Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp5034097imm;
        Sun, 22 Jul 2018 11:29:06 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpexZB81MhHOy5WJlu3A6DG5U2pWG56Qocg4Q7rDXvYvf0iJtH5kQzx7XjWje3+u9cdYRIgI
X-Received: by 2002:aa7:88d3:: with SMTP id p19-v6mr10216060pfo.160.1532284146006;
        Sun, 22 Jul 2018 11:29:06 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1532284145; cv=none;
        d=google.com; s=arc-20160816;
        b=PvINqkAzPViuaiDgtJL9M3fFo4AD3jN39LG8Ae9LlkEGrqd+nGdgRDLNYUguDoi/Pj
         6csj+jkiCeS1dYWcnSPfIsla6jNasEz70X7yey/dc+V36/YYaY+59WYA1u/Wbm0IjqIA
         A/aVWS7NEL9BxMgoiKodqdeqsIMhcku2NIuGRYzaTekRPbM9K6r846+nNGKMdlkEJ5tD
         rH0zqllcgrD8iOs594nUSYJumcK3S5z3I2Yli4kenBc2xr6v8PGT0RQbIn2pWcmj0FAv
         6KAgJx88eczSuK117k0sGv87MRcGKozo6tiNIxY1KTO8rcqwaj+ijr8bKGfir2RfaX70
         vHsw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=4H2b//X01nwgyuSxluobo3FDtc6XUHdPLtYQoFidPx8=;
        b=APe9+V8Jhaire8w7gCjJ+9oGFeS118udxQdpOZKp9VAvzpLfZltHM69YHK8d1gF6xn
         RyX31ZsGDvefxIqwBKtWcudu8f9AwiQdLfpE2E2DrqpR3P+b2x/NR9JagR0bKoXWoOdT
         hU7IPUqMoYY2guljbpvdOZi30u6anlY67mJE2yjA18d8iMupUQuj1gBRdb38bImY5BC1
         fTK2AlDDyRi2lVG/ACGtmxTbTEeKh4ZFoSNqMj02jJx5A12D0PzuAYmTRqM4kTb9W3AH
         zc0cBm2LOD4GamPLsCiw/B3fJYlA1XkJ6z1kleRzZ/dydg7jkr5eNfrdynXT3XOAccFg
         c/ZA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=U+nZ7naY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x5-v6si7512908pgx.310.2018.07.22.11.28.51;
        Sun, 22 Jul 2018 11:29:05 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b=U+nZ7naY;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730683AbeGVTZg (ORCPT <rfc822;ivid.suvarna@gmail.com>
        + 99 others); Sun, 22 Jul 2018 15:25:36 -0400
Received: from mail-io0-f193.google.com ([209.85.223.193]:35529 "EHLO
        mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730506AbeGVTZf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 22 Jul 2018 15:25:35 -0400
Received: by mail-io0-f193.google.com with SMTP id w11-v6so8270885iob.2
        for <linux-kernel@vger.kernel.org>; Sun, 22 Jul 2018 11:28:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=4H2b//X01nwgyuSxluobo3FDtc6XUHdPLtYQoFidPx8=;
        b=U+nZ7naYLlC0d6IlaaTva3lKNP6u/O+IcIBkRrspvxvyVqcpNYNTcwWD8F8VkY+CR2
         BtTwqutABSZE47Aq8yIjfgJwntdeW+l/3X1+Qg4goy9wlZIcKL2A2TQtW3x+C4WlrYTP
         IR7MqFipQPaLxm0lWi2fgHoyhUGOoDtfaJIPQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=4H2b//X01nwgyuSxluobo3FDtc6XUHdPLtYQoFidPx8=;
        b=gXLKCys1peSbea+3mvc2ipe3VPWWR4t90gy9veQ5HMPUmRaP5W/7FFpv4pPPL2Z2dK
         YBTWCiQ/F40R1XCddV8pjlO/jpIdMhngb/4KdZ6m5p8/Q5MUBeJWPegncsmPLIqw8n33
         igThvCMqzxweo3Z7BhrbPZLmeB//13S/mmnXfy2YHmWDVoKJ9hMqZIwnXgGcPzDyFnlq
         0l3TSeogSqOnmJx1ovMp2/sA3TRdCnZNcN5f5JPawQQtg0jlalAX2UWcYTbJLGORYtYn
         EeoU3cb7J158tclrb1RuqnfHtqwCmR6qEl6oEjFrJqOLKWx7IcT8QeeFdw1aloChzEe3
         QaIA==
X-Gm-Message-State: AOUpUlHLfXpxxqoWJkxBbWM0ZwzN9MvfrAAS+3VTg+CshzXMlLLsHo0B
        HbnPDyYWqCR89KiNAXSPN9kQwYGzmmZIl8u6Hh8=
X-Received: by 2002:a6b:f612:: with SMTP id n18-v6mr8200579ioh.259.1532284081511;
 Sun, 22 Jul 2018 11:28:01 -0700 (PDT)
MIME-Version: 1.0
References: <cover.1532281180.git.luto@kernel.org> <1e3d01ce04315218d3f8ee269528bb774a4d1d60.1532281180.git.luto@kernel.org>
In-Reply-To: <1e3d01ce04315218d3f8ee269528bb774a4d1d60.1532281180.git.luto@kernel.org>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sun, 22 Jul 2018 11:27:50 -0700
Message-ID: <CA+55aFz1ne3KTzni2Yvsp8ZRFzk+s78ZhKyGeLZvmRivBhFMfA@mail.gmail.com>
Subject: Re: [RFC 2/2] x86/pti/64: Remove the SYSCALL64 entry trampoline
To:     Andrew Lutomirski <luto@kernel.org>
Cc:     "the arch/x86 maintainers" <x86@kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Dave Hansen <dave.hansen@linux.intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 22, 2018 at 10:45 AM Andy Lutomirski <luto@kernel.org> wrote:
>
> This patch changes the code to map the percpu TSS into the user page
> tables to allow the non-trampoline SYSCALL64 path to work under PTI.

Me likey.

However:

> This does not add a new direct information leak, since the TSS is
> readable by Meltdown from the cpu_entry_area alias regardless.

Afaik, it does now potentially expose through meltdown the per-thread
entry stack info, which is new.

But I don't think that's a show-stopper.

>  static void __init pti_clone_user_shared(void)
>  {
> +       for_each_possible_cpu(cpu) {

But this code is pretty disgusting and seems wrong.

Do you really want to do all trhe _possible_ cpu's, not just the
online ones? I'd rather expose less (think MAXCPU) and then have the
CPU hotplug code expose the page as the CPU comes up?

> +               unsigned long va = (unsigned long)&per_cpu(cpu_tss_rw, cpu);
> +               phys_addr_t pa = per_cpu_ptr_to_phys((void *)va);
> +               pte_t *target_pte;
> +
> +               target_pte = pti_user_pagetable_walk_pte(va);

This function only exists if CONFIG_X86_VSYSCALL_EMULATION, so it
won't even compile under (very unusual) configurations.

The "disgusting" part is that I think it could/should share more code
with the vsyscall case, and the whole target-pte checking and setting
should be shared too.

Beause not being shared, I react to this:

> +               set_pte(target_pte, pfn_pte(pa >> PAGE_SHIFT, PAGE_KERNEL));

Hmm. The vsyscall code just does

        *target_pte = ..

without any set_pte() stuff. Do we want/need the PVOP cases, and if
so, why doesn't the vsyscall case need it?

Anyway, I love the approach, and how this gets rid of the nasty
trampoline, so no real complaints, just "this needs some fixups".

                Linus