Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756585AbcLBTDy (ORCPT ); Fri, 2 Dec 2016 14:03:54 -0500 Received: from mail-io0-f193.google.com ([209.85.223.193]:33427 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756164AbcLBTDv (ORCPT ); Fri, 2 Dec 2016 14:03:51 -0500 MIME-Version: 1.0 In-Reply-To: <20161202185008.tdziqrzi4a3axord@pd.tnic> References: <0a21157c2233ba7d0781bbf07866b3f2d7e7c25d.1480638597.git.luto@kernel.org> <20161202180343.gehqor7lgtmzwqq3@pd.tnic> <20161202185008.tdziqrzi4a3axord@pd.tnic> From: Linus Torvalds Date: Fri, 2 Dec 2016 11:03:50 -0800 X-Google-Sender-Auth: F9arx4qXPuDi8bTVvuQnzbyR2_U Message-ID: Subject: Re: [PATCH v2 5/6] x86/xen: Add a Xen-specific sync_core() implementation To: Borislav Petkov Cc: Andy Lutomirski , Peter Anvin , "the arch/x86 maintainers" , One Thousand Gnomes , Borislav Petkov , "linux-kernel@vger.kernel.org" , Brian Gerst , Matthew Whitehead , Henrique de Moraes Holschuh , Peter Zijlstra , Andrew Cooper Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1865 Lines: 45 On Fri, Dec 2, 2016 at 10:50 AM, Borislav Petkov wrote: > > Right, we can try to do something like invalidate_icache() or so in > there with the JMP so that the BSP refetches modified code and see where > it gets us. I'd really rather rjust mark it noinline with a comment. That way the return from the function acts as the control flow change. > The good thing is, the early patching paths run before SMP is > up but from looking at load_module(), for example, which does > post_relocation()->module_finalize()->apply_alternatives(), this can > happen late. > > Now there I'd like to avoid other cores walking into that address being > patched. Or are we "safe" there in the sense that load_module() happens > on one CPU only sequentially? (I haven't looked at that code to see > what's going on there, actually). 'sync_core()' doesn't help for other CPU's anyway, you need to do the cross-call IPI. So worrying about other CPU's is *not* a valid reason to keep a "sync_core()" call. Seriously, the only reason I can see for "sync_core()" really is: - some deep non-serialized MSR access or similar (ie things like firmware loading etc really might want it, and a mchine check might want it) - writing to one virtual address, and then executing from another. We do this for (a) user mode (of course) and (b) text_poke(), but text_poke() is a whole different dance. but I may have forgotten some other case. The issues with modifying code while another CPU may be just about to access it is a separate issue. And as noted, "sync_core()" is not sufficient for that, you have to do a whole careful dance with single-byte debug instruction writes and then a final cross-call. See the whole "text_poke_bp()" and "text_poke()" for *that* whole dance. That's a much more complex thing from the normal apply_alternatives(). Linus