Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757438AbeAIWfv (ORCPT + 1 other); Tue, 9 Jan 2018 17:35:51 -0500 Received: from mail-oi0-f47.google.com ([209.85.218.47]:40740 "EHLO mail-oi0-f47.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755735AbeAIWft (ORCPT ); Tue, 9 Jan 2018 17:35:49 -0500 X-Google-Smtp-Source: ACJfBovOo1578Jhj37Wn0cB4au0c6scxQzOdgWT/5zHbexm+tkIqPDtfBctMeO2Xll30EtQIq+4wCU0MUzvVMxNBoio= MIME-Version: 1.0 In-Reply-To: <20180109222348.twmw62qwfhefqpoe@treble> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> <151520102670.32271.8447983009852138826.stgit@dwillia2-desk3.amr.corp.intel.com> <20180109214149.yo3tnjesezgz63x4@treble> <20180109214902.2d4ptkld2bof3js7@treble> <20180109222348.twmw62qwfhefqpoe@treble> From: Dan Williams Date: Tue, 9 Jan 2018 14:35:48 -0800 Message-ID: Subject: Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok To: Josh Poimboeuf Cc: Linus Torvalds , Linux Kernel Mailing List , linux-arch@vger.kernel.org, Andi Kleen , Arnd Bergmann , Greg Kroah-Hartman , Peter Zijlstra , Network Development , "the arch/x86 maintainers" , Ingo Molnar , "H. Peter Anvin" , Thomas Gleixner , Alan Cox Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Tue, Jan 9, 2018 at 2:23 PM, Josh Poimboeuf wrote: > On Tue, Jan 09, 2018 at 01:59:04PM -0800, Dan Williams wrote: >> > Right, but what's the purpose of preventing speculation past >> > access_ok()? >> >> Caution. It's the same rationale for the nospec_array_ptr() patches. >> If we, kernel community, can identify any possible speculation past a >> bounds check we should inject a speculation mitigation. Unless there's >> a way to be 100% certain that the first unwanted speculation can be >> turned into a gadget later on in the instruction stream, err on the >> side of shutting it down early. > > I'm all for being cautious. The nospec_array_ptr() patches are fine, > and they make sense in light of the variant 1 CVE. > > But that still doesn't answer my question. I haven't seen *any* > rationale for this patch. It would be helpful to at least describe > what's being protected against, even if it's hypothetical. How can we > review it if the commit log doesn't describe its purpose? Certainly the changelog needs improvement, I'll roll these concerns into v2 and we can go from there.