval < p->interval)
+			if (e->interval < p->interval) {
+				pos = &p->list;
 				break;
+			}
 		}
-		list_add(&e->list, p->list.prev);
+		list_add(&e->list, pos->prev);
 	}
 
 	gating_cfg->num_entries++;
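Review bot: The added `list_add(&e->list, pos->prev);` can be written as `list_add_tail(&e->list, pos);`, which inserts directly in front of `pos` and drops the extra `->prev` dereference. Both forms put the new entry before the first entry with a larger interval, or at the tail when `pos` is still the list head, but `list_add_tail()` states the "insert before" intent. The removed line used the same `->prev` idiom, so this is optional, but the line is being touched anyway.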
-- 
2.25.1

Thanks,
Jakob

