Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp5636298imm;
        Mon, 27 Aug 2018 01:15:33 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdbS11tiEHQ5LNEQB5WLguHZBEs8IqqfM/gur3pwVZ3KNCzUwjUoF3f8vg2XSx6Qm+It20zV
X-Received: by 2002:a62:398c:: with SMTP id u12-v6mr13448233pfj.9.1535357733675;
        Mon, 27 Aug 2018 01:15:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1535357733; cv=none;
        d=google.com; s=arc-20160816;
        b=tAEEVSU/edgQIiRmdVj569WyWvASW3rsVge42HzjEd3lPgZkZ3dqzme5lOq2NR9VdD
         gIgQynNQTnB5+PTv/VOi7qEdVgoq9KQ0Rij2Mv6MkXWCHKEplXrOOprPfsOtw8+DgLY3
         HxG/QXjbn9Xo0vO4LAeZH3bBbM3MpAPR3Qj/gGRpbVp5YRNnu/dRF2OJro/y59hnJHRB
         7AMXn9EHvIUI2046HCbU0B++eryA4idmOPQuSQdlhg2tl7fNpHSjPq+NUwDN9ctXVAU5
         NZIPP6CAM0SD+srmAV4Qa+xvvkjhXXmytz+X05CBEYAIbsmIhIoIyHjvQwKSW+faJNjn
         GOlw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature:arc-authentication-results;
        bh=R4XLgZxIEeetxse3cGbQmpC5HMsrrsc0HLlgHIwbagw=;
        b=D4mDqkZ8FAFM5ZMjFeIWeDUikc32tWoFjrrW1gfENEX7Dr1Jt6gBsg4TLfXamAxDYd
         g9+DMHWvH5iwO8fHnrczC5MEgOdNxLF6T1xLBmfXRnVN5FtSK2tM2UzchKWAr0wnuYAD
         nxByfsuObyFx0JFXjG2BEQQ4S3UDQl9Ybmd4+1tMhUVHJ/Q9TaXWBT/n1pGIDDdNHg4u
         3EM8iRwV7B1cqITxVP2y93xp2tSJZNND0+eLAmRk2xrHEeoBz9CTXz0r9U7wBLRkeC3D
         oiUCCW2ypI0o8s/LyxTq/13lyyFz2HnnUEN7ASiSlM4Dy4oQG6CB3qXv/r48ngiAJ9+i
         srcg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=Ll3JnYyJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p61-v6si14065414plb.55.2018.08.27.01.15.15;
        Mon, 27 Aug 2018 01:15:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=Ll3JnYyJ;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726911AbeH0L7j (ORCPT <rfc822;sbrunau@gmail.com> + 99 others);
        Mon, 27 Aug 2018 07:59:39 -0400
Received: from merlin.infradead.org ([205.233.59.134]:59258 "EHLO
        merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726826AbeH0L7i (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 27 Aug 2018 07:59:38 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=R4XLgZxIEeetxse3cGbQmpC5HMsrrsc0HLlgHIwbagw=; b=Ll3JnYyJBVNBLJNr/LfsTj+/t
        Vzcr/ATNuLuNDSIxL6gq248LwoaBTQq90JG0uy/dy4rJfo81fSpxFNk4L8C7gx7kGQlS3CM78HYIE
        PxzM2kod6F38lSbQQpR45t+ihNkXXyTl/B4n4+YoqJpHRoUFuiCfxIuEr8KYkx/w8Hl9fCr9Zkjvc
        rARysP8GjXXnuj3+NabtiVihFLk3uM6x3E9GtBwvCvSWjMO4dwH1P5TkbUmyhh4EDrSnXUUo//n6W
        AGQfHh7ezq2y3c7XdchVdFrfkDGBcv6+LLM3m+soExK3VnHSJi6SDXR2epEAL6jkHqqVfTCwle5fN
        uGJbzq6+g==;
Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net)
        by merlin.infradead.org with esmtpsa (Exim 4.90_1 #2 (Red Hat Linux))
        id 1fuCeR-0000qB-Ev; Mon, 27 Aug 2018 08:13:31 +0000
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id EB3112024EFCD; Mon, 27 Aug 2018 10:13:29 +0200 (CEST)
Date:   Mon, 27 Aug 2018 10:13:29 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     Masami Hiramatsu <mhiramat@kernel.org>
