Date: Mon, 27 Aug 2018 10:13:29 +0200
From: Peter Zijlstra
To: Masami Hiramatsu
Cc: Andy Lutomirski, Kees Cook, Nadav Amit, Linus Torvalds, Paolo Bonzini, Jiri Kosina, Will Deacon, Benjamin Herrenschmidt, Nick Piggin, the arch/x86 maintainers, Borislav Petkov, Rik van Riel, Jann Horn, Adin Scannell, Dave Hansen, Linux Kernel Mailing List, linux-mm, David Miller, Martin Schwidefsky, Michael Ellerman
Subject: Re: TLB flushes on fixmap changes
Message-ID: <20180827081329.GZ24124@hirez.programming.kicks-ass.net>
References: <56A9902F-44BE-4520-A17C-26650FCC3A11@gmail.com> <9A38D3F4-2F75-401D-8B4D-83A844C9061B@gmail.com> <8E0D8C66-6F21-4890-8984-B6B3082D4CC5@gmail.com> <20180826112341.f77a528763e297cbc36058fa@kernel.org> <20180826090958.GT24124@hirez.programming.kicks-ass.net> <20180827120305.01a6f26267c64610cadec5d8@kernel.org>
In-Reply-To: <20180827120305.01a6f26267c64610cadec5d8@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Aug 27, 2018 at 12:03:05PM +0900, Masami Hiramatsu wrote:
> On Sun, 26 Aug 2018 11:09:58 +0200
> Peter Zijlstra wrote:
> > FWIW, before text_poke_bp(), text_poke() would only be used from
> > stop_machine, so all the other CPUs would be stuck busy-waiting with
> > IRQs disabled. These days, yeah, that's lots more dodgy, but yes
> > text_mutex should be serializing all that.
>
> I'm still not sure that speculative page-table walk can be done
> over the mutex. Also, if the fixmap area is for aliasing
> pages (which always mapped to memory), what kind of
> security issue can happen?
So suppose CPU-A is doing the text_poke (let's say through text_poke_bp, such that other CPUs get to continue with whatever they're doing). While at that point, CPU-B gets an interrupt, and the CPU's branch-trace-buffer for the IRET points to / near our fixmap. Then the CPU could do a speculative TLB fill based on the BTB value, either directly or indirectly (through speculative driven fault-ahead) of whatever is in the fixmap at the time. Then CPU-A completes the text_poke and only does a local TLB invalidate on CPU-A, leaving CPU-B with an active translation. *FAIL*
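The race Peter describes, as an added model written for this page; it is not kernel code and not part of the thread. It cannot trigger real speculation, so it only encodes the invariant the mail relies on: a TLB entry filled by any CPU while the fixmap PTE was live stays valid until *that* CPU invalidates, so a flush local to the poking CPU cannot retire it. Two CPUs share one page-table entry for a single hypothetical fixmap slot; `FIX_VA`, `PHYS_TEXT`, `speculative_fill()` and `run_text_poke_race()` are constructed names, and the "speculative fill" is simply a page walk that CPU-B performs without any instruction architecturally touching the address.

```c
/* Constructed model of the fixmap/TLB race from the mail (not kernel code).
 * Two CPUs with private TLBs, one shared PTE for a hypothetical fixmap slot. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NR_CPUS      2
#define TLB_ENTRIES  4
#define CPU_A        0                  /* the CPU running text_poke()      */
#define CPU_B        1                  /* the CPU that takes the interrupt */

/* Hypothetical addresses: one fixmap slot and the text page it aliases. */
#define FIX_VA       0xffffffffff400000ULL
#define PHYS_TEXT    0x01000000ULL      /* physical page of kernel text being poked */
#define PHYS_NONE    0ULL               /* "not mapped"                     */

struct tlb_entry { uint64_t va, pa; bool valid; };
static struct tlb_entry tlb[NR_CPUS][TLB_ENTRIES];

/* The one page-table entry for the fixmap slot, shared by every CPU. */
static uint64_t fixmap_pte = PHYS_NONE;

static void tlb_flush_local(int cpu)
{
    memset(tlb[cpu], 0, sizeof tlb[cpu]);
}

/* Models a TLB shootdown: every CPU invalidates, as an IPI-driven flush does. */
static void tlb_flush_all(void)
{
    for (int cpu = 0; cpu < NR_CPUS; cpu++)
        tlb_flush_local(cpu);
}

/* Page-table walk the MMU performs on a TLB miss. */
static uint64_t page_walk(uint64_t va)
{
    return va == FIX_VA ? fixmap_pte : PHYS_NONE;
}

/* Translate va on cpu: a hit returns the cached PA regardless of whether the
 * PTE has changed since; a miss walks the page table and caches the result. */
static uint64_t translate(int cpu, uint64_t va)
{
    for (int i = 0; i < TLB_ENTRIES; i++)
        if (tlb[cpu][i].valid && tlb[cpu][i].va == va)
            return tlb[cpu][i].pa;

    uint64_t pa = page_walk(va);
    if (pa == PHYS_NONE)
        return PHYS_NONE;               /* would fault; nothing gets cached */

    for (int i = 0; i < TLB_ENTRIES; i++) {
        if (!tlb[cpu][i].valid) {
            tlb[cpu][i].va = va;
            tlb[cpu][i].pa = pa;
            tlb[cpu][i].valid = true;
            break;
        }
    }
    return pa;
}

/* A speculative fill: the CPU followed a predicted (BTB) target near va and
 * walked the page table although no instruction architecturally executed. */
static void speculative_fill(int cpu, uint64_t va)
{
    (void)translate(cpu, va);
}

/* Returns the physical page CPU-B resolves for the fixmap VA after CPU-A has
 * finished poking and unmapped the slot. PHYS_NONE is the correct answer;
 * anything else is a lingering alias of kernel text on CPU-B. */
static uint64_t run_text_poke_race(bool global_flush)
{
    fixmap_pte = PHYS_NONE;
    tlb_flush_all();                    /* clean initial state */

    /* CPU-A: map the text page through the fixmap slot and write via it. */
    fixmap_pte = PHYS_TEXT;
    tlb_flush_local(CPU_A);
    (void)translate(CPU_A, FIX_VA);

    /* CPU-B: interrupt, BTB points near the fixmap, speculative TLB fill. */
    speculative_fill(CPU_B, FIX_VA);

    /* CPU-A: done, unmap the slot and flush. */
    fixmap_pte = PHYS_NONE;
    if (global_flush)
        tlb_flush_all();
    else
        tlb_flush_local(CPU_A);         /* the local-only invalidate from the mail */

    return translate(CPU_B, FIX_VA);
}

int main(void)
{
    printf("local flush only : CPU-B resolves fixmap to %#llx\n",
           (unsigned long long)run_text_poke_race(false));
    printf("global shootdown : CPU-B resolves fixmap to %#llx\n",
           (unsigned long long)run_text_poke_race(true));
    return 0;
}
```

With the local-only flush CPU-B still resolves `FIX_VA` to `PHYS_TEXT` after the slot has been torn down; only a flush that reaches every CPU (here `tlb_flush_all()`, standing in for an IPI shootdown) removes the alias. The model deliberately ignores timing, so it says nothing about how likely a real speculative fill is, only that once one has happened the poking CPU has no local way to undo it.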