Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp3052276img; Mon, 25 Mar 2019 02:46:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqz/YedqEvhSTMCzAhd9x5x5JUMMN1BxLf3zNXRSCUxUij+qGJbneUJdN2/KQ+lIfXN0irM/ X-Received: by 2002:a65:63c2:: with SMTP id n2mr22564472pgv.439.1553507182665; Mon, 25 Mar 2019 02:46:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553507182; cv=none; d=google.com; s=arc-20160816; b=dLWBR0E2PXwAo0iXWd/2lqB1DtNJoXZZUoo9nEA7EyPI3H6o8YsbTw/3oHUhdY3vCb X/y0TY93R2m8OJnee+5kim7p06XsIi/mVeiiqwcSsaCh8bJW9Egl9v/FyA5B7mIVsEF7 RtVoUObIrEPpPEGTWkTd/QkUzLlBd/8yOQBqs/kPbLOHfSafQooV87l1L4cqAZC8Rc1g NMaUOp6Yx0Jl0JBkKew8h5J/SRM6mr2stCakJE4DHfbNC9Or65JgjpCRgp3HIyRXS4Fi QyB6N1PCaD89D18LT1qHtpjUJ8sjFBwPhtYMemnBolcAAOQui5fQ4eqWXPjgVaYsGbN1 u3vA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date; bh=S3E+kB9WUGzKLbNCemF+RGYbqee7l4cAen4rQXhlKnQ=; b=r9KRPFsNy8yV+ea8sC7UgblwbS7Cxpo/zZ35/P0weGHZTMpaSCOxhIKIR6Iw/WbfqR jzgQjy3nL8koWub+80qpTWa5lJAA/KGDtEF9pltQf/aQ5PMLwb9NK0Nb1p8EeZK1GvcZ SeajtQXM53oCl4x2HUEzFRHyhJ3YlbxVtcNNo1dMr4xzYYmjJL7HIzGAZelq25bSG6/Z ftU5SmS9uzdvIh8d9gSCFiZ1/2W30h7KDC431OJEryXg22e5x1DuYCx6I1M87dTHEa58 caoWHhxJLJaTm9gD39b+GicHoxZCn8cpqXDZMHYI9rd1cqFukVNY+lpUeRfjCyQIb7Jd Kaig== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z9si12567805pgv.265.2019.03.25.02.46.07; Mon, 25 Mar 2019 02:46:22 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730501AbfCYJoQ (ORCPT + 99 others); Mon, 25 Mar 2019 05:44:16 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:45197 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730757AbfCYJoO (ORCPT ); Mon, 25 Mar 2019 05:44:14 -0400 Received: from p5492e2fc.dip0.t-ipconnect.de ([84.146.226.252] helo=nanos) by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1h8M9F-0006mF-DJ; Mon, 25 Mar 2019 10:44:05 +0100 Date: Mon, 25 Mar 2019 10:44:04 +0100 (CET) From: Thomas Gleixner To: "Chang S. Bae" cc: Ingo Molnar , Andy Lutomirski , "H . Peter Anvin" , Andi Kleen , Ravi Shankar , LKML , Dave Hansen Subject: Re: [RESEND PATCH v6 08/12] x86/fsgsbase/64: Use the per-CPU base as GSBASE at the paranoid_entry In-Reply-To: <1552680405-5265-9-git-send-email-chang.seok.bae@intel.com> Message-ID: References: <1552680405-5265-1-git-send-email-chang.seok.bae@intel.com> <1552680405-5265-9-git-send-email-chang.seok.bae@intel.com> User-Agent: Alpine 2.21 (DEB 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-Linutronix-Spam-Score: -1.0 X-Linutronix-Spam-Level: - X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required, ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 15 Mar 2019, Chang S. Bae wrote: > The FSGSBASE instructions allow fast accesses on GSBASE. Now, at the > paranoid_entry, the per-CPU base value can be always copied to GSBASE. > And the original GSBASE value will be restored at the exit. Again you are describing WHAT but not the WHY. > So far, GSBASE modification has not been directly allowed from userspace. > So, swapping GSBASE has been conditionally executed according to the > kernel-enforced convention that a negative GSBASE indicates a kernel value. > But when FSGSBASE is enabled, userspace can put an arbitrary value in > GSBASE. The change will secure a correct GSBASE value with FSGSBASE. So that's some WHY, but it should be explained _BEFORE_ explaining the change. This changelog style is as bad as top posting. Why? 1) FSGSBASE is fast 2) Copy GSBASE always on paranoid exit and restore on entry 3) Explain the context No. You want to explain context first and then explain why this