Re: [patch V2 21/28] x86/speculation: Prepare for conditional IBPB in switch_mm()

From: Andi Kleen
Date: Sun Nov 25 2018 - 15:53:34 EST


> The current check whether two tasks belong to the same context is using the
> tasks context id. While correct, it's simpler to use the mm pointer because
> it allows mangling the TIF_SPEC_IB bit into it. The context id based
> mechanism requires extra storage, which creates worse code.

[We tried similar in some really early versions, but it was replaced
with the context id later.]

One issue with using the pointer is that the pointer can be reused
when the original mm_struct is freed, and then gets reallocated
immediately to an attacker. Then the attacker may avoid the IBPB.

It's probably hard to generate any reasonable leak bandwidth with
such a complex scenario, but it still seemed better to close the hole.

Because of concerns about that, the counter ID was used instead.

The ID can wrap too, but since it's 64-bit, it will take a very long time.

-Andi
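As an added illustration of the reuse hazard described in the reply above (example code written for this page, not part of the patch, the kernel, or Andi's mail), the toy model below compares the two identity checks side by side. All names (`mm_model`, `switch_mm_model`, the single-slot "slab", the hypothetical global counter `next_ctx_id`) are assumptions made for the model: the point is only that a pointer compare can report "same mm" after a free-and-reallocate, while a monotonically increasing context id cannot, so the id-based check still issues the barrier.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for mm_struct: it carries only a context id. */
struct mm_model {
    uint64_t ctx_id;   /* assigned from a 64-bit counter, never handed out twice */
};

/* Hypothetical global generator; wraps only after 2^64 allocations. */
static uint64_t next_ctx_id = 1;

/* Constructed single-slot allocator: freeing and allocating again returns
 * the very same address, which is the reuse case the reply warns about. */
static struct mm_model slab_slot;
static bool slab_in_use;

static struct mm_model *mm_alloc(void)
{
    if (slab_in_use)
        return NULL;            /* toy model: one live mm at a time */
    slab_in_use = true;
    slab_slot.ctx_id = next_ctx_id++;
    return &slab_slot;
}

static void mm_free(struct mm_model *mm)
{
    assert(mm == &slab_slot && slab_in_use);
    slab_in_use = false;
}

/* Per-CPU "last user" bookkeeping, kept for both schemes in parallel. */
struct cpu_state {
    const struct mm_model *last_mm_ptr;  /* pointer-based scheme */
    uint64_t last_ctx_id;                /* context-id-based scheme */
    unsigned ibpb_by_ptr;                /* barriers each scheme would issue */
    unsigned ibpb_by_id;
};

/* Model of the decision in switch_mm(): issue IBPB unless the CPU already
 * ran this same mm. Each scheme answers "same mm?" with its own identity. */
static void switch_mm_model(struct cpu_state *cpu, const struct mm_model *next)
{
    if (cpu->last_mm_ptr != next)
        cpu->ibpb_by_ptr++;
    if (cpu->last_ctx_id != next->ctx_id)
        cpu->ibpb_by_id++;
    cpu->last_mm_ptr = next;
    cpu->last_ctx_id = next->ctx_id;
}

struct scenario_result {
    unsigned ptr_ibpb;   /* IBPBs issued on the second switch, pointer scheme */
    unsigned id_ibpb;    /* IBPBs issued on the second switch, id scheme */
};

/* Scenario: process A runs on this CPU, exits (its mm is freed), process B
 * is created and receives the same mm address, then B is switched in on the
 * same CPU. Returns how many barriers each scheme issues for that switch. */
static struct scenario_result run_reuse_scenario(void)
{
    struct cpu_state cpu = {0};
    struct mm_model *a = mm_alloc();
    switch_mm_model(&cpu, a);           /* first switch: both schemes issue IBPB */
    mm_free(a);

    struct mm_model *b = mm_alloc();    /* same address as a, fresh ctx_id */
    unsigned before_ptr = cpu.ibpb_by_ptr, before_id = cpu.ibpb_by_id;
    switch_mm_model(&cpu, b);
    struct scenario_result r = {
        cpu.ibpb_by_ptr - before_ptr,   /* 0: pointer compare sees "same mm" */
        cpu.ibpb_by_id - before_id,     /* 1: id compare sees a new context */
    };
    mm_free(b);
    return r;
}

int main(void)
{
    struct scenario_result r = run_reuse_scenario();
    printf("pointer scheme issued %u IBPB, context-id scheme issued %u IBPB\n",
           r.ptr_ibpb, r.id_ibpb);
    return 0;
}
```

The second switch is where the two checks diverge: the pointer-based scheme skips the barrier because the address matches the CPU's last user, while the id-based scheme issues it because the reallocated mm received a new context id. That is the same trade-off the reply states, with the 64-bit counter's wrap left as a theoretical limit rather than modelled.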