Re: [patch 20/24] x86/speculation: Split out TIF update

From: Tim Chen
Date: Mon Nov 26 2018 - 13:35:43 EST


On 11/22/2018 11:37 PM, Ingo Molnar wrote:

>>> I think all the call paths from prctl and seccomp coming here
>>> have tsk == current.
>>
>> We had that discussion before with SSBD:
>>
>> seccomp_set_mode_filter()
>>   seccomp_attach_filter()
>>     seccomp_sync_threads()
>>       for_each_thread(t)
>>         if (t == current)
>>           continue;
>>         seccomp_assign_mode(t)
>>           arch_seccomp_spec_mitigate(t);
>>
>>   seccomp_assign_mode(current...)
>>     arch_seccomp_spec_mitigate();
>>
>>> But if task_update_spec_tif gets used in the future where tsk is running
>>> on a remote CPU, this could lead to the MSR getting out of sync with the
>>> running task's TIF flag. This will break either performance or security.
>>
>> We also had that discussion with SSBD and decided that we won't chase
>> threads and send IPIs around. Yes, it's not perfect, but not the end of the
>> world either. For PRCTL it's a non issue.


Looks like a seccomp thread can be running on a remote CPU when its TIF_SPEC_IB flag
gets updated.

I wonder if this will cause STIBP to be always off in this scenario, when
two tasks with SPEC_IB flags running on a remote CPU have the STIBP bit always
*off* in the SPEC MSR.

Let's say we have tasks A and B running on a remote CPU:

task A: SPEC_IB flag is on
task B: SPEC_IB flag is off, but it is currently running on the remote CPU and the SPEC MSR's STIBP bit is off

Now arch_seccomp_spec_mitigate is called, setting the SPEC_IB flag on task B.
SPEC MSR becomes out of sync with running task B's SPEC_IB flag.

Task B context switches to task A. Because both tasks have SPEC_IB flag set and the flag
status is unchanged, SPEC MSR's STIBP bit is not updated.
SPEC MSR STIBP bit remains off if tasks A and B are the only tasks running
on the CPU.

There is an equivalent scenario where the SPEC MSR's STIBP bit remains on even though both
running tasks A's and B's SPEC_IB flags are turned off.

I wonder if I may be missing something, so that the above scenario is not a concern?

Thanks.

Tim


>
> Fair enough and agreed - but please add a comment for all this, as it's a
> non-trivial and rare call context and a non-trivial implementation
> trade-off as a result.
>
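The scenario Tim describes, replayed as an added toy model (constructed for this note, not kernel code): a per-CPU SPEC_CTRL value, tasks carrying a TIF_SPEC_IB bit, and a context switch that only writes the MSR when the bit differs between the outgoing and incoming task. A remote flag update that touches only the TIF bit leaves the MSR stale; the same update on the current task, which also writes the MSR, does not. The bit positions and function names are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define TIF_SPEC_IB      (1u << 0)  /* model bit for the thread flag */
#define SPEC_CTRL_STIBP  (1u << 1)  /* STIBP bit of MSR_IA32_SPEC_CTRL */

struct task { const char *name; unsigned int tif; };
struct cpu  { unsigned int spec_ctrl_msr; struct task *curr; };

/* Model of the "tifp ^ tifn" switch logic: write STIBP only on a change. */
static void switch_to(struct cpu *c, struct task *next)
{
    unsigned int tifp = c->curr->tif, tifn = next->tif;
    if ((tifp ^ tifn) & TIF_SPEC_IB) {
        if (tifn & TIF_SPEC_IB) c->spec_ctrl_msr |=  SPEC_CTRL_STIBP;
        else                    c->spec_ctrl_msr &= ~SPEC_CTRL_STIBP;
    }
    c->curr = next;
}

/* seccomp_sync_threads() path for t != current: flag only, no IPI. */
static void remote_set_spec_ib(struct task *t) { t->tif |= TIF_SPEC_IB; }

/* Path for t == current: flag and MSR are updated together. */
static void local_set_spec_ib(struct cpu *c, struct task *t)
{
    t->tif |= TIF_SPEC_IB;
    c->spec_ctrl_msr |= SPEC_CTRL_STIBP;
}

/* Consistency check: does the MSR reflect the running task's flag? */
static bool msr_in_sync(const struct cpu *c)
{
    bool want = c->curr->tif & TIF_SPEC_IB;
    bool have = c->spec_ctrl_msr & SPEC_CTRL_STIBP;
    return want == have;
}

bool remote_update_leaves_msr_stale(void)
{
    struct task a = { "A", TIF_SPEC_IB }, b = { "B", 0 };
    struct cpu cpu = { 0, &b };      /* B running, STIBP off: consistent */
    remote_set_spec_ib(&b);          /* seccomp sets B's flag from elsewhere */
    switch_to(&cpu, &a);             /* A and B agree, so no MSR write */
    return !msr_in_sync(&cpu);       /* true: STIBP still off under A */
}

bool local_update_keeps_msr_in_sync(void)
{
    struct task a = { "A", TIF_SPEC_IB }, b = { "B", 0 };
    struct cpu cpu = { 0, &b };
    local_set_spec_ib(&cpu, &b);     /* B == current: MSR written too */
    switch_to(&cpu, &a);
    return msr_in_sync(&cpu);        /* true */
}
```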