Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1434880AbdDZEpy (ORCPT <rfc822;w@1wt.eu>);
        Wed, 26 Apr 2017 00:45:54 -0400
Received: from mx2.suse.de ([195.135.220.15]:54819 "EHLO mx1.suse.de"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1430559AbdDZEpq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 26 Apr 2017 00:45:46 -0400
Subject: Re: [PATCH] x86/amd: don't set X86_BUG_SYSRET_SS_ATTRS if forced to
 zero
To: Borislav Petkov <bp@alien8.de>
References: <20170425180014.7533-1-jgross@suse.com>
 <20170425182443.3ab75tkfosol2yk4@pd.tnic>
 <f3cf034d-1a26-cfce-cf67-ebaa3b377cfc@suse.com>
 <20170425191809.uvdt4jimnbvqbyf2@pd.tnic>
Cc: linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
        x86@kernel.org, boris.ostrovsky@oracle.com, hpa@zytor.com,
        tglx@linutronix.de, mingo@redhat.com
From: Juergen Gross <jgross@suse.com>
Message-ID: <24b7ab61-69e6-192e-5bb7-2ef5cdaa28c3@suse.com>
Date: Wed, 26 Apr 2017 06:45:42 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <20170425191809.uvdt4jimnbvqbyf2@pd.tnic>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1159
Lines: 35

On 25/04/17 21:18, Borislav Petkov wrote:
> On Tue, Apr 25, 2017 at 08:34:34PM +0200, Juergen Gross wrote:
>> And what happens when there is a scheduling event right here?
>> __switch_to() will see X86_BUG_SYSRET_SS_ATTRS set and take a wrong
>> path.
> 
> So the whole thing we're doing right now is wrong: set bit and then
> clear bit.

Right. And this is handled by my patch.

The really clean solution would be to add this test to set_cpu_bug()
et al. Don't set/clear the bit if anyone selected to force a value.
The force variants would be capable to overwrite, the normal variants
wouldn't. This would require a lot of research to avoid pitfalls with
today's handling, though. OTOH one could remove all the calls to
apply_forced_caps().

> 
> We should not set the bit at all and there won't be any window to get it
> wrong.
> 
> So can we do something like this instead:
> 
> 	if (!cpu_has(c, X86_FEATURE_XENPV))
> 		set_cpu_bug(c, X86_BUG_SYSRET_SS_ATTRS);
> 
> or is XENPV the wrong thing to test?

This would work. OTOH I'd prefer to test whether the bit should be
forced to remain zero than use the knowledge _who_ is trying to force
it.


Juergen