From: Waiman Long <longman@redhat.com>
To: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@kernel.org>, Borislav Petkov <bp@alien8.de>,
Jonathan Corbet <corbet@lwn.net>
Cc: x86@kernel.org, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
Andi Kleen <ak@linux.intel.com>,
David Woodhouse <dwmw@amazon.co.uk>,
Jiri Kosina <jikos@kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Tim Chen <tim.c.chen@linux.intel.com>,
KarimAllah Ahmed <karahmed@amazon.de>,
Peter Zijlstra <peterz@infradead.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Waiman Long <longman@redhat.com>
Subject: [RFC PATCH] x86/speculation: Don't inherit TIF_SSBD on execve()
Date: Wed, 19 Dec 2018 14:09:50 -0500
Message-ID: <1545246590-12704-1-git-send-email-longman@redhat.com>
With the default SPEC_STORE_BYPASS_SECCOMP/SPEC_STORE_BYPASS_PRCTL mode,
the TIF_SSBD bit will be inherited when a new task is fork'ed or cloned.
As only certain classes of applications (like Java) require disabling
speculative store bypass for security purposes, it may not make sense to
allow the TIF_SSBD bit to be inherited across the execve() boundary, where
the new application may not need SSBD at all and is probably not aware that
SSBD may have been turned on. This may cause an unnecessary performance
loss of up to 20% in some cases.
The arch_setup_new_exec() function is updated to clear the TIF_SSBD
bit unless it has been force-disabled.
Signed-off-by: Waiman Long <longman@redhat.com>
---
Documentation/userspace-api/spec_ctrl.rst | 3 +++
arch/x86/kernel/process.c | 10 ++++++++++
2 files changed, 13 insertions(+)
diff --git a/Documentation/userspace-api/spec_ctrl.rst b/Documentation/userspace-api/spec_ctrl.rst
index c4dbe6f..226aed5 100644
--- a/Documentation/userspace-api/spec_ctrl.rst
+++ b/Documentation/userspace-api/spec_ctrl.rst
@@ -55,6 +55,9 @@ is selected by arg2 of :manpage:`prctl(2)` per task. arg3 is used to hand
in the control value, i.e. either PR_SPEC_ENABLE or PR_SPEC_DISABLE or
PR_SPEC_FORCE_DISABLE.
+When mitigation is enabled, its state will not be inherited on
+:manpage:`execve(2)` unless it is force-disabled.
+
Common error codes
------------------
======= =================================================================
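Review bot: the two added lines sit in the generic prctl(2) section that applies to every misfeature arg2 can select, but the code side of this patch only clears TIF_SSBD, so the sentence should name PR_SPEC_STORE_BYPASS explicitly. The wording also mixes subjects: "mitigation is enabled" refers to the mitigation while "force-disabled" refers to the speculation feature, which is the opposite thing. Suggest stating it in the prctl vocabulary the rest of the file uses, e.g. "For PR_SPEC_STORE_BYPASS, a PR_SPEC_DISABLE state set via prctl(2) is reset to PR_SPEC_ENABLE on execve(2); a PR_SPEC_FORCE_DISABLE state is retained."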
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index 7d31192..f207f4d 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -252,6 +252,16 @@ void arch_setup_new_exec(void)
/* If cpuid was previously disabled for this task, re-enable it. */
if (test_thread_flag(TIF_NOCPUID))
enable_cpuid();
+
+ /*
+ * Don't inherit TIF_SSBD across exec boundary unless speculative
+ * store bypass is force-disabled (e.g. seccomp on).
+ */
+ if (test_thread_flag(TIF_SSBD) &&
+ !task_spec_ssb_force_disable(current)) {
+ clear_thread_flag(TIF_SSBD);
+ task_clear_spec_ssb_disable(current);
+ }
}
static inline void switch_to_bitmap(struct thread_struct *prev,
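Review bot: clear_thread_flag(TIF_SSBD) plus task_clear_spec_ssb_disable(current) in the added block only change the task's flag and prctl state; nothing in the hunk reprograms the speculation control MSR, so the exec'ing task keeps running with SSBD asserted until some later context switch, and the switch path only reprograms the MSR when the outgoing and incoming tasks' flags differ, which they no longer do once the bit has been cleared here. The prctl path that sets and clears this same bit does not touch the flag directly but goes through task_update_spec_tif(), which forces the MSR update for the current task; this hunk should use the same helper so that the flag and the hardware state stay in sync. A minor point on the comment: "e.g. seccomp on" describes the case that is kept, not the case that is cleared, so it reads better as "keep it when it was force-disabled, which is what the seccomp mode does".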
--
1.8.3.1
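The behaviour this patch proposes can be checked from user space without reading kernel code: set the store-bypass control with prctl(2), fork, execve() the same binary and compare the state reported by PR_GET_SPECULATION_CTRL on both sides. The program below is an added example for that check, not part of the patch or of the kernel tree; it is Linux-only, the prctl(2) constants are the ones documented in spec_ctrl.rst (fallback definitions are provided for old headers), and ssb_state_survives_exec() encodes only what the patch above says it does (a per-task PR_SPEC_DISABLE is reset, PR_SPEC_FORCE_DISABLE is kept); on an unpatched kernel the child will still report "disabled".

```c
/*
 * ssbd_exec_probe.c: does a per-task store-bypass setting survive execve()?
 * Build: cc -Wall -o ssbd_exec_probe ssbd_exec_probe.c
 * Run:   ./ssbd_exec_probe          (PR_SPEC_DISABLE: reset by the patch)
 *        ./ssbd_exec_probe --force  (PR_SPEC_FORCE_DISABLE: kept by the patch)
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks for toolchains whose <sys/prctl.h> predates Linux 4.17. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif

/* Name the value PR_GET_SPECULATION_CTRL returns, per spec_ctrl.rst. */
const char *ssb_state_name(long v)
{
	if (v == PR_SPEC_NOT_AFFECTED)
		return "not affected";
	if (!(v & PR_SPEC_PRCTL))	/* no per-task control: global on/off mode */
		return (v & PR_SPEC_DISABLE) ? "disabled globally" : "enabled globally";
	if (v & PR_SPEC_FORCE_DISABLE)
		return "force-disabled";
	if (v & PR_SPEC_DISABLE)
		return "disabled";
	if (v & PR_SPEC_ENABLE)
		return "enabled";
	return "unknown";
}

/*
 * Prediction for the patch under discussion (assumption, not kernel code):
 * a per-task PR_SPEC_DISABLE is reset at execve(), PR_SPEC_FORCE_DISABLE
 * is kept, and states without per-task control are global anyway.
 */
int ssb_state_survives_exec(long v)
{
	if (!(v & PR_SPEC_PRCTL))
		return 1;
	return (v & PR_SPEC_FORCE_DISABLE) != 0;
}

static long get_ssb_state(void)
{
	return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

int main(int argc, char **argv)
{
	long before, after;
	unsigned long ctl;
	pid_t pid;
	int status;

	/* Re-executed image: hand the state back through the exit code (8 bits). */
	if (argc > 1 && strcmp(argv[1], "--child") == 0) {
		long v = get_ssb_state();
		return v < 0 ? 255 : (int)(v & 0xff);
	}

	ctl = (argc > 1 && strcmp(argv[1], "--force") == 0)
	      ? PR_SPEC_FORCE_DISABLE : PR_SPEC_DISABLE;
	if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ctl, 0, 0) < 0) {
		/* ENODEV: no per-task control (global mode or unaffected CPU). */
		perror("PR_SET_SPECULATION_CTRL");
		return 1;
	}
	before = get_ssb_state();
	printf("parent before execve: %s (0x%lx)\n", ssb_state_name(before), before);

	pid = fork();
	if (pid < 0) { perror("fork"); return 1; }
	if (pid == 0) {
		/* fork() inherits TIF_SSBD; execve() is where the patch intervenes. */
		execl("/proc/self/exe", argv[0], "--child", (char *)NULL);
		perror("execve");
		_exit(255);
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) ||
	    WEXITSTATUS(status) == 255) {
		fprintf(stderr, "child did not report its state\n");
		return 1;
	}
	after = WEXITSTATUS(status);
	printf("child after execve:   %s (0x%lx)\n", ssb_state_name(after), after);
	printf("patch prediction:     %s\n",
	       ssb_state_survives_exec(before) ? "kept" : "reset to enabled");
	return 0;
}
```

PR_SET_SPECULATION_CTRL fails with ENODEV when the kernel was booted with spec_store_bypass_disable=on or =off, or on a CPU that is not affected, so the probe only says something on a box running in the prctl or seccomp mode the commit message talks about.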
Thread overview: 9+ messages
2018-12-19 19:09 Waiman Long [this message]
2018-12-19 19:38 ` [RFC PATCH] x86/speculation: Don't inherit TIF_SSBD on execve() Andi Kleen
2018-12-19 19:45 ` Waiman Long
2018-12-20 0:58 ` Andi Kleen
2019-01-07 14:49 ` Waiman Long
2019-01-11 19:52 ` Thomas Gleixner
2019-01-14 21:46 ` Waiman Long
2019-01-15 9:48 ` Thomas Gleixner
2019-01-15 15:54 ` Waiman Long