Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1119470imm;
        Thu, 6 Sep 2018 16:00:55 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdaFIb0Iwgmj0mN3EEZ1ZHaIOZPf6dItXvkG7hkNi1qCfuG1fKIF+cOhPz3/OeG0nZfkRG+b
X-Received: by 2002:a63:8648:: with SMTP id x69-v6mr5275554pgd.268.1536274854923;
        Thu, 06 Sep 2018 16:00:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536274854; cv=none;
        d=google.com; s=arc-20160816;
        b=VloAFgJKyoKFXfE1mxvnUHDQ389Mq4AXjyctx7WtFTAHa2w9WAJvysw7wsTPBZKvJW
         lBF+FyvaXlB0Mt4xVjOq2zMBEwohnZAz1ciY6Yzi0FgzAXdjFV4ZJEBul3lLew+QqePt
         nuyzr1Dv1cr24ZRvKIXeXN3C2GWu734/VkRPkPf9ewTu/Rq4CH9+yL7mKpDMedZbAo1/
         +mjJA2aJrSQPf10yULJcSh+mf+jdLj1D5ZfOXW2Ke8mTYonaNsA42jMJa9SFdye+Y0FO
         C6q5/h9MJtLfVyDTElx+sBiV64WddiECi/p8lSj5nUISc7P1feydia0x3z3rYTNRQlLq
         9SzA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:to:references:message-id
         :content-transfer-encoding:cc:date:in-reply-to:from:subject
         :mime-version:dkim-signature;
        bh=ey41mNH9LAFsx9JkWO9N14Jix9PaIGdJKoz2RuJXAwI=;
        b=eWGPsqIZZGYl7kGOYYUb6ScCPU6TVcvFux7QaTnNXRPTTC0zo/l3GTRHqWY6mPGDQP
         CbujFeqQslq+MUYnapYNQ96f8zdfH4bldQXGIreQDttDNDYqywDtRP9VauFdI3EUW+Bx
         QmTgLx/GYle/MapnKPVYetujo4UkGxtJsfkDvgeet16Zkjc7bqryPDH9sMAlO1Ki/VBz
         X96h9FipYxRgL7ASq/rKpH3Ytg5BPzYEjiAv3olBkZuK/YaTAtQQchcEec11NA/idLyb
         Hmb62Idu2jWx9qAXSy/wa9+ttVC16FJlD8JtVtFGbzXaunTLW/+ZsdhJhEYvw/9VyAQC
         2ZHQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=GiHLlcMh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id b9-v6si6361890pfi.99.2018.09.06.16.00.39;
        Thu, 06 Sep 2018 16:00:54 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=GiHLlcMh;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729387AbeIGAt1 (ORCPT <rfc822;epopevad@gmail.com> + 99 others);
        Thu, 6 Sep 2018 20:49:27 -0400
Received: from mail-wr1-f66.google.com ([209.85.221.66]:36028 "EHLO
        mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728639AbeIGAt0 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 6 Sep 2018 20:49:26 -0400
Received: by mail-wr1-f66.google.com with SMTP id e1-v6so3628880wrt.3
        for <linux-kernel@vger.kernel.org>; Thu, 06 Sep 2018 13:12:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=ey41mNH9LAFsx9JkWO9N14Jix9PaIGdJKoz2RuJXAwI=;
        b=GiHLlcMhQzemXpla58Awqm0sm2nuAbWpNhMKy6SHTDjSRMXEUAY0j03vuSl+sg722l
         FevKD0ftRmAedhs/9JFgSywGJOK0QnGkNCwU26qdceab+dkzD2PBF8re23StdqcNzbkw
         TCU7+rIzgM7xMiItLmiWpe5aekFjUez/hvXXPKytCqX/FziW6c6ACBtyeSiudZl2pyM1
         AAO59BatU4yF0vDlLkyGfawvqU+b+F0aLEFf64tuRYi406Df0Pi58EwgET/s3Ve4RKYL
         GXbK9n4oXeGtCgyzZ59YUbTqdjtLf4NSq7Hss5/RdJvViUTEC2gf/vTKquaQQdfGq+zc
         ymLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
         :content-transfer-encoding:message-id:references:to;
        bh=ey41mNH9LAFsx9JkWO9N14Jix9PaIGdJKoz2RuJXAwI=;
        b=GWP+Iq23crEn8t6dBPXQk38kfLGvbBbNtS2iLkg7ioWwxoQZEMxWMQ2YokX9usxNnD
         5iAzbVONOmQ6e1uzuR/6KhcsaMYTmMOeVOmGCph2N98CEuOWxXpS0qLYXfVMLMxMVNVQ
         e7UDm2uSnN3qE+ejYjVYdnTZhJp+vmj7DbSD1S6sYcobwte8Aun3SrmJmyON9iAc4yPD
         uO5ssMIHar6PL/j277yDP4R56px/5jPxAARdo0LWmUAzjz+pLmW+NWtwzJgT76DDKKbC
         +EDxPxVSxz7Hg57MSRUusDxG+IcFFnMCW8zkGNgIsMkgU1XEb0DVwJSgg+XCVjGZ09XP
         UoLw==
X-Gm-Message-State: APzg51Bwbhce4RUXRyjEFUeXsDbutkvYaCuDRnyzV+dWQd5RXt4KXgoI
        gSOokkBR4gtsEporcn+gpg8=
X-Received: by 2002:adf:8385:: with SMTP id 5-v6mr3590590wre.13.1536264740716;
        Thu, 06 Sep 2018 13:12:20 -0700 (PDT)
Received: from [10.33.114.204] ([66.170.99.1])
        by smtp.gmail.com with ESMTPSA id 144-v6sm9215345wma.45.2018.09.06.13.12.17
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 06 Sep 2018 13:12:20 -0700 (PDT)
Content-Type: text/plain;
        charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Re: [PATCH] x86: use WRITE_ONCE() when setting PTEs
From:   Nadav Amit <nadav.amit@gmail.com>
In-Reply-To: <20180906195731.GE4816@worktop.programming.kicks-ass.net>
Date:   Thu, 6 Sep 2018 13:12:14 -0700
Cc:     Thomas Gleixner <tglx@linutronix.de>,
        LKML <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@redhat.com>, X86 ML <x86@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Andi Kleen <ak@linux.intel.com>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Michal Hocko <mhocko@suse.com>,
        Vlastimil Babka <vbabka@suse.cz>,
        Dave Hansen <dave.hansen@intel.com>,
        Sean Christopherson <sean.j.christopherson@intel.com>,
        Andy Lutomirski <luto@kernel.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <10030BE1-FE29-4C60-9963-4BE932EF09BA@gmail.com>
References: <20180902181451.80520-1-namit@vmware.com>
 <20180906195731.GE4816@worktop.programming.kicks-ass.net>
To:     Peter Zijlstra <peterz@infradead.org>,
        Nadav Amit <namit@vmware.com>
X-Mailer: Apple Mail (2.3445.9.1)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