needs a change when FSGSBASE is enabled and how that change looks like at the conceptual level. > Also, factor out the RDMSR-based GSBASE read into a new macro, > READ_MSR_GSBASE. This new macro is related to this change in what way? None AFAICT. I'm fine with the macro itself, but the benefit for a single usage site is dubious. Adding this macro and using it should be done with a separate patch before this one, so this patch becomes simpler to review. > /* > @@ -1178,9 +1185,38 @@ ENTRY(paranoid_entry) > * This is also why CS (stashed in the "iret frame" by the > * hardware at entry) can not be used: this may be a return > * to kernel code, but with a user CR3 value. > + * > + * As long as this PTI macro doesn't depend on kernel GSBASE, > + * we can do it early. This is because FIND_PERCPU_BASE > + * references data in kernel space. It's not about 'can do it early'. The FSGSBASE handling requires that the kernel page tables are switched in. And for review and bisectability sake moving the CR3 switch in front of the GS handling should be done as a separate preparatory patch. > */ > SAVE_AND_SWITCH_TO_KERNEL_CR3 scratch_reg=%rax save_reg=%r14 > > + /* > + * Read GSBASE by RDGSBASE. Kernel GSBASE is found > + * from the per-CPU offset table with a CPU NR. That CPU NR comes out of thin air, right? This code is complex enough by itself and does not need further confusion by comments which need a crystal ball for decoding. > + */ Sigh. I can't see how that comment explains the ALTERNATIVE jump. > + ALTERNATIVE "jmp .Lparanoid_entry_no_fsgsbase", "",\ > + X86_FEATURE_FSGSBASE Please separate the above from the below with a new line for readability sake. > + rdgsbase %rbx > + FIND_PERCPU_BASE %rax > + wrgsbase %rax So this really should be wrapped in a macro like: SAVE_AND_SET_GSBASE %rbx, %rax which makes it entirely clear what this is about. > + ret > + > @@ -1194,12 +1230,21 @@ END(paranoid_entry) > * be complicated. Fortunately, we there's no good reason > * to try to handle preemption here. > * > - * On entry, ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) > + * On entry, > + * With FSGSBASE, > + * %rbx is original GSBASE that needs to be restored on the exit > + * Without that, > + * %ebx is "no swapgs" flag (1: don't need swapgs, 0: need it) > */ > ENTRY(paranoid_exit) > UNWIND_HINT_REGS > DISABLE_INTERRUPTS(CLBR_ANY) > TRACE_IRQS_OFF_DEBUG > + ALTERNATIVE "jmp .Lparanoid_exit_no_fsgsbase", "nop",\ > + X86_FEATURE_FSGSBASE > + wrgsbase %rbx > + jmp .Lparanoid_exit_no_swapgs; Again. A few newlines would make it more readable. This modifies the semantics of paranoid_entry and paranoid_exit. Looking at the usage sites there is the following code in the nmi maze: /* * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit * as we should not be calling schedule in NMI context. * Even with normal interrupts enabled. An NMI should not be * setting NEED_RESCHED or anything that normal interrupts and * exceptions might do. */ call paranoid_entry UNWIND_HINT_REGS /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */ movq %rsp, %rdi movq $-1, %rsi call do_nmi /* Always restore stashed CR3 value (see paranoid_entry) */ RESTORE_CR3 scratch_reg=%r15 save_reg=%r14 testl %ebx, %ebx /* swapgs needed? */ jnz nmi_restore nmi_swapgs: SWAPGS_UNSAFE_STACK nmi_restore: POP_REGS I might be missing something, but how is that supposed to work when paranoid_entry uses FSGSBASE? I think it's broken, but if it's not then there is a big fat comment missing explaining why. Thanks, tglx