Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Content-Type: text/plain;
        charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Subject: Re: [PATCH net-next 02/15] net: dsa: sja1105: Remove usage of
 iterator for list_add() after loop
From:   Jakob Koschel <jakobkoschel@gmail.com>
In-Reply-To: <20220410110508.em3r7z62ufqcbrfm@skbuf>
Date:   Sun, 10 Apr 2022 14:39:48 +0200
Cc:     "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>, Andrew Lunn <andrew@lunn.ch>,
        Vivien Didelot <vivien.didelot@gmail.com>,
        Florian Fainelli <f.fainelli@gmail.com>,
        Lars Povlsen <lars.povlsen@microchip.com>,
        Steen Hegelund <Steen.Hegelund@microchip.com>,
        UNGLinuxDriver@microchip.com, Ariel Elior <aelior@marvell.com>,
        Manish Chopra <manishc@marvell.com>,
        Edward Cree <ecree.xilinx@gmail.com>,
        Martin Habets <habetsm.xilinx@gmail.com>,
        Michael Ellerman <mpe@ellerman.id.au>,
        Benjamin Herrenschmidt <benh@kernel.crashing.org>,
        Paul Mackerras <paulus@samba.org>,
        Jiri Pirko <jiri@resnulli.us>,
        Casper Andersson <casper.casan@gmail.com>,
        Bjarni Jonasson <bjarni.jonasson@microchip.com>,
        Colin Ian King <colin.king@intel.com>,
        Michael Walle <michael@walle.cc>,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        Arnd Bergmann <arnd@arndb.de>,
        Eric Dumazet <edumazet@google.com>,
        Di Zhu <zhudi21@huawei.com>, Xu Wang <vulab@iscas.ac.cn>,
        Netdev <netdev@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
        Mike Rapoport <rppt@kernel.org>,
        Brian Johannesmeyer <bjohannesmeyer@gmail.com>,
        Cristiano Giuffrida <c.giuffrida@vu.nl>,
        "Bos, H.J." <h.j.bos@vu.nl>
Content-Transfer-Encoding: quoted-printable
Message-Id: <935062D0-C657-4C79-A0BE-70141D052EC0@gmail.com>
References: <20220407102900.3086255-1-jakobkoschel@gmail.com>
 <20220407102900.3086255-3-jakobkoschel@gmail.com>
 <20220408114120.tvf2lxvhfqbnrlml@skbuf>
 <FA317E17-3B09-411B-9DF6-05BDD320D988@gmail.com>
 <C9081CE3-B008-48DA-A97C-76F51D4F189F@gmail.com>
 <20220410110508.em3r7z62ufqcbrfm@skbuf>
To:     Vladimir Oltean <olteanv@gmail.com>
Precedence: bulk


> On 10. Apr 2022, at 13:05, Vladimir Oltean <olteanv@gmail.com> wrote:
>=20
> On Sun, Apr 10, 2022 at 12:51:56PM +0200, Jakob Koschel wrote:
>> I've just looked at this again in a bit more detail while integrating =
it into the patch series.
>>=20
>> I realized that this just shifts the 'problem' to using the 'pos' =
iterator variable after the loop.
>> If the scope of the list iterator would be lowered to the list =
traversal loop it would also make sense
>> to also do it for list_for_each().
>=20
> Yes, but list_for_each() was never formulated as being problematic in
> the same way as list_for_each_entry(), was it? I guess I'm starting to
> not understand what is the true purpose of the changes.

Sorry for having caused the confusion. Let me elaborate a bit to give =
more context.

There are two main benefits of this entire effort.

1) fix the architectural bugs and avoid any missuse of the list iterator =
after the loop
by construction. This only concerns the list_for_each_entry_*() macros =
and your change
will allow lowering the scope for all of those. It might be debatable =
that it would be
more consistent to lower the scope for list_for_each() as well, but it =
wouldn't be
strictly necessary.

2) fix *possible* speculative bugs. In our project, Kasper [1], we were =
able to show
that this can be an issue for the list traversal macros (and this is how =
the entire
effort started).
The reason is that the processor might run an additional loop iteration =
in speculative
execution with the iterator variable computed based on the head element. =
This can
(and we have verified this) happen if the CPU incorrectly=20
assumes !list_entry_is_head(pos, head, member).

If this happens, all memory accesses based on the iterator variable =
*potentially* open
the chance for spectre [2] gadgets. The proposed mitigation was setting =
the iterator variable
to NULL when the terminating condition is reached (in speculative safe =
way). Then,
the additional speculative list iteration would still execute but won't =
access any
potential secret data.

And this would also be required for list_for_each() since combined with =
the list_entry()
within the loop it basically is semantically identical to =
list_for_each_entry()
for the additional speculative iteration.

Now, I have no strong opinion on going all the way and since 2) is not =
the main motivation
for this I'm also fine with sticking to your proposed solution, but it =
would mean that implementing
a "speculative safe" list_for_each() will be more difficult in the =
future since it is using
the iterator of list_for_each() past the loop.

I hope this explains the background a bit better.

>=20
>> What do you think about doing it this way:
>>=20
>> diff --git a/drivers/net/dsa/sja1105/sja1105_vl.c =
b/drivers/net/dsa/sja1105/sja1105_vl.c
>> index b7e95d60a6e4..f5b0502c1098 100644
>> --- a/drivers/net/dsa/sja1105/sja1105_vl.c
>> +++ b/drivers/net/dsa/sja1105/sja1105_vl.c
>> @@ -28,6 +28,7 @@ static int sja1105_insert_gate_entry(struct =
sja1105_gating_config *gating_cfg,
>>                list_add(&e->list, &gating_cfg->entries);
>>        } else {
>>                struct sja1105_gate_entry *p;
>> +               struct list_head *pos =3D NULL;
>>=20
>>                list_for_each_entry(p, &gating_cfg->entries, list) {
>>                        if (p->interval =3D=3D e->interval) {
>> @@ -37,10 +38,14 @@ static int sja1105_insert_gate_entry(struct =
sja1105_gating_config *gating_cfg,
>>                                goto err;
>>                        }
>>=20
>> -                       if (e->interval < p->interval)
>> +                       if (e->interval < p->interval) {
>> +                               pos =3D &p->list;
>>                                break;
>> +                       }
>>                }
>> -               list_add(&e->list, p->list.prev);
>> +               if (!pos)
>> +                       pos =3D &gating_cfg->entries;
>> +               list_add(&e->list, pos->prev);
>>        }
>>=20
>>        gating_cfg->num_entries++;
>> --
>>=20
>>>=20
>>> Thanks for the suggestion.
>>>=20
>>>> 	}
>>>>=20
>>>> 	gating_cfg->num_entries++;
>>>> -----------------------------[ cut here =
]-----------------------------
>>>=20
>>> [1] =
https://lore.kernel.org/linux-kernel/20220407102900.3086255-12-jakobkosche=
l@gmail.com/
>>>=20
>>> 	Jakob
>>=20
>> Thanks,
>> Jakob

Thanks,
Jakob

[1] https://www.vusec.net/projects/kasper/
[2] https://spectreattack.com/spectre.pdf