Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753075AbcLBXKH (ORCPT <rfc822;w@1wt.eu>);
        Fri, 2 Dec 2016 18:10:07 -0500
Received: from mail-io0-f194.google.com ([209.85.223.194]:35887 "EHLO
        mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751307AbcLBXKG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 2 Dec 2016 18:10:06 -0500
MIME-Version: 1.0
In-Reply-To: <CALCETrWu2PE2BWLzy28Fn3AEov5PJi=XOqVgf7ZSda1m7b35MQ@mail.gmail.com>
References: <cover.1480638597.git.luto@kernel.org> <cover.1480536936.git.luto@kernel.org>
 <0a21157c2233ba7d0781bbf07866b3f2d7e7c25d.1480638597.git.luto@kernel.org>
 <CA+55aFw3P++jGbRhkrM3MyqwZZ3mxmxQTC1BfYS2rhw6P3LKNA@mail.gmail.com>
 <CALCETrXCLLW9pd=h7dZ0u2oBSiRBJOBkxvEq2iz=Z8aTVtrZ=w@mail.gmail.com>
 <20161202180343.gehqor7lgtmzwqq3@pd.tnic> <CA+55aFyHptQ3=gjXA_LGGkvOgsRB9FBXvCT56fG4UqcFV4wFsA@mail.gmail.com>
 <20161202185008.tdziqrzi4a3axord@pd.tnic> <CA+55aFxuhzE0woFyRjZ8=Ji1EPR1+MohrbDm=2AiQH50dsptjg@mail.gmail.com>
 <20161202192050.l5l3rcwems6hptub@pd.tnic> <CA+55aFydg4RDv8a-Wpf=TyzPN59kONcUdCkk1KcSNMW_2Uix_g@mail.gmail.com>
 <CALCETrVtEg256EPMbp1j8RkbaMJNtNge6-h0EoZ3HmRo6DZCLQ@mail.gmail.com>
 <CA+55aFwwa_A3RfodonHVDz+2xZ0+x+=MRPCVDqTkaG96SV5ZoQ@mail.gmail.com>
 <CALCETrXo1zLXcRX-tF-MQ5qa7sLrKoAYdn5ox-F-kp-3JhPaXg@mail.gmail.com>
 <CA+55aFzeri_owd61Y+8EO9OjO5XJxZhHHrU=evN8moaiR+atUQ@mail.gmail.com> <CALCETrWu2PE2BWLzy28Fn3AEov5PJi=XOqVgf7ZSda1m7b35MQ@mail.gmail.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Fri, 2 Dec 2016 15:09:57 -0800
X-Google-Sender-Auth: OuMo14R7BXBGI5TWNjaL5P0Ob1Q
Message-ID: <CA+55aFxMenPUpkFCKKmYpa-4RQnr6BvwD685W_bVT9da3ibFLg@mail.gmail.com>
Subject: Re: [PATCH v2 5/6] x86/xen: Add a Xen-specific sync_core() implementation
To: Andy Lutomirski <luto@amacapital.net>
Cc: Borislav Petkov <bp@alien8.de>, Borislav Petkov <bp@kernel.org>,
        Andy Lutomirski <luto@kernel.org>, Peter Anvin <hpa@zytor.com>,
        "the arch/x86 maintainers" <x86@kernel.org>,
        One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        Brian Gerst <brgerst@gmail.com>,
        Matthew Whitehead <tedheadster@gmail.com>,
        Henrique de Moraes Holschuh <hmh@hmh.eng.br>,
        Peter Zijlstra <peterz@infradead.org>,
        Andrew Cooper <andrew.cooper3@citrix.com>
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2423
Lines: 56

On Fri, Dec 2, 2016 at 2:55 PM, Andy Lutomirski <luto@amacapital.net> wrote:
>>
>> Honestly, I think Intel should clean up their documentation.
>
> I'm not sure I follow.  If a user program gets migrated, it might end
> up doing cross-modification when it expects self-modification.  If
> that trips the program up, is that a user bug or a kernel bug?

Well, the user may not see it as a cross-modification.

Example: user compiles a program, and writes out the new binary. That
write goes to the page cache.

The user then immediately executes that program.

It's technically a "cross modification", because the build that wrote
the page cache ran on one CPU, and then it gets loaded on another.

Not, page faulting the binary does bring in a known serializing
instruction: iret.

But let's theorize that we have your "optimistic sysret" return path
because sometimes it can happen. So the "iret" isn't exactly
fundamental.

But we know we will write %cr2, which is a serializing instruction.

But that's not fundamental either, because we <i>could</i> just have a
program just load the object file into its own address space using the
dynamic linker. And if you don't unmap anything, there won't be any
TLB flushes.

Now, that is safe <i>too</I>, but by then we're not even relying on
simply the fact that the code couldn't even have been in any virtual
caches in the running environment, so it _must_ have come from the
physically indexed data cache. So no actual serializing instruction
even _needed_.

So there is no room for any cache I$ coherency issue at any point, but
note how we got to the point where we're now basically depending on
some fairly fundamental logic that is not in the Intel documentation?

THAT is what I don't like. I don't doubt for a moment that what we're
doing is entirely coherent, and we're fine. But the intel memory
ordering documentation simply doesn't cover this situation at all. The
"real" memory ordering documentation only covers the normal data
cache. And then they handwave the "self-modifying code" situation with
incomplete examples and just bullshit "you need a serializing
instruction", which clearly isn't actually the case, and is also
something that we very much don't even do.

It would be better if here was actual documentation, and we had some
nice clear "yeah, we don't need any stinking serializing instructions,
because we're already doing X".

              Linus