From: David Woodhouse <dwmw2@infradead.org>
To: Paul Turner <pjt@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
"Van De Ven, Arjan" <arjan.van.de.ven@intel.com>,
Andi Kleen <andi@firstfloor.org>,
LKML <linux-kernel@vger.kernel.org>,
Greg Kroah-Hartman <gregkh@linux-foundation.org>,
Tim Chen <tim.c.chen@linux.intel.com>,
Dave Hansen <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Andy Lutomirski <luto@amacapital.net>,
Andi Kleen <ak@linux.intel.com>
Subject: Re: [PATCH] x86/retpoline: Avoid return buffer underflows on context switch
Date: Tue, 09 Jan 2018 03:05:24 +0000 [thread overview]
Message-ID: <1515467124.22302.8.camel@infradead.org> (raw)
In-Reply-To: <CAPM31RKpPzfqzisNerKDG=Y2yLXR82m1mFb2neDK=0cKUvz17g@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2551 bytes --]
On Mon, 2018-01-08 at 18:48 -0800, Paul Turner wrote:
> On Mon, Jan 8, 2018 at 4:48 PM, David Woodhouse <dwmw2@infradead.org> wrote:
> >
> > On Tue, 2018-01-09 at 00:44 +0000, Woodhouse, David wrote:
> > >
> > > On IRC, Arjan assures me that 'pause' here really is sufficient as a
> > > speculation trap. If we do end up returning back here as a
> > > misprediction, that 'pause' will stop the speculative execution on
> > > affected CPUs even though it isn't *architecturally* documented to do
> > > so.
> > >
> > > Arjan, can you confirm that in email please?
> >
> > That actually doesn't make sense to me. If 'pause' alone is sufficient,
> > then why in $DEITY's name would we need a '1:pause;jmp 1b' loop in the
> > retpoline itself?
> >
> > Arjan?
> On further investigation, I don't understand any of the motivation for
> the changes here:
> - It micro-benchmarks several cycles slower than the suggested
> implementation on average (38 vs 44 cycles) [likely due to lost 16-byte call
> alignment]
> - It's much larger in terms of .text size (120 bytes @ 16 calls, 218
> bytes @ 30 calls) vs (61 bytes)
> - I'm not sure it's universally correct in preventing speculation:
>
> (1) I am able to observe a small timing difference between executing
> "1: pause; jmp 1b;" and "pause" in the speculative path.
> Given that alignment is otherwise identical, this should only
> occur if execution is non-identical, which would require speculative
> execution to proceed beyond the pause.
> (2) When we proposed and reviewed the sequence. This was not cited by
> architects as a way of presenting speculation. Indeed, as David
> points out, we'd consider using this within the sequence without the
> loop.
>
>
> If the claim above is true -- which (1) actually appears to contradict
> -- it seems to bear stronger validation. Particularly since that in
> the suggested sequences we can fit the jmps within the space we get
> for free by aligning the call targets.
Some of the discrepancies are because it's been filtered through Intel
and I may not have had your latest version.
I'm going to revert to your version from
https://support.google.com/faqs/answer/7625886 — for the retpoline
(i.e. adding back the alignment) and the RSB stuffing.
If Intel have a sequence which is simpler and guaranteed to work, I'll
let them post that with an authoritative statement from the CPU
architects. At this point, we really need to get on with rolling in the
other parts on top.
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5213 bytes --]
next prev parent reply other threads:[~2018-01-09 3:05 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-08 20:15 [PATCH] x86/retpoline: Avoid return buffer underflows on context switch Andi Kleen
2018-01-08 21:38 ` David Woodhouse
2018-01-08 22:54 ` Andi Kleen
2018-01-08 22:11 ` Peter Zijlstra
2018-01-08 22:17 ` Woodhouse, David
2018-01-08 22:26 ` Peter Zijlstra
2018-01-08 23:25 ` Woodhouse, David
2018-01-08 22:25 ` Andi Kleen
2018-01-08 22:58 ` Andi Kleen
2018-01-09 0:15 ` Paul Turner
2018-01-09 0:15 ` Paul Turner
2018-01-09 0:44 ` Woodhouse, David
2018-01-09 0:48 ` David Woodhouse
2018-01-09 2:48 ` Paul Turner
2018-01-09 3:05 ` David Woodhouse [this message]
2018-01-12 11:15 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1515467124.22302.8.camel@infradead.org \
--to=dwmw2@infradead.org \
--cc=ak@linux.intel.com \
--cc=andi@firstfloor.org \
--cc=arjan.van.de.ven@intel.com \
--cc=dave.hansen@intel.com \
--cc=gregkh@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=tglx@linutronix.de \
--cc=tim.c.chen@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox