Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation

From: Marc Zyngier
Date: Thu May 24 2018 - 07:43:38 EST

Next message: Lorenzo Pieralisi: "Re: [PATCH] PCI: hv: Do not wait forever on a device that has disappeared"
Previous message: Yong Wu: "[PATCH v4] dt-bindings: mediatek: Add binding for mt2712 IOMMU and SMI"
In reply to: Will Deacon: "Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 24/05/18 13:19, Will Deacon wrote:
> On Thu, May 24, 2018 at 01:16:38PM +0100, Marc Zyngier wrote:
>> On 24/05/18 13:01, Mark Rutland wrote:
>>> On Tue, May 22, 2018 at 04:06:43PM +0100, Marc Zyngier wrote:
>>>> In order to allow userspace to be mitigated on demand, let's
>>>> introduce a new thread flag that prevents the mitigation from
>>>> being turned off when exiting to userspace, and doesn't turn
>>>> it on on entry into the kernel (with the assumtion that the
>>>
>>> Nit: s/assumtion/assumption/
>>>
>>>> mitigation is always enabled in the kernel itself).
>>>>
>>>> This will be used by a prctl interface introduced in a later
>>>> patch.
>>>>
>>>> Signed-off-by: Marc Zyngier <marc.zyngier@xxxxxxx>
>>>
>>> On the assumption that this flag cannot be flipped while a task is in
>>> userspace:
>>
>> Well, that's the case unless you get into the seccomp thing, which does
>> change TIF_SSBD on all threads of the task, without taking it to the
>> kernel first. That nicely breaks the state machine, and you end-up
>> running non-mitigated in the kernel. Oops.
>>
>> I have a couple of patches fixing that, using a second flag
>> (TIF_SSBD_PENDING) that gets turned into the real thing on exit to
>> userspace. It's pretty ugly though.
>
> ... which introduces the need for atomics on the entry path too :(

Oh, I'm not saying it is nice. It would hit us on the exception return
to userspace for all tasks (and not only the mitigated ones). I'd rather
not have this at all.

> I would /much/ rather kill the seccomp implicit enabling of the mitigation,
> or at least have a way to opt-out per arch since it doesn't seem to be
> technically justified imo.
I agree. The semantics are really odd (the thread still runs unmitigated
until it traps into the kernel), and I don't really get why seccomp
tasks should get a special treatment compared to the rest of the userspace.

But 4.17 is only something like 10 days away, so whatever we decide,
we'd better decide it soon.

M.
--
Jazz is not dead. It just smells funny...

Next message: Lorenzo Pieralisi: "Re: [PATCH] PCI: hv: Do not wait forever on a device that has disappeared"
Previous message: Yong Wu: "[PATCH v4] dt-bindings: mediatek: Add binding for mt2712 IOMMU and SMI"
In reply to: Will Deacon: "Re: [PATCH 09/14] arm64: ssbd: Introduce thread flag to control userspace mitigation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]