[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86/mm: Remove unnecessary mfn_valid() call from get_page_from_l1e()
- To: Jan Beulich <jbeulich@xxxxxxxx>
- From: Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
- Date: Thu, 26 May 2022 16:52:26 +0000
- Accept-language: en-GB, en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=D1iy85bGt0AMepCcoTnsVf4tZhW+lfptrVVB8EvquZI=; b=U6c3jdGrwBKR0FgTsXUrJvbiY92dQ96dHMn3EH65hFXBBG5vAw0wEUkRpCdxL4NSD+yFBgRAUOGCVZu0CdJRYPUAvtw0nhyzE+prhGuSGFRn2cyNrEyf9QRkmDfaRU+0ZWopOOiJlos6+M57ZBwnZ1Qf79AcKbMUC4ra/OX+1lCSZ0XKqKIqkcMhZPh+RcMpVEsVr4y7H0jLlz+jpjEcykg1QOsk8jS5nSSohCwCVFDv4JsL/FcpXKfy4iIB+TjcGnmeAHkKwWPnBiWh5iLE6jSbAJMcuXCQz+Pyiplh4umV6FQwpbDgn29Se/NJKL4+VkOzLuTDeGIVvmrpgL3VjQ==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Dth5Ugn2ZdVh7iCOC4x+qgus7DNseEfddRwZlqIBMARMnLdBh8X5n3EFjI2McixrUl+PRMaJKFPJoxRxrNl4AjgpLoqWsxOBsGv1hm9D1rHxKxLbXXIwLhLLet2Nc/8sOEnl88aOnNb/QXU7Iogim8AQGoBoVBUAVcr2m9VLQ1F9nukWYfo6HqFYUzyoHdsrYHmtRQPKmaMG1fmSns/AQXmN65Y5Pf7+n6TCGpKZUiv6Ue9cG7DILfnQtA2MLWWINf/kmv+MQnmwO6Tyexy32EWtXyQdu1lRdZfbDohYihPnYVWq8W71oGHfz4yzDYUUG4KQuOM5n9vURPKsPPLftQ==
- Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;
- Cc: Roger Pau Monne <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Thu, 26 May 2022 16:52:48 +0000
- Ironport-data: A9a23:6NKigKP3sd3ezDHvrR3WlsFynXyQoLVcMsEvi/4bfWQNrUp01WZRn zcfUDvSbPeIZ2P8L4hwbt63pEkF7J7WnNcxQQto+SlhQUwRpJueD7x1DKtR0wB+jCHnZBg6h ynLQoCYdKjYdleF+lH1dOKJQUBUjclkfJKlYAL/En03FFYMpBsJ00o5wbZk2NAw2LBVPivW0 T/Mi5yHULOa82Yc3lI8s8pvfzs24ZweEBtB1rAPTagjUG32zhH5P7pGTU2FFFPqQ5E8IwKPb 72rIIdVXI/u10xF5tuNyt4Xe6CRK1LYFVDmZnF+A8BOjvXez8CbP2lS2Pc0MC9qZzu1c99Z+ YsXpbfgawESYqzltvw6bQkBNQtTBPgTkFPHCSDXXc276WTjKiKp6NI3SUY8MMsf5/p9BnxI+ boAMjcRYxufhuWwhrWmVu1rgcdlJ87uVG8dkig4kXeFUrB7H9aaHPyiCdxwhV/cguhnG/rEa tVfQj1odBnaODVEO0sNCYJ4l+Ct7pX6W2IC9gzP//Fpi4TV5AIg1KHBIMLLQdqxZPdwtWiIv jydpXusV3n2M/Tak1Jp6EmEhOXCgCf6U4I6D6Cj+7hhh1j77nMXIA0bUx28u/bRol6zXZdTJ lIZ/gIqrLMu7wq7Q9/lRRq6rXWY+BkGVLJt//YS7QiMzu/f5F+fD21dFzpZMoV57YkxWCAg0 UKPk5XxHztzvbaJSHWbsLCJsTe1PitTJmgHDcMZcTY4DxDYiNlbpnryohxLSsZZUvWd9enM/ g23
- Ironport-hdrordr: A9a23:sxtivqmdPO5mT2PjC2cEzYjD/6LpDfN1iWdD5ihNYBxZY6Wkfp +V8cjzhCWftN9OYhodcIi7SdK9qXO1z+8X3WGIVY3SEDUOy1HYVr2KirGSjAEIeheOu9K1sJ 0NT0EQMqyWMbEXt6fHCUyDYq4dKbq8ge6VbIXlvhFQpGhRAskOgTuRSDzra3GeLzM2Z6bRYa Dsgvav0ADQHEj/AP7aOlA1G8z44/HbnpPvZhALQzQ97hOVsD+u4LnmVzCFwxY3SVp0sPcf2F mAtza8yrSosvm9xBOZ/XTU9Y5qlNzozcYGLNCQi/ISNi7nhm+TFcdcsvy5zXIISdOUmRIXee r30lAd1gNImjXsl1SO0F7QMs/boW8TAjHZuAelaDDY0LHErXoBerZ8bMRiA1rkAgMbza9BOO gg5RPni7NHSRzHhyjz/N7OSlVjkVe1u2MrlaoJg2VYSpZ2Us4YkWUzxjIiLH47JlOy1GnnKp gdMOjMoPJNNV+KZXHQuWdihNSqQ3QoBx+DBkwPoNac3TRalG1wixJw/r1Uol4QsJYmD5VU7e XNNapl0LlIU88NdKp4QOMMW9G+BGDBSQ/FdGiSPVPkHqcaPG+lke+93JwloOWxPJAYxpo7n5 rMFFteqG4pYkrrTdaD2ZVamyq9N1lVnQ6dvv22y6IJyoEUHoCbQBFrYGpe4PeIsrEYHtDRXe q1NdZfH+LjRFGebLp04w==
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
- Thread-index: AQHYWj++Z1s5A5v8NEKWGg6sIKRPsq0xdrWAgAAWwAA=
- Thread-topic: [PATCH] x86/mm: Remove unnecessary mfn_valid() call from get_page_from_l1e()
On 26/05/2022 16:31, Jan Beulich wrote:
> On 27.04.2022 16:04, Andrew Cooper wrote:
>> mfn_valid() is not a trivially simple, and contains an evaluate_nospec() for
>> speculative defence. Avoid calling it redundantly, and just store the result
>> of the first call.
> Since it took quite some time for this to actually be committed, I did
> notice it among more recent commits, and I've grown a question: Isn't
> the latching of the result in a local variable undermining the supposed
> speculative defense? It's not as if I could point out a particular
> gadget here, but it feels like the adjustment should have specifically
> justified the speculative safety ... But I guess my understanding of
> all of this might still be somewhat flaky?
The eval_nospec() in mfn_valid() is to avoid a speculative over-read of
pdx_group_valid[].
It does not provide any protection for any other logic.
In particular, it does not provide any safety whatsoever in
get_page_from_l1e() because the lfence is the wrong side of the
conditional jump. i.e. you've got:
...
call mfn_valid // lfence in here
test %al, %al
je 1f
... // lfence missing from here
1:
... // and here
The change I've made is simply CSE that a compiler could do
automatically. if it could be persuaded that __mfn_valid() was pure
(which it logically is.)
If logic in get_page_from_l1e() needs Spectre protections for any
reason, it needs its own eval_nospec()/array_access_nospec()/etc because
it is specifically not safe to rely on incidental lfence's from
unrelated protections.
~Andrew
P.S. I need to add this to the list of reasons of why we need a "coding
& speculation safety" doc in the tree.
|
