Date: Wed, 27 Jun 2018 11:22:14 -0700
From: hpa@zytor.com
To: Andy Lutomirski, "H. Peter Anvin"
CC: LKML, "H. Peter Anvin", Ingo Molnar, Thomas Gleixner, "Bae, Chang Seok", "Metzger, Markus T"
Subject: Re: [PATCH v3 1/7] x86/ldt: refresh %fs and %gs in refresh_ldt_segments()
Message-ID: <27F6CB18-8E20-487B-B55B-1DAEF9DF9E2C@zytor.com>
References: <20180621211754.12757-1-h.peter.anvin@intel.com> <20180621211754.12757-2-h.peter.anvin@intel.com> <408ed97a-c64d-c523-c403-4e066d1f34c3@intel.com>
User-Agent: K-9 Mail for Android
X-Mailing-List: linux-kernel@vger.kernel.org

On June 27, 2018 11:19:12 AM PDT, Andy Lutomirski wrote:
>On Fri, Jun 22, 2018 at 11:47 AM, Andy Lutomirski wrote:
>>
>>> On Jun 22, 2018, at 11:29 AM, H. Peter Anvin wrote:
>>>
>>>> On 06/22/18 07:24, Andy Lutomirski wrote:
>>>>
>>>> That RPL3 part is false.  The following program does:
>>>>
>>>> #include <stdio.h>
>>>>
>>>> int main()
>>>> {
>>>>     unsigned short sel;
>>>>     asm volatile ("mov %%ss, %0" : "=rm" (sel));
>>>>     sel &= ~3;
>>>>     printf("Will write 0x%hx to GS\n", sel);
>>>>     asm volatile ("mov %0, %%gs" :: "rm" (sel & ~3));
>>>>     asm volatile ("mov %%gs, %0" : "=rm" (sel));
>>>>     printf("GS = 0x%hx\n", sel);
>>>>     return 0;
>>>> }
>>>>
>>>> prints:
>>>>
>>>> Will write 0x28 to GS
>>>> GS = 0x28
>>>>
>>>> The x86 architecture is *insane*.
>>>>
>>>> Other than that, this patch seems generally sensible.  But my
>>>> objection that it's incorrect with FSGSBASE enabled for %fs and %gs
>>>> still applies.
>>>>
>>>
>>> Ugh, you're right... I misremembered.  The CPL simply overrides the RPL
>>> rather than trapping.
>>>
>>> We still need to give legacy applications which have zero idea about the
>>> separate bases that apply only to 64-bit mode a way to DTRT.  Requiring
>>> these old crufty applications to do something new is not an option.
>>>
>>> As ugly as it is, I'm thinking the Right Thing is to simply make it a
>>> part of the Linux ABI that if the FS or GS selector registers point into
>>> the LDT then we will requalify them; if a 64-bit app does that then they
>>> get that behavior.  This isn't something that will happen
>>> asynchronously, and if a 64-bit process loads an LDT value into FS or
>>> GS, they are considered to have opted in to that behavior.
>>
>> But the old and crusty apps don’t depend on requalification because
>> we never used to do it.
>>
>> I’m not convinced we ever need to refresh the base.  In fact, we could
>> start preserving the base of LDT-referencing FS/GS across context
>> switches even without FSGSBASE at some minor performance cost, but I
>> don’t really see the point.  I still think my proposed semantics are
>> easy to implement and preserve the ABI even if they have the sad
>> property that the FSGSBASE behavior and the non-FSGSBASE behavior end
>> up different.
>>
>
>There's another reasonable solution: do exactly what your patch does,
>minus the bugs.  We would need to get the RPL != 3 case right (easy)
>and the case where there's a non-running thread using the selector in
>question.  The latter is probably best handled by adding a flag to
>thread_struct that says "fsbase needs reloading from the descriptor
>table" and only applies if the selector is in the LDT or TLS area.  Or
>we could hijack a high bit in the selector.  Then we'd need to update
>everything that uses the fields.

Obviously fix the bugs.

How would you control this bit?

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.