Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Subject: Re: [RFC PATCH 2/2] x86/ibpb: Prevent missed IBPB flush
To:     David Woodhouse <dwmw2@infradead.org>, linux-kernel@vger.kernel.org
Cc:     KarimAllah Ahmed <karahmed@amazon.de>,
        Andi Kleen <ak@linux.intel.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        Andy Lutomirski <luto@kernel.org>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Ashok Raj <ashok.raj@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Borislav Petkov <bp@suse.de>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        "H . Peter Anvin" <hpa@zytor.com>, Ingo Molnar <mingo@redhat.com>,
        Janakarajan Natarajan <Janakarajan.Natarajan@amd.com>,
        Joerg Roedel <joro@8bytes.org>,
        Jun Nakajima <jun.nakajima@intel.com>,
        Laura Abbott <labbott@redhat.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Masami Hiramatsu <mhiramat@kernel.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>, rkrcmar@redhat.com,
        Thomas Gleixner <tglx@linutronix.de>,
        Tom Lendacky <thomas.lendacky@amd.com>, x86@kernel.org
References: <c5cc429013c2248ddebe0a8480b172ae70b29733.1516840211.git.tim.c.chen@linux.intel.com>
 <332d3ac8a7018b98d8182ec86b5fc41239c667c6.1516840211.git.tim.c.chen@linux.intel.com>
 <1516868406.30244.16.camel@infradead.org>
From:   Tim Chen <tim.c.chen@linux.intel.com>
Message-ID: <d9a6a417-4ec9-ddd2-de89-cb656a238c86@linux.intel.com>
Date:   Thu, 25 Jan 2018 08:56:57 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.1.0
MIME-Version: 1.0
In-Reply-To: <1516868406.30244.16.camel@infradead.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 01/25/2018 12:20 AM, David Woodhouse wrote:
> On Wed, 2018-01-24 at 16:36 -0800, Tim Chen wrote:
>> It is possible that the last uesr mm that we recorded for a cpu was
>> released, and a new mm with identical address was allocated when we
>> check it again.  We could skip IBPB flush here for the process with
>> the new mm.
>>
>> It is a difficult to exploit case as we have to exit() a process on a
>> cpu, free the mm, and fork() the victim to use the mm pointer on that
>> cpu. The exploiter needs the old mm to get recycled to the
>> newly forked process and no other processes run on the target cpu.
> 
> That's what it takes to have the victim process leak information into
> the cache. In order to *harvest* that information, the attacker must
> then get run on the same CPU again? And since her first process had to
> exits, as described above, she needs a new process for that?
> 
> I confess, with all the other wildly theoretical loopholes that exist,
> I wasn't losing much sleep over this one.
> 
>> Nevertheless, the patch below is one way to close this hole by
>> adding a ref count to prevent the last user mm from being released.
>> It does add ref counting overhead, and extra memory cost of keeping an mm
>> (though not the VMAs and most of page tables) around longer than we will
>> otherwise need to. Any better solutions are welcomed.
> 
> This has no upper bound on the amount of time the user mm gets held,
> right? If a given CPU remains idle for ever (and what happens if it's
> taken offline?) we'll never do that mmdrop() ?
> 

The downside with this approach is we do hold on to the mm longer
than we needs to.

Yes, the offline path does need to be fixed up.

Tim