lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <447377f0-21e5-067d-55ac-cb2eeca7ceae@intel.com>
Date:   Mon, 27 Sep 2021 12:07:36 -0700
From:   Sohil Mehta <sohil.mehta@...el.com>
To:     Thomas Gleixner <tglx@...utronix.de>, <x86@...nel.org>
CC:     Tony Luck <tony.luck@...el.com>,
        Dave Hansen <dave.hansen@...el.com>,
        "Ingo Molnar" <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H . Peter Anvin" <hpa@...or.com>,
        Andy Lutomirski <luto@...nel.org>,
        Jens Axboe <axboe@...nel.dk>,
        Christian Brauner <christian@...uner.io>,
        Peter Zijlstra <peterz@...radead.org>,
        Shuah Khan <shuah@...nel.org>, Arnd Bergmann <arnd@...db.de>,
        Jonathan Corbet <corbet@....net>,
        Ashok Raj <ashok.raj@...el.com>,
        Jacob Pan <jacob.jun.pan@...ux.intel.com>,
        "Gayatri Kammela" <gayatri.kammela@...el.com>,
        Zeng Guang <guang.zeng@...el.com>,
        "Dan Williams" <dan.j.williams@...el.com>,
        Randy E Witt <randy.e.witt@...el.com>,
        Ravi V Shankar <ravi.v.shankar@...el.com>,
        Ramesh Thomas <ramesh.thomas@...el.com>,
        <linux-api@...r.kernel.org>, <linux-arch@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <linux-kselftest@...r.kernel.org>
Subject: Re: [RFC PATCH 05/13] x86/irq: Reserve a user IPI notification vector

On 9/26/2021 5:39 AM, Thomas Gleixner wrote:
> On Sat, Sep 25 2021 at 15:30, Thomas Gleixner wrote:
>> On Fri, Sep 24 2021 at 01:07, Thomas Gleixner wrote:
>> The obvious question is: What is the value of clearing UINV?
>>
>> Absolutely none. That notification vector cannot be used for anything
>> else, so why would the OS be interested to see it ever? This is about
>> user space interupts, right?
>>
>> UINV should be set _ONCE_ when CR4.UINTR is enabled and not be touched
>> by XSAVES/XRSTORS at all. Any delivery of this vector to the OS should
>> be considered a hardware bug.
> After decoding the documentation (sigh) and staring at the implications of
> keeping UINV armed, I can see the point vs. the UPID lifetime issue when
> a task gets scheduled out and migrated to a different CPU.


I think you got it right. Here is my understanding of this.

The User-interrupt notification processing moves all the pending 
interrupts from UPID.PIR to the UIRR.

As you mentioned below, XSTATE is saved due to several reasons which 
saves the UIRR into memory. UIRR should no longer be updated after it 
has been saved.

XSAVES clears UINV is to stop detecting additional interrupts in the 
UIRR after it has been saved.


> Not the most pretty solution, but as there needs to be some invalidation
> which needs to be undone on return to user space it probably does not
> matter much.
>
> As the whole thing is tightly coupled to XSAVES/RSTORS we need to
> integrate it into that machinery and not pretend that it's something
> half independent.


I agree. Thank you for pointing this out.

> That means we have to handle the setting of the SN bit in UPID whenever
> XSTATE is saved either during context switch, when the kernel uses the
> FPU or in other places (signals, fpu_clone ...). They all end up in
> save_fpregs_to_fpstate() so that might be the place to look at.

  Yes. The current code doesn't do this. SN bit should be set whenever 
UINTR XSTATE is saved.

> While talking about that: fpu_clone() has to invalidate the UINTR state
> in the clone's xstate after the memcpy() or xsaves() operation.
>
> Also the restore portion on the way back to user space has to be coupled
> more tightly:
>
> arch_exit_to_user_mode_prepare()
> {
>          ...
>          if (unlikely(ti_work & _TIF_UPID))
>          	uintr_restore_upid(ti_work & _TIF_NEED_FPU_LOAD);
>          if (unlikely(ti_work & _TIF_NEED_FPU_LOAD))
>          	switch_fpu_return();
> }

I am assuming _TIF_UPID would be set everytime SN is set and XSTATE is 
saved.

> upid_set_ndst(upid)
> {
> 	apicid = __this_cpu_read(x86_cpu_to_apicid);
>
>          if (x2apic_enabled())
>              upid->ndst.x2apic = apicid;
>          else
>              upid->ndst.apic = apicid;
> }
>
> uintr_restore_upid(bool xrstors_pending)
> {
>          clear_thread_flag(TIF_UPID);
>          
> 	// Update destination
>          upid_set_ndst(upid);
>
>          // Do we need something stronger here?
>          barrier();
>
>          clear_bit(SN, upid->status);
>
>          // Any SENDUIPI after this point sends to this CPU
>             
>          // Any bit which was set in upid->pir after SN was set
>          // and/or UINV was cleared by XSAVES up to the point
>          // where SN was cleared above is not reflected in UIRR.
>
> 	// As this runs with interrupts disabled the current state
>          // of upid->pir can be read and used for restore. A SENDUIPI
>          // which sets a bit in upid->pir after that read will send
>          // the notification vector which is going to be handled once
>          // the task reenables interrupts on return to user space.
>          // If the SENDUIPI set the bit before the read then the
>          // notification vector handling will just observe the same
>          // PIR state.
>
>          // Needs to be a locked access as there might be a
>          // concurrent SENDUIPI modiying it.
>          pir = read_locked(upid->pir);
>
>          if (xrstors_pending)) {
>          	// Update the saved xstate for xrstors
>             	current->xstate.uintr.uinv = UINTR_NOTIFICATION_VECTOR;

XSAVES saves the UINV value into the XSTATE buffer. I am not sure if we 
need this again. Is it because it could have been overwritten by calling 
XSAVES twice?


>                  current->xstate.uintr.uirr = pir;

I believe PIR should be ORed. There could be some bits already set in 
the UIRR.

Also, shouldn't UPID->PIR be cleared? If not, we would detect these 
interrupts all over again during the next ring transition.

>          } else {
>                  // Manually restore UIRR and UINV
>                  wrmsrl(IA32_UINTR_RR, pir);
I believe read-modify-write here as well.
> 	        misc.val64 = 0;
>                  misc.uittsz = current->uintr->uittsz;
>                  misc.uinv = UINTR_NOTIFICATION_VECTOR;
>                  wrmsrl(IA32_UINTR_MISC, misc.val64);

Thanks! This helps reduce the additional MSR read.

>          }
> }
>
> That's how I deciphered the documentation and I don't think this is far
> from reality, but I might be wrong as usual.
>
> Hmm?

Thank you for the simplification. This is very helpful.

Sohil


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