From: "Luck, Tony" <tony.luck@intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>, X86 ML <x86@kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Oleg Nesterov <oleg@redhat.com>, Andi Kleen <andi@firstfloor.org>
Subject: RE: [RFC PATCH] x86, entry: Switch stacks on a paranoid entry from userspace
Date: Wed, 12 Nov 2014 01:06:06 +0000
Message-ID: <3908561D78D1C84285E8C5FCA982C28F3292A157@ORSMSX114.amr.corp.intel.com>
In-Reply-To: <CALCETrUU3vSLBVMpsma=8OqOZLRKUYBM19_94tkeZ7aWCEyhog@mail.gmail.com>
> I've thought about one sneaky option. If we can reliably determine
> that we're an innocent bystander of a broadcast #MC, can we send an
> IPI-to-self and return without clearing MCIP? Then we get another
> interrupt as soon as interrupts are enabled, and we can clear MCIP at
> a time when we're definitely not running on the IST stack.

Innocent bystanders have RIPV=1, EIPV=0 in MCG_STATUS ... so they
are quite easy to spot. Perhaps we might look at subverting the silly
broadcast by just having them immediately clear MCG_STATUS and iret
(i.e. not go to do_machine_check() at all). That would require lots of
surgery to do_machine_check() and friends - now it wouldn't be sure
how many processors to expect to show up. It also opens a different
window - once they are back running normal code they might trip another
machine check while the victims of the first are still processing - so
another "boom, you're dead". The advantage of hitting everyone
with the machine check is that it lessens the chance that another will
happen as everyone is running looking at a few pages of kernel code
& data.

The worrying part in that is "as soon as interrupts are enabled". Until
we do clear MCIP we're sitting in a mode where another machine check
means instant death, no saving throw. Nominally better than the "we'll
mess the stack up for you" that we are trying to avoid - but the old window
is quite short and known to be bounded. The new one might be a lot bigger.

-Tony
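As an added illustration of the two points Tony makes above (this is example code written for this page, not code from the thread or from the kernel): a constructed C model of the MCG_STATUS bits used to tell bystanders from victims, and of the "another machine check while MCIP is still set means shutdown" window he is worried about. The MSR number and the RIPV/EIPV/MCIP bit positions are the architectural ones from IA32_MCG_STATUS; `struct sim_cpu` and every `sim_*` function are invented here to model the two return strategies, and do not correspond to kernel functions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* IA32_MCG_STATUS (MSR 0x17A) bits, per the Intel SDM / asm/mce.h. */
#define MSR_IA32_MCG_STATUS 0x17a
#define MCG_STATUS_RIPV (1ULL << 0) /* restart IP valid: can resume */
#define MCG_STATUS_EIPV (1ULL << 1) /* error IP valid: RIP is the fault */
#define MCG_STATUS_MCIP (1ULL << 2) /* machine check in progress */

enum mce_role {
	MCE_BYSTANDER,        /* RIPV=1, EIPV=0: swept up by the broadcast */
	MCE_VICTIM_RESUMABLE, /* RIPV=1, EIPV=1: faulting CPU, restartable */
	MCE_VICTIM_FATAL      /* RIPV=0: interrupted context cannot resume */
};

/* Tony's rule for spotting bystanders, using MCG_STATUS alone. */
enum mce_role classify_mcg_status(uint64_t mcg_status)
{
	bool ripv = mcg_status & MCG_STATUS_RIPV;
	bool eipv = mcg_status & MCG_STATUS_EIPV;

	if (!ripv)
		return MCE_VICTIM_FATAL;
	return eipv ? MCE_VICTIM_RESUMABLE : MCE_BYSTANDER;
}

/* Constructed per-CPU model (not kernel state) of what the thread argues about. */
struct sim_cpu {
	uint64_t mcg_status; /* modelled IA32_MCG_STATUS */
	bool on_ist_stack;   /* still inside the #MC entry on the IST stack */
	bool irqs_enabled;
};

enum mce_outcome { MCE_HANDLED, MCE_SHUTDOWN };

/*
 * Architectural rule: a #MC delivered while MCIP is still set puts the
 * CPU into shutdown. Otherwise the CPU takes the exception: MCIP is set,
 * interrupts are masked and the handler runs on the IST stack.
 */
enum mce_outcome sim_deliver_mce(struct sim_cpu *cpu, uint64_t status_bits)
{
	if (cpu->mcg_status & MCG_STATUS_MCIP)
		return MCE_SHUTDOWN;
	cpu->mcg_status = status_bits | MCG_STATUS_MCIP;
	cpu->on_ist_stack = true;
	cpu->irqs_enabled = false;
	return MCE_HANDLED;
}

/* Existing behaviour: wrmsr(MSR_IA32_MCG_STATUS, 0) before the iret. */
void sim_iret_clearing_mcip(struct sim_cpu *cpu)
{
	cpu->mcg_status = 0;
	cpu->on_ist_stack = false;
}

/* Proposed behaviour: iret with MCIP still set, clear it from a self-IPI. */
void sim_iret_keeping_mcip(struct sim_cpu *cpu)
{
	cpu->on_ist_stack = false;
}

/* The self-IPI only arrives once interrupts are enabled; it clears MCIP then. */
void sim_enable_irqs_and_take_self_ipi(struct sim_cpu *cpu)
{
	cpu->irqs_enabled = true;
	cpu->mcg_status = 0; /* off the IST stack now, safe to clear */
}

/*
 * Window comparison: a bystander takes a #MC, returns from it one of the
 * two ways, and a second #MC lands before interrupts are re-enabled.
 * Returns the outcome of that second #MC.
 */
enum mce_outcome sim_second_mce_before_irqs_on(bool defer_mcip_clear)
{
	struct sim_cpu cpu = { 0 };
	uint64_t bystander = MCG_STATUS_RIPV; /* RIPV=1, EIPV=0 */

	if (sim_deliver_mce(&cpu, bystander) != MCE_HANDLED)
		return MCE_SHUTDOWN;
	if (defer_mcip_clear)
		sim_iret_keeping_mcip(&cpu);
	else
		sim_iret_clearing_mcip(&cpu);
	/* Back in normal code, irqs still masked: another #MC arrives here. */
	return sim_deliver_mce(&cpu, bystander);
}

int main(void)
{
	printf("clear MCIP in handler, second #MC: %s\n",
	       sim_second_mce_before_irqs_on(false) == MCE_HANDLED ? "handled" : "shutdown");
	printf("defer MCIP clear,      second #MC: %s\n",
	       sim_second_mce_before_irqs_on(true) == MCE_HANDLED ? "handled" : "shutdown");
	return 0;
}
```

One caveat on the classifier, added here rather than taken from the thread: RIPV=1, EIPV=0 is also what a victim sees for a recoverable error whose faulting instruction is not the current RIP (the SRAO class, where the error is recorded in an MCi_STATUS bank with VAL set), so a real handler also has to check the bank status registers before treating a CPU as a bystander; MCG_STATUS alone is a first filter, not the whole decision.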