From: Thomas Gleixner
Subject: Re: [patch V3 01/13] entry: Provide generic syscall entry functionality
Date: Sun, 19 Jul 2020 12:17:07 +0200
Message-ID: <87v9ijollo.fsf@nanos.tec.linutronix.de>
References: <20200716182208.180916541@linutronix.de> <20200716185424.011950288@linutronix.de> <202007161336.B993ED938@keescook> <87d04vt98w.fsf@nanos.tec.linutronix.de> <202007171045.FB4A586F1D@keescook> <87mu3yq6sf.fsf@nanos.tec.linutronix.de> <875zakq56t.fsf@nanos.tec.linutronix.de>
Cc: Andy Lutomirski, Kees Cook, LKML, X86 ML, linux-arch, Will Deacon, Arnd Bergmann, Mark Rutland, Keno Fischer, Paolo Bonzini, kvm list, Gabriel Krisman Bertazi
List-Id: linux-arch.vger.kernel.org

Andy Lutomirski writes:
> On Sat, Jul 18, 2020 at 7:16 AM Thomas Gleixner wrote:
>> Andy Lutomirski writes:
>> > FWIW, TIF_USER_RETURN_NOTIFY is a bit of an odd duck: it's an
>> > entry/exit word *and* a context switch word. The latter is because
>> > it's logically a per-cpu flag, not a per-task flag, and the context
>> > switch code moves it around so it's always set on the running task.
>>
>> Gah, I missed the context switch thing of that. That stuff is hideous.
>
> It's also delightful because anything that screws up that dance (such
> as failure to do the exit-to-usermode path exactly right) likely
> results in an insta-root-hole. If we fail to run user return
> notifiers, we can run user code with incorrect syscall MSRs, etc.

Looking at it deeper, having that thing in the loop is a pointless
exercise. This really wants to be done _after_ the loop.
Thanks,

        tglx