Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp1618047imm;
        Tue, 2 Oct 2018 11:04:07 -0700 (PDT)
X-Google-Smtp-Source: ACcGV60bZDpHBVcDUmPqA/Qsf7xIujcllS2d7kq7ihLF/VajLhdeQ7T8/9SjaEtJVa40xTXzLUdK
X-Received: by 2002:a17:902:bcc2:: with SMTP id o2-v6mr18123777pls.22.1538503447920;
        Tue, 02 Oct 2018 11:04:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1538503447; cv=none;
        d=google.com; s=arc-20160816;
        b=Hq7Fg0r3haNqkQK1vUQsIkTmf0H0BED8qe7zO2nv9bpolxkR/X+pklT2LACDh9m5UB
         4Wn2SurYsXo5/rIzpqLNWTdxnTcHdaKruUpw/n+fQmrbcdDaGK30WKUtVZCUD97p1QKo
         Z6scOLUbAKbgd5tEJ4++dh1cx6ezQnGmshUOdNyJ+jtfsoajsPt36KGl8BVgJBRvJnKb
         Nz/r6twrqpmD49aXJes2u5Xy1S/FhtXvkFYp6bfyg2ov3Dk3M4IeZ3p+01QMaDAUrVuq
         mNjtN/SfYCVV96mySmJAKAIjpvb0wMVwlMvh8fbLlGyHu+fRnHPHiUhy4Vvaeu6dZ8Zi
         vsGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=cUoPp3By/xRZSF3f0XSRrB/cftlFC6pWR40u3uqobMs=;
        b=w5Q3x6bitGmc6qvxUub09T0FTE9vGvuGYBxQxHcj8rarZ2XIO9lTAUhLWJxaWaxsVz
         o498Rw/UAHoghlXG3E9QXJknJjyQHCdoiBPwkDYAF1yzsdgDsEtWhywRWYTQUCz7zB82
         4z4UUJF28r3U3VILsCErYc7kOnwMrleAMoemPXXdxo96XP40HeYcpfeXEuJnx6hWe1tY
         3gjU171+HdIpXNs7g2DdOTXfYwzD/oa9qKaUgF73eOwnBbx3B/PyIBfErBWDmBtFAE8j
         T6EXAIad3dZnNAPkpDcugwQpyzYLN40PRqT4kPCUPrRfo4+XXZAQTNePQwu9dpArps01
         p1xA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l185-v6si16332613pgl.270.2018.10.02.11.03.52;
        Tue, 02 Oct 2018 11:04:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727347AbeJCAnG (ORCPT <rfc822;tanxianhu@gmail.com> + 99 others);
        Tue, 2 Oct 2018 20:43:06 -0400
Received: from Galois.linutronix.de ([146.0.238.70]:60783 "EHLO
        Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726645AbeJCAnG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 Oct 2018 20:43:06 -0400
Received: from p5492e4c1.dip0.t-ipconnect.de ([84.146.228.193] helo=nanos)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tglx@linutronix.de>)
        id 1g7Ovy-0000wQ-NO; Tue, 02 Oct 2018 19:58:10 +0200
Date:   Tue, 2 Oct 2018 19:58:06 +0200 (CEST)
From:   Thomas Gleixner <tglx@linutronix.de>
To:     Tim Chen <tim.c.chen@linux.intel.com>
cc:     Jiri Kosina <jikos@kernel.org>,
        Tom Lendacky <thomas.lendacky@amd.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Josh Poimboeuf <jpoimboe@redhat.com>,
        Andrea Arcangeli <aarcange@redhat.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Andi Kleen <ak@linux.intel.com>,
        Dave Hansen <dave.hansen@intel.com>,
        Casey Schaufler <casey.schaufler@intel.com>,
        Asit Mallick <asit.k.mallick@intel.com>,
        Arjan van de Ven <arjan@linux.intel.com>,
        Jon Masters <jcm@redhat.com>, linux-kernel@vger.kernel.org,
        x86@kernel.org
Subject: Re: [Patch v2 4/4] x86/speculation: Add prctl to control indirect
 branch speculation per process
In-Reply-To: <ae3fb86f74de2001ddab477579afd813bca9baa9.1537920575.git.tim.c.chen@linux.intel.com>
Message-ID: <alpine.DEB.2.21.1810021949450.1435@nanos.tec.linutronix.de>
References: <cover.1537920575.git.tim.c.chen@linux.intel.com> <ae3fb86f74de2001ddab477579afd813bca9baa9.1537920575.git.tim.c.chen@linux.intel.com>
User-Agent: Alpine 2.21 (DEB 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, 25 Sep 2018, Tim Chen wrote:
>  
> +void arch_set_dumpable(struct task_struct *tsk, struct mm_struct *mm, int value)
> +{
> +	if (!static_branch_unlikely(&spectre_v2_app_lite))
> +		return;
> +	if (!static_cpu_has(X86_FEATURE_STIBP))
> +		return;
> +
> +	if ((unsigned) value != SUID_DUMP_USER) {

