Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753600AbeAFUJU (ORCPT + 1 other); Sat, 6 Jan 2018 15:09:20 -0500 Received: from mail-pg0-f54.google.com ([74.125.83.54]:40360 "EHLO mail-pg0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752550AbeAFUJS (ORCPT ); Sat, 6 Jan 2018 15:09:18 -0500 X-Google-Smtp-Source: ACJfBouaAs9clCQAhzNDGU3+9G9xqccSbruUcY1BonN2E7mK/gdrQMlbr86mOvST0t32lSy28vA70A== Date: Sat, 6 Jan 2018 12:09:13 -0800 From: Alexei Starovoitov To: Alan Cox Cc: Linus Torvalds , Dan Williams , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, Andi Kleen , Arnd Bergmann , Greg Kroah-Hartman , Peter Zijlstra , netdev@vger.kernel.org, Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner Subject: Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok Message-ID: <20180106200912.zhzdt4qmfrojeeqe@ast-mbp> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520102670.32271.8447983009852138826.stgit@dwillia2-desk3.amr.corp.intel.com> <20180106123242.77f4d860@alans-desktop> <20180106181331.mmrqwwbu2jcjj2si@ast-mbp> <20180106183859.1ad9ae37@alans-desktop> <20180106185134.dzn2en4vw2hj3p6h@ast-mbp> <20180106195551.3207f75d@alans-desktop> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180106195551.3207f75d@alans-desktop> User-Agent: NeoMutt/20170421 (1.8.2) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Sat, Jan 06, 2018 at 07:55:51PM +0000, Alan Cox wrote: > > cpus execute what they see. speculative execution does the same > > except results are not committed to visible registers and stay > > in renanmed/shadow set. There is no 'undo' of the speculative execution. > > The whole issue is that cache and branch predictor don't have > > a shadow unlike registers. > > Can I suggest you read something like "Exploitig Value Locaity to Exceed > The Dataflow Limit" by Lipasti and Shen 1996. thanks for the pointer. A quote from above paper: "Value prediction consists of predicting entire 32- and 64-bit register values based on previously-seen values" > In other words there are at least two problems with Linus proposal > > 1. The ffff/0000 mask has to be generated and that has to involve > speculative flows. to answer above and Thomas's "For one particular architecture and that's not a solution for generic code." The following: #define array_access(base, idx, max) ({ \ union { typeof(base[0]) _val; unsigned long _bit; } __u;\ unsigned long _i = (idx); \ unsigned long _m = (max); \ unsigned long _mask = ~(long)(_m - 1 - _i) >> 63; \ __u._val = base[_i & _mask]; \ __u._bit &= _mask; \ __u._val; }) is generic and no speculative flows. > 2. There are processors on the planet that may speculate not just what > instruction to execute but faced with a stall on an input continue by > using an educated guess at the value that will appear at the input in > future. correct. that's why earlier I mentioned that "if 'mask' cannot be influenced by attacker". Even if 'mask' in 'index & mask' example is a stall the educated guess will come from the prior value (according to the quoted paper) To be honest I haven't read that particular paper in the past, but abstracts fits my understanding and this array_access() proposal. Thanks for the pointer. Will read it fully to make sure I didn't miss anything.