Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753532AbeAIVl4 (ORCPT + 1 other); Tue, 9 Jan 2018 16:41:56 -0500 Received: from mx1.redhat.com ([209.132.183.28]:13310 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753373AbeAIVlx (ORCPT ); Tue, 9 Jan 2018 16:41:53 -0500 Date: Tue, 9 Jan 2018 15:41:49 -0600 From: Josh Poimboeuf To: Linus Torvalds Cc: Dan Williams , Linux Kernel Mailing List , linux-arch@vger.kernel.org, Andi Kleen , Arnd Bergmann , Greg Kroah-Hartman , Peter Zijlstra , Network Development , the arch/x86 maintainers , Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner , Alan Cox Subject: Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok Message-ID: <20180109214149.yo3tnjesezgz63x4@treble> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520102670.32271.8447983009852138826.stgit@dwillia2-desk3.amr.corp.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.6.0.1 (2016-04-01) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Tue, 09 Jan 2018 21:41:53 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Fri, Jan 05, 2018 at 06:52:07PM -0800, Linus Torvalds wrote: > On Fri, Jan 5, 2018 at 5:10 PM, Dan Williams wrote: > > From: Andi Kleen > > > > When access_ok fails we should always stop speculating. > > Add the required barriers to the x86 access_ok macro. > > Honestly, this seems completely bogus. > > The description is pure garbage afaik. > > The fact is, we have to stop speculating when access_ok() does *not* > fail - because that's when we'll actually do the access. And it's that > access that needs to be non-speculative. > > That actually seems to be what the code does (it stops speculation > when __range_not_ok() returns false, but access_ok() is > !__range_not_ok()). But the explanation is crap, and dangerous. The description also seems to be missing the "why", as it's not self-evident (to me, at least). Isn't this (access_ok/uaccess_begin/ASM_STAC) too early for the lfence? i.e., wouldn't the pattern be: get_user(uval, uptr); if (uval < array_size) { lfence(); foo = a2[a1[uval] * 256]; } Shouldn't the lfence come much later, *after* reading the variable and comparing it and branching accordingly? -- Josh