First of all we use unsigned int and not unsigned, Aside of that why is the
argument not unsigned int right away?

> +		set_tsk_thread_flag(tsk, TIF_STIBP);
> +		return;
> +	}
> +
> +	if (!task_spec_indir_branch_disable(tsk)) {
> +		clear_tsk_thread_flag(tsk, TIF_STIBP);
> +	}

No braces for single line statements required.

> +}
> +
>  #ifdef CONFIG_SECCOMP
>  void arch_seccomp_spec_mitigate(struct task_struct *task)
>  {
> @@ -766,11 +824,33 @@ static int ssb_prctl_get(struct task_struct *task)
>  	}
>  }
>  
> -static void set_stibp(struct task_struct *tsk)
> -{
> -	/*
> -	 * For lite protection mode, we set STIBP only 
> -	 * for non-dumpable processes.
> -	 */
> -
> -	if (!static_branch_unlikely(&spectre_v2_app_lite))
> -		return;
> -
> -	if (!tsk || !tsk->mm)
> -		return;
> -
> -	if (get_dumpable(tsk->mm) != SUID_DUMP_USER)
> -		set_tsk_thread_flag(tsk, TIF_STIBP);
> -	else
> -		clear_tsk_thread_flag(tsk, TIF_STIBP);
> -}

This patch ordering is really strange. You first add set_stibp() just to
replace it in the next patch.


> diff --git a/fs/exec.c b/fs/exec.c
> index 1ebf6e5..89edadd 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -1362,9 +1362,9 @@ void setup_new_exec(struct linux_binprm * bprm)
>  	if (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP ||
>  	    !(uid_eq(current_euid(), current_uid()) &&
>  	      gid_eq(current_egid(), current_gid())))
> -		set_dumpable(current->mm, suid_dumpable);
> +		set_dumpable(current, current->mm, suid_dumpable);
>  	else
> -		set_dumpable(current->mm, SUID_DUMP_USER);
> +		set_dumpable(current, current->mm, SUID_DUMP_USER);

What's the point of adding an argument instead of just replacing mm with
task?

> +void __weak arch_set_dumpable(struct task_struct *tsk, struct mm_struct *mm, int value)
> +{
> +	return;
> +}

So this wants to be structured as follows:

 Patch 1: Change the argument from mm to task and update the implementation of
 	  set_dumpable() accordingly and fixup the users

 Patch 2: Introduce the weak arch_set_dumpable()
	 
 Patch N: Add the x86 implementation along with the patch which adds the
          stipb magic instead of having that extra step of set_stipb() and
          then replacing it.

 ....

 Patch X: Add the PRCTL

It's well documented that patches should do one thing at a time and not
come as a hodgepogde of changes.

Thanks,

	tglx