Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2471271imm; Thu, 27 Sep 2018 13:28:51 -0700 (PDT) X-Google-Smtp-Source: ACcGV63wiQE1ent8/b+Wo0G5dPZ8TTPik+54WbRCY0Xr3GXOq6xY3jRcSEFUlUT90grQfE544Hny X-Received: by 2002:a17:902:158b:: with SMTP id m11-v6mr12772362pla.102.1538080131595; Thu, 27 Sep 2018 13:28:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538080131; cv=none; d=google.com; s=arc-20160816; b=bfpS/ixxad1aLn7k/yb378PLhfAye2ZLy6Z9RDS8RIEgThj74FUY5N1bs/qGndqGWf vaHXXZ0X42x9NHll/QFrhwPR+SwAMnwyE69FRlIjppPd5mu+pn5Q/UtK696VE/8BdO6O YowRJelWQfXpW9H2K28P2s0oqIrkWbjQhN03LavToeufapwigwa+zNwhX6VYbXOX2WLS u0fyVEMPbkO25ya8rTWsmjFntz32KjzR3r1uVket+2IvCB9/S4OtIK1P7bKEc1fu2b1B IkRyv0R2rz+S5llcQe63EqfvKvhjeJGj6HGKrZK+YbP4wgrAPiGZn517ShSGB24TdXi3 ABpw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=6lbu6bxB60tCDAuvGG0eePJ/65yGrWcY+gm6+kg0ZWc=; b=gzi3ZCyNhbhTqudLan09wODyjUi4pI6tLHsbJpR3t/F3mXsATzwN8OFL6X4tEk6rh2 bzVz0xxRZ1mGhIpzmoDPPE41K33ymCe/Bdt2LdwV/ozNmpI7gzDFx3dXMw6J1O4Bq/s0 ZMyp30Gkh3qD+sm6XzXjhnEGyvw2xTKcXJW0+48dy/LkW3FPLKIkbEGKFsrriAq/h3YK 9zFsQir4/qcX8YwgpDLqwxWiO3t5j9+AhsOMMdl9qhUBnL6pNV1VxdqzvBSfC3TwyBnj TemJNyhfhsNnzrxkQn/MTvlSTrpi7xtgliqeHsr+7Op7gvsWlwCcyYegHMiz9/2zd+UM OebA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 3-v6si2663908plr.488.2018.09.27.13.28.36; Thu, 27 Sep 2018 13:28:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727832AbeI1Cs2 (ORCPT + 99 others); Thu, 27 Sep 2018 22:48:28 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:52960 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727361AbeI1Cs2 (ORCPT ); Thu, 27 Sep 2018 22:48:28 -0400 Received: from p5492e4c1.dip0.t-ipconnect.de ([84.146.228.193] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1g5ctI-0002iA-9P; Thu, 27 Sep 2018 22:28:04 +0200 Date: Thu, 27 Sep 2018 22:28:03 +0200 (CEST) From: Thomas Gleixner To: Stephen Smalley cc: Jiri Kosina , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , "Woodhouse, David" , Andi Kleen , Tim Chen , "Schaufler, Casey" , linux-kernel@vger.kernel.org, x86@kernel.org Subject: Re: [PATCH v7 1/3] x86/speculation: apply IBPB more strictly to avoid cross-process data leak In-Reply-To: <7f9e1a22-37a8-db88-ffc0-91961174ced4@tycho.nsa.gov> Message-ID: References: <7f9e1a22-37a8-db88-ffc0-91961174ced4@tycho.nsa.gov> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 27 Sep 2018, Stephen Smalley wrote: > On 09/25/2018 08:38 AM, Jiri Kosina wrote: > > +static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id) > > +{ > > + /* > > + * Check if the current (previous) task has access to the memory > > + * of the @tsk (next) task. If access is denied, make sure to > > + * issue a IBPB to stop user->user Spectre-v2 attacks. > > + * > > + * Note: __ptrace_may_access() returns 0 or -ERRNO. > > + */ > > + return (tsk && tsk->mm && tsk->mm->context.ctx_id != last_ctx_id && > > + ptrace_may_access_sched(tsk, PTRACE_MODE_SPEC_IBPB)); > > Would there be any safe way to perform the ptrace check earlier at a point > where the locking constraints are less severe, and just pass down the result > to this code? Possibly just defaulting to enabling IBPB for safety if > something changed in the interim that would invalidate the earlier ptrace > check? Probably not possible, but I thought I'd ask as it would avoid the > need to skip both the ptrace_has_cap check and the LSM hook, and would reduce > the critical section. It's not possible unfortunately as this happens under the scheduler run queue lock and this needs to be taken to figure out which is the next task. We can't drop it before context switch and revisit the decision afterwards to verify it, that would be a massive performance issue and open an even more horrible can of worms. Any check which needs to be done in that context should be as minimalistic as possible. So having a special mode which then might invoke special hooks makes a lot of sense. > > + * Returns true on success, false on denial. > > + * > > + * Similar to ptrace_may_access(). Only to be called from context switch > > + * code. Does not call into audit and the regular LSM hooks due to locking > > + * constraints. > > Pardon my ignorance, but can you clarify exactly what are the locking > constraints for any code that might be called now or in the future from > ptrace_may_access_sched(). What's permissible? rcu_read_lock()? rcu_read_lock() is fine. Locks might be fine, but the probability that you run into a lock inversion is extremly high. Also please keep in mind that this wants to be a raw_spinlock as otherwise preempt-RT will have issues and the lock sections need to be really short. switch_to() is a hot path. Thanks, tglx