Cc:     Andy Lutomirski <luto@kernel.org>,
        Kees Cook <keescook@chromium.org>,
        Nadav Amit <nadav.amit@gmail.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Paolo Bonzini <pbonzini@redhat.com>,
        Jiri Kosina <jkosina@suse.cz>,
        Will Deacon <will.deacon@arm.com>,
        Benjamin Herrenschmidt <benh@au1.ibm.com>,
        Nick Piggin <npiggin@gmail.com>,
        the arch/x86 maintainers <x86@kernel.org>,
        Borislav Petkov <bp@alien8.de>,
        Rik van Riel <riel@surriel.com>,
        Jann Horn <jannh@google.com>,
        Adin Scannell <ascannell@google.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        linux-mm <linux-mm@kvack.org>,
        David Miller <davem@davemloft.net>,
        Martin Schwidefsky <schwidefsky@de.ibm.com>,
        Michael Ellerman <mpe@ellerman.id.au>
Subject: Re: TLB flushes on fixmap changes
Message-ID: <20180827081329.GZ24124@hirez.programming.kicks-ass.net>
References: <56A9902F-44BE-4520-A17C-26650FCC3A11@gmail.com>
 <CA+55aFzerzTPm94jugheVmWg8dJre94yu+GyZGT9NNZanNx_qw@mail.gmail.com>
 <9A38D3F4-2F75-401D-8B4D-83A844C9061B@gmail.com>
 <CA+55aFz1KYT7fRRG98wei24spiVg7u1Ec66piWY5359ykFmezw@mail.gmail.com>
 <8E0D8C66-6F21-4890-8984-B6B3082D4CC5@gmail.com>
 <CALCETrWdeKBcEs7zAbpEM1YdYiT2UBXwPtF0mMTvcDX_KRpz1A@mail.gmail.com>
 <20180826112341.f77a528763e297cbc36058fa@kernel.org>
 <CALCETrXPaX-+R6Z9LqZp0uOVmq-TUX_ksPbUL7mnfbdqo6z2AA@mail.gmail.com>
 <20180826090958.GT24124@hirez.programming.kicks-ass.net>
 <20180827120305.01a6f26267c64610cadec5d8@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180827120305.01a6f26267c64610cadec5d8@kernel.org>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 27, 2018 at 12:03:05PM +0900, Masami Hiramatsu wrote:
> On Sun, 26 Aug 2018 11:09:58 +0200
> Peter Zijlstra <peterz@infradead.org> wrote:

> > FWIW, before text_poke_bp(), text_poke() would only be used from
> > stop_machine, so all the other CPUs would be stuck busy-waiting with
> > IRQs disabled. These days, yeah, that's lots more dodgy, but yes
> > text_mutex should be serializing all that.
> 
> I'm still not sure that speculative page-table walk can be done
> over the mutex. Also, if the fixmap area is for aliasing
> pages (which always mapped to memory), what kind of
> security issue can happen?

So suppose CPU-A is doing the text_poke (let's say through text_poke_bp,
such that other CPUs get to continue with whatever they're doing).

While at that point, CPU-B gets an interrupt, and the CPU's
branch-trace-buffer for the IRET points to / near our fixmap. Then the
CPU could do a speculative TLB fill based on the BTB value, either
directly or indirectly (through speculative driven fault-ahead) of
whatever is in te fixmap at the time.

Then CPU-A completes the text_poke and only does a local TLB invalidate
on CPU-A, leaving CPU-B with an active translation.

*FAIL*