From: Paul Turner
Date: Mon, 8 Jan 2018 02:45:40 -0800
Subject: Re: [PATCH v6 00/10] Retpoline: Avoid speculative indirect calls in kernel
To: Jiri Kosina
Cc: David Woodhouse, Andi Kleen, LKML, Linus Torvalds, Greg Kroah-Hartman, Tim Chen, Dave Hansen, Thomas Gleixner, Kees Cook, Rik van Riel, Peter Zijlstra, Andy Lutomirski, One Thousand Gnomes

On Mon, Jan 8, 2018 at 2:38 AM, Jiri Kosina wrote:
> On Mon, 8 Jan 2018, Paul Turner wrote:
>
>> user->kernel in the absence of SMEP:
>> In the absence of SMEP, we must worry about user-generated RSB entries
>> being consumable by kernel execution.
>> Generally speaking, for synchronous execution this will not occur (e.g.
>> syscall, interrupt), however, one important case remains.
>> When we context switch between two threads, we should flush the RSB so that
>> execution generated from the unbalanced return path on the thread that we
>> just scheduled into, cannot consume RSB entries potentially installed by
>> the prior thread.
>
> I am still unclear whether this closes it completely, as when HT is on,
> the RSB is shared between the threads, right? Therefore one thread can
> poison it for the other without even a context switch happening.
See 2.6.1.1 [Replicated resources]:
"The return stack predictor is replicated to improve branch prediction of
return instructions"

(This is part of the reason that the sequence is attractive; its use of the
RSB to control prediction naturally prevents cross-sibling attack.)

> --
> Jiri Kosina
> SUSE Labs