From: Dan Williams
Date: Wed, 17 Jan 2018 12:14:22 -0800
Subject: Re: [PATCH v3 8/9] x86: use __uaccess_begin_nospec and ASM_IFENCE in get_user paths
To: Al Viro
Cc: Alan Cox, Linus Torvalds, Linux Kernel Mailing List, linux-arch@vger.kernel.org, Andi Kleen, Kees Cook, kernel-hardening@lists.openwall.com, Greg Kroah-Hartman, "the arch/x86 maintainers", Ingo Molnar, "H. Peter Anvin", Thomas Gleixner, Andrew Morton

On Wed, Jan 17, 2018 at 12:05 PM, Al Viro wrote:
> On Wed, Jan 17, 2018 at 11:54:12AM -0800, Dan Williams wrote:
>> On Wed, Jan 17, 2018 at 10:52 AM, Al Viro wrote:
>> > On Wed, Jan 17, 2018 at 02:17:26PM +0000, Alan Cox wrote:
>> [..]
>> > Incidentally, what about copy_to_iter() and friends?  They
>> > check iov_iter flavour and go either into the "copy to kernel buffer"
>> > or "copy to userland" paths.  Do we need to deal with mispredictions
>> > there?  We are calling a bunch of those on read()...
>> >
>>
>> Those should be protected by the conversion of __uaccess_begin to
>> __uaccess_begin_nospec that includes the lfence.
>
> Huh?  What the hell does it do to speculative execution of "memcpy those
> suckers" branch?

'raw_copy_from_user' is changed to use 'uaccess_begin_nospec' instead
of plain 'uaccess_begin'. The only difference between those being that
the former includes an lfence. So with this sequence.

	if (access_ok(VERIFY_READ, from, n)) {
		kasan_check_write(to, n);
		n = raw_copy_from_user(to, from, n);
	}
	return n;

...'from' is guaranteed to be within the address limit with respect to
speculative execution, or otherwise never de-referenced.
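
Added example (not part of the original message or of the kernel patch): a user-space C model of the sequence above, showing where the fence sits relative to the range check and the first load through 'from'. All model_* names, the arena and USER_LIMIT are constructed for illustration; the fence only constrains speculation, so the return values are the same with or without it.

```c
#include <stddef.h>
#include <string.h>

#define ARENA_SIZE 64u
#define USER_LIMIT 48u	/* constructed: offsets below this play user space */
static unsigned char arena[ARENA_SIZE];

void model_arena_init(void)
{
	memset(arena, 'u', USER_LIMIT);
	memset(arena + USER_LIMIT, 'K', ARENA_SIZE - USER_LIMIT);
}

/* Stand-in for access_ok(): whole range below the limit, no wraparound. */
static int model_access_ok(size_t from, size_t n)
{
	return from <= USER_LIMIT && n <= USER_LIMIT - from;
}

/* Stand-in for the barrier: on x86, lfence holds back later instructions, even
 * speculative ones, until the compare and branch above it have completed. */
#if defined(__x86_64__) || defined(__i386__)
#define model_uaccess_begin_nospec() __asm__ __volatile__("lfence" ::: "memory")
#else
#define model_uaccess_begin_nospec() __asm__ __volatile__("" ::: "memory") /* compiler barrier only */
#endif

/* Stand-in for raw_copy_from_user(): returns the number of bytes NOT copied. */
static size_t model_raw_copy_from_user(void *to, size_t from, size_t n)
{
	model_uaccess_begin_nospec();	/* before the first load through 'from' */
	memcpy(to, arena + from, n);
	return 0;
}

/* Same shape as the sequence quoted in the message. */
size_t model_copy_from_user(void *to, size_t from, size_t n)
{
	if (model_access_ok(from, n))
		n = model_raw_copy_from_user(to, from, n);
	return n;
}

int main(void)
{
	unsigned char buf[8];
	model_arena_init();
	return !(model_copy_from_user(buf, 0, 8) == 0 && model_copy_from_user(buf, 44, 8) == 8);
}
```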