Re: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers

From: Thomas Gleixner
Date: Thu Mar 17 2022 - 14:07:06 EST

Next message: Oleg Nesterov: "Re: [PATCH 2/2] ptrace: Return the signal to continue with from ptrace_stop"
Previous message: Kirill A. Shutemov: "Re: [PATCHv6 12/30] x86/tdx: Detect TDX at early kernel decompression time"
In reply to: Luck, Tony: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Next in thread: David Laight: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 17 2022 at 12:13, Pavel Machek wrote:
>> In https://lore.kernel.org/all/87y22uujkm.ffs@tglx/ Thomas
>> said:
>>
>> Its's simply wishful thinking that stuff gets fixed because of a
>> WARN_ONCE(). This has never worked. The only thing which works is to
>> make stuff fail hard or slow it down in a way which makes it annoying
>> enough to users to complain.
>>
>> He was talking about WBINVD. But it made me think about how we
>> use the split lock detection feature in Linux.
>>
>> Existing code has three options for applications:
>> 1) Don't enable split lock detection (allow arbitrary split locks)
>> 2) Warn once when a process uses split lock, but let the process
>> keep running with split lock detection disabled
>> 3) Kill process that use split locks
>
> I'm not sure what split locks are, and if you want applications to
> stop doing that maybe documentation would help.

Split locks are lock prefixed operations which cross a cache line
boundary. The way how they are implemented is taking the bus lock, which
is the largest serialization hammer.

Bus locks are also triggered by lock prefixed operations on uncached
memory and on MMIO.

> Anyway, you can't really introduce regressions to userspace to "get
> stuff fixed" in applications.

Split locks can be triggered by unpriviledged user space and can be used
to run a local DoS attack. A very effective DoS to be clear.

We have no indication whether a process is malicious or just doing
stupid things. The only reason to not kill the offending process
instantly is that there can be legacy binary only executables which
trigger that due to stupidity.

But that opens up DoS at the same time. So the only way to "protect"
against that is to slow down the freqeuncy of buslocks unconditionally.
If you don't like that after analysing the situation you can turn split
lock detection off.

The only binary I've seen so far triggering this, is some stoneage "value
add" blob from HP which is also doing totally nuts other things.

Thanks,

tglx

Next message: Oleg Nesterov: "Re: [PATCH 2/2] ptrace: Return the signal to continue with from ptrace_stop"
Previous message: Kirill A. Shutemov: "Re: [PATCHv6 12/30] x86/tdx: Detect TDX at early kernel decompression time"
In reply to: Luck, Tony: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Next in thread: David Laight: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]