at 12:57 PM, Peter Zijlstra <peterz@infradead.org> wrote:

> On Sun, Sep 02, 2018 at 11:14:50AM -0700, Nadav Amit wrote:
>> When page-table entries are set, the compiler might optimize their
>> assignment by using multiple instructions to set the PTE. This might
>> turn into a security hazard if the user somehow manages to use the
>> interim PTE. L1TF does not make our lives easier, making even an =
interim
>> non-present PTE a security hazard.
>>=20
>> Using WRITE_ONCE() to set PTEs and friends should prevent this =
potential
>> security hazard.
>>=20
>> I skimmed the differences in the binary with and without this patch. =
The
>> differences are (obviously) greater when CONFIG_PARAVIRT=3Dn as more
>> code optimizations are possible. For better and worse, the impact on =
the
>> binary with this patch is pretty small. Skimming the code did not =
cause
>> anything to jump out as a security hazard, but it seems that at least
>> move_soft_dirty_pte() caused set_pte_at() to use multiple writes.
>=20
> Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
>=20
> Also, its corollary would also make sense/be required, use READ_ONCE()
> when reading these.

I don=E2=80=99t know. This would obviously be much more intrusive. I can =
add a
get_pte() and write a Coccinelle script to use it instead of reading the
PTE, but in most cases, I presume, it would be an overkill.

The reason for that is that the PTEs are supposed to be accessed while
holding the page-table lock, and the hardware can only change dirty & =
access
bits. I think that any code that assumes that these bits do not change =
while
holding the lock is already broken in more ways.