Received: by 10.213.65.68 with SMTP id h4csp702674imn; Tue, 20 Mar 2018 13:09:37 -0700 (PDT) X-Google-Smtp-Source: AG47ELvEiVFUTsgy6f0AMfgz2j+zEQ6tO90rDS+K5xcT0YNVdlCI7fIJaV8o89PGFnjOIcbDZI8n X-Received: by 10.101.88.130 with SMTP id d2mr12942346pgu.383.1521576577187; Tue, 20 Mar 2018 13:09:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521576577; cv=none; d=google.com; s=arc-20160816; b=FevDHSMb+xQLLvwJSktvqZ9nhhA4QrjVwaNkx5LF7aicmBPBntg7K3+E/ru2UfA9EY u0gqdHK5luYXaJDUsJEqBbmqhFlCn1ZvbDRzTOVBnbWok5CP4CiCHdz+213g8ffI6nd5 LuuDrmJ2G+mffoMz8WT1Z0JGiUskmjAuW+zUOLlcuWnzoS/i/e2rFZCMmvT6HzArjZ+T yTWF3xqCPy5qSWS/HGHGNlL0O/g4PTmZUEBs1jbwZ4Kfbo5D3rgIArQgE95b88Jx/szn pIHnecqtzNSk23Q28KA25jMqRQVg6Gfn2FXQhumsrM9rKu/yDxbJq8o2msLXijjYh1bY lI6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:arc-authentication-results; bh=dfnxIAb/D/r1nJLgSaB8oc5kB6Qsv+Gawlwf3UZW+FQ=; b=wlDNlsNi6L4+wDAn+P3bDiKNzjUH7D6bxphB2yyct+4+GQkXWL+ap0EmJGSffUxuyW AZh/WSKPQuCGSYexw8NPtcwCCpZesb/4i97iabsNgYHng2c+x7ATGCP38KWom3ZYPHTi iNa4KjBernye2kR0AgDOw7OVJHsH9vcdxXWK36jgHNFL5UR/ycl+E9Z7lsuqSnJCGSnH tachcRtceuI8V+7HcPH7y+W5wJels6KqCQjBarSo74ZWysNLtWjC2Vu9dRY1S5fVz+RB WbsdrdunBdCKHxXBUIPt7+wAUjbjlkUr9jVHocrArBbSEYSGNsus+Yaih4IxcPD5CCyb Z91A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a124si1638443pgc.610.2018.03.20.13.09.22; Tue, 20 Mar 2018 13:09:37 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751514AbeCTUHj (ORCPT + 99 others); Tue, 20 Mar 2018 16:07:39 -0400 Received: from terminus.zytor.com ([198.137.202.136]:58705 "EHLO mail.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751348AbeCTUHg (ORCPT ); Tue, 20 Mar 2018 16:07:36 -0400 Received: from hanvin-mobl2.amr.corp.intel.com (fmdmzpr04-ext.fm.intel.com [192.55.54.39]) (authenticated bits=0) by mail.zytor.com (8.15.2/8.15.2) with ESMTPSA id w2KK7C0V001110 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Tue, 20 Mar 2018 13:07:13 -0700 Subject: Re: [PATCH 13/15] x86/fsgsbase/64: With FSGSBASE, compare GS bases on paranoid_entry To: David Laight , "'Chang S. Bae'" , "x86@kernel.org" Cc: "luto@kernel.org" , "ak@linux.intel.com" , "markus.t.metzger@intel.com" , "tony.luck@intel.com" , "ravi.v.shankar@intel.com" , "linux-kernel@vger.kernel.org" , Dave Hansen References: <1521481767-22113-1-git-send-email-chang.seok.bae@intel.com> <1521481767-22113-14-git-send-email-chang.seok.bae@intel.com> From: "H. Peter Anvin" Message-ID: <191d8212-6740-3131-1653-d057f522843c@zytor.com> Date: Tue, 20 Mar 2018 13:07:05 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 03/20/18 03:16, David Laight wrote: > From: Chang S. Bae >> Sent: 19 March 2018 17:49 > ... >> When FSGSBASE is enabled, SWAPGS needs if and only if (current) >> GS base is not the kernel's. >> >> FSGSBASE instructions allow user to write any value on GS base; >> even negative. Sign check on the current GS base is not >> sufficient. Fortunately, reading GS base is fast. Kernel GS >> base is also known from the offset table with the CPU number. > ... > > Use code might want to put a negative value into GSBASE. > While it is normal to put a valid address into GSBASE there > is no reason why the code can't put an offset into GSBASE, > in which case it might be negative. > > Yes, I know you can't put arbitrary 64bit values into GSBASE. > But the difference between 2 user pointers will always be valid. > You don't have a choice: you can't control what userspace puts in there. Anything that depends on a specific value is inherently unsafe. But we also don't need swapgs when we have rdgsbase/wrgsbase available. We can indeed just unconditionally save it (via rdgsbase) into the stack frame and wrgsbase the correct percpu value. In that case it might be necessary in order to avoid insane complexity to also save/restore the gs selector. Is it going to be faster? *Probably* not as swapgs is designed to be fast; it does, however, eliminate the need to RDMSR/WRMSR inside the kernel task switch as the user space gsbase will simply live on the stack. (This is assuming we do this unconditionally on every method of kernel entry, including non-paranoid. I'm not sure if we ever care about the userspace GS/GSBASE inside a paranoid handler, but if we do it would be rather messy to find if we do this conditionally. Now... + ALTERNATIVE "jmp .Lparanoid_entry_no_fsgsbase", \ + "RDGSBASE %rdx", X86_FEATURE_FSGSBASE + READ_KERNEL_GSBASE %rax READ_KERNEL_GSBASE here seems like a Really Bad Name[TM] for this macro, since it seems to imply reading MSR_KERNEL_GS_BASE, rather than finding the current percpu offset. I would prefer calling it something like FIND_PERCPU_BASE or something like that. -hpa