Date: Sun, 25 Nov 2018 12:53:30 -0800
From: Andi Kleen
To: Thomas Gleixner
Cc: LKML, x86@kernel.org, Peter Zijlstra, Andy Lutomirski, Linus Torvalds, Jiri Kosina, Tom Lendacky, Josh Poimboeuf, Andrea Arcangeli, David Woodhouse, Tim Chen, Dave Hansen, Casey Schaufler, Asit Mallick, Arjan van de Ven, Jon Masters, Waiman Long, Greg KH, Dave Stewart, Kees Cook
Subject: Re: [patch V2 21/28] x86/speculation: Prepare for conditional IBPB in switch_mm()
Message-ID: <20181125205330.GO13936@tassilo.jf.intel.com>
In-Reply-To: <20181125185005.466447057@linutronix.de>
X-Mailing-List: linux-kernel@vger.kernel.org

> The current check whether two tasks belong to the same context is using the
> tasks context id. While correct, it's simpler to use the mm pointer because
> it allows to mangle the TIF_SPEC_IB bit into it. The context id based
> mechanism requires extra storage, which creates worse code.

[We tried similar in some really early versions, but it was replaced
with the context id later.]

One issue with using the pointer is that the pointer can be reused
when the original mm_struct is freed, and then gets reallocated
immediately to an attacker. Then the attacker may avoid the IBPB.

Granted, it's probably hard to generate any reasonable leak bandwidth with
such a complex scenario, but it still seemed better to close the hole.

Because of concerns with that, the counter ID was used instead. The ID can
wrap too, but since it's 64-bit, it will take very long.

-Andi
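
The reuse concern raised in the reply above, as an added example that is not part of the original message and is not kernel code: a toy one-slot allocator hands a freed address straight back, so a pointer comparison treats the new context as the old one, while a 64-bit counter ID does not. All names here (`struct mm`, `mm_alloc`, `need_barrier_by_ptr`, `need_barrier_by_id`, `reuse_scenario`) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model, constructed for illustration; not the kernel's mm_struct. */
struct mm { uint64_t ctx_id; bool in_use; };

static struct mm slab[1];         /* one slot: a freed object is reused at once */
static uint64_t next_ctx_id = 1;  /* 64-bit counter, assigned once per allocation */

static struct mm *mm_alloc(void)
{
    for (size_t i = 0; i < sizeof(slab) / sizeof(slab[0]); i++) {
        if (!slab[i].in_use) {
            slab[i].in_use = true;
            slab[i].ctx_id = next_ctx_id++;
            return &slab[i];
        }
    }
    return NULL;
}

static void mm_free(struct mm *mm) { mm->in_use = false; }

/* What a CPU remembers about the last user context it ran. */
struct cpu_state { const struct mm *last_mm; uint64_t last_ctx_id; };

/* Both checks return true when the barrier (IBPB in the thread) is required. */
static bool need_barrier_by_ptr(const struct cpu_state *c, const struct mm *next)
{ return c->last_mm != next; }
static bool need_barrier_by_id(const struct cpu_state *c, const struct mm *next)
{ return c->last_ctx_id != next->ctx_id; }

struct result { bool same_address, ptr_barrier, id_barrier; };

/* First context runs and exits; a second one is allocated at the same address. */
static struct result reuse_scenario(void)
{
    struct mm *first = mm_alloc();
    struct cpu_state cpu = { first, first->ctx_id };
    mm_free(first);
    struct mm *second = mm_alloc();   /* different context, recycled storage */
    struct result r = { second == first, need_barrier_by_ptr(&cpu, second),
                        need_barrier_by_id(&cpu, second) };
    mm_free(second);
    return r;
}

int main(void)
{
    struct result r = reuse_scenario();
    printf("same address: %d, barrier by pointer: %d, barrier by id: %d\n",
           r.same_address, r.ptr_barrier, r.id_barrier);
    return 0;
}
```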