RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers

From: David Laight
Date: Thu Mar 17 2022 - 18:21:12 EST

Next message: Jarkko Sakkinen: "Re: [PATCH V2 16/32] x86/sgx: Support restricting of enclave page permissions"
Previous message: Josh Poimboeuf: "Re: [PATCH] x86/sev: Add ENCODE_FRAME_POINTER after stack changed for #VC"
In reply to: Thomas Gleixner: "Re: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Next in thread: Luck, Tony: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Thomas Gleixner
> Sent: 17 March 2022 18:07
>
> On Thu, Mar 17 2022 at 12:13, Pavel Machek wrote:
> >> In https://lore.kernel.org/all/87y22uujkm.ffs@tglx/ Thomas
> >> said:
> >>
> >> Its's simply wishful thinking that stuff gets fixed because of a
> >> WARN_ONCE(). This has never worked. The only thing which works is to
> >> make stuff fail hard or slow it down in a way which makes it annoying
> >> enough to users to complain.
> >>
> >> He was talking about WBINVD. But it made me think about how we
> >> use the split lock detection feature in Linux.
> >>
> >> Existing code has three options for applications:
> >> 1) Don't enable split lock detection (allow arbitrary split locks)
> >> 2) Warn once when a process uses split lock, but let the process
> >> keep running with split lock detection disabled
> >> 3) Kill process that use split locks
> >
> > I'm not sure what split locks are, and if you want applications to
> > stop doing that maybe documentation would help.
>
> Split locks are lock prefixed operations which cross a cache line
> boundary. The way how they are implemented is taking the bus lock, which
> is the largest serialization hammer.
>
> Bus locks are also triggered by lock prefixed operations on uncached
> memory and on MMIO.
>
> > Anyway, you can't really introduce regressions to userspace to "get
> > stuff fixed" in applications.
>
> Split locks can be triggered by unpriviledged user space and can be used
> to run a local DoS attack. A very effective DoS to be clear.
>
> We have no indication whether a process is malicious or just doing
> stupid things. The only reason to not kill the offending process
> instantly is that there can be legacy binary only executables which
> trigger that due to stupidity.
>
> But that opens up DoS at the same time. So the only way to "protect"
> against that is to slow down the freqeuncy of buslocks unconditionally.
> If you don't like that after analysing the situation you can turn split
> lock detection off.
>
> The only binary I've seen so far triggering this, is some stoneage "value
> add" blob from HP which is also doing totally nuts other things.

They are actually more likely to happen in the kernel
when code casts int[] to long[] and then uses the 'BIT' functions to
set/clear bits - which do locked operations.
Quite often then don't need the locks anyway.
And that cast is surprisingly common and completely broken on BE.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Next message: Jarkko Sakkinen: "Re: [PATCH V2 16/32] x86/sgx: Support restricting of enclave page permissions"
Previous message: Josh Poimboeuf: "Re: [PATCH] x86/sev: Add ENCODE_FRAME_POINTER after stack changed for #VC"
In reply to: Thomas Gleixner: "Re: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Next in thread: Luck, Tony: "RE: [PATCH v2 1/2] x86/split_lock: Make life miserable for split lockers"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]