Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751883AbeADBNq (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 3 Jan 2018 20:13:46 -0500
Received: from mail-ot0-f193.google.com ([74.125.82.193]:39927 "EHLO
        mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751512AbeADBNo (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Jan 2018 20:13:44 -0500
X-Google-Smtp-Source: ACJfBosdzkZXF96YAQ2lvd/G0qnsyvPJ3ORaWxJe/oxBvWtprapNmibbFV0UpuBfXdrKR6D/FnDeJxou436xQyXNyKM=
MIME-Version: 1.0
In-Reply-To: <20180104010754.22ca6a74@alans-desktop>
References: <20180103223827.39601-1-mark.rutland@arm.com> <151502463248.33513.5960736946233335087.stgit@dwillia2-desk3.amr.corp.intel.com>
 <CA+55aFzSYExr33w849=3o+2XGr9pUKpFucc5p-kKbEy20VVLPA@mail.gmail.com> <20180104010754.22ca6a74@alans-desktop>
From: Dan Williams <dan.j.williams@intel.com>
Date: Wed, 3 Jan 2018 17:13:42 -0800
Message-ID: <CAPcyv4ge14OPyfoQvXHLyXwqX7cjWvm4DouUOc=WrNo1Lr9Qyw@mail.gmail.com>
Subject: Re: [RFC PATCH] asm/generic: introduce if_nospec and nospec_barrier
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        linux-arch@vger.kernel.org, Peter Zijlstra <peterz@infradead.org>,
        Greg KH <gregkh@linuxfoundation.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Elena Reshetova <elena.reshetova@intel.com>,
        Alan Cox <alan@linux.intel.com>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Julia Lawall <Julia.Lawall@lip6.fr>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

[ adding Julia and Dan ]

On Wed, Jan 3, 2018 at 5:07 PM, Alan Cox <gnomes@lxorguk.ukuu.org.uk> wrote:
> On Wed, 3 Jan 2018 16:39:31 -0800
> Linus Torvalds <torvalds@linux-foundation.org> wrote:
>
>> On Wed, Jan 3, 2018 at 4:15 PM, Dan Williams <dan.j.williams@intel.com> wrote:
>> > The 'if_nospec' primitive marks locations where the kernel is disabling
>> > speculative execution that could potentially access privileged data. It
>> > is expected to be paired with a 'nospec_{ptr,load}' where the user
>> > controlled value is actually consumed.
>>
>> I'm much less worried about these "nospec_load/if" macros, than I am
>> about having a sane way to determine when they should be needed.
>>
>> Is there such a sane model right now, or are we talking "people will
>> randomly add these based on strong feelings"?
>
> There are people trying to tune coverity and other tool rules to identify
> cases, and some of the work so far was done that way. For x86 we didn't
> find too many so far so either the needed pattern is uncommon or ....  8)
>
> Given you can execute over a hundred basic instructions in a speculation
> window it does need to be a tool that can explore not just in function
> but across functions. That's really tough for the compiler itself to do
> without help.
>
> What remains to be seen is if there are other patterns that affect
> different processors.
>
> In the longer term the compiler itself needs to know what is and isn't
> safe (ie you need to be able to write things like
>
> void foo(tainted __user int *x)
>
> and have the compiler figure out what level of speculation it can do and
> (on processors with those features like IA64) when it can and can't do
> various kinds of non-trapping loads.
>

It would be great if coccinelle and/or smatch could be taught to catch
some of these case at least as a first pass "please audit this code
block" type of notification.