From patchwork Fri Jan 5 14:57:47 2018
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 123527
From: Mark Rutland
To: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
Cc: dan.j.williams@intel.com, elena.reshetova@intel.com, corbet@lwn.net, alan@linux.intel.com, peterz@infradead.org, will.deacon@arm.com, gregkh@linuxfoundation.org, tglx@linutronix.de, Mark Rutland
Subject: [RFCv2 1/4] asm-generic/barrier: add generic nospec helpers
Date: Fri, 5 Jan 2018 14:57:47 +0000
Message-Id: <20180105145750.53294-2-mark.rutland@arm.com>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20180105145750.53294-1-mark.rutland@arm.com>
References: <20180105145750.53294-1-mark.rutland@arm.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Under speculation, CPUs may mis-predict branches in bounds checks. Thus, memory accesses under a bounds check may be speculated even if the bounds check fails, providing a primitive for building a side channel.

This patch adds helpers which can be used to inhibit the use of out-of-bounds pointers under speculation.

A generic implementation is provided for compatibility, but does not guarantee safety under speculation. Architectures are expected to override these helpers as necessary.

Signed-off-by: Mark Rutland
Signed-off-by: Will Deacon
Cc: Daniel Williams
Cc: Peter Zijlstra
---
 include/asm-generic/barrier.h | 68 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

Dan, I've reworked this so that nospec_ptr() can take an arch-specific barrier sequence. I believe that for x86 you just need to implement __nospec_barrier() as osb().

Mark.

-- 
2.11.0

diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h index fe297b599b0a..91c3071f49e5 100644 --- a/include/asm-generic/barrier.h +++ b/include/asm-generic/barrier.h
@@ -54,6 +54,74 @@ #define read_barrier_depends() do { } while (0) #endif +/* + * Inhibit subsequent speculative memory accesses. + * + * Architectures with a suitable memory barrier should provide an + * implementation. This is non-portable, and generic code should use + * nospec_ptr(). + */ +#ifndef __nospec_barrier +#define __nospec_barrier() do { } while (0) +#endif + +/** + * nospec_ptr() - Ensure a pointer is bounded, even under speculation. + * + * @ptr: the pointer to test + * @lo: the lower valid bound for @ptr, inclusive + * @hi: the upper valid bound for @ptr, exclusive + * + * If @ptr falls in the interval [@lo, @i), returns @ptr, otherwise returns + * NULL. + * + * Architectures which do not provide __nospec_barrier() should override this + * to ensure that ptr falls in the [lo, hi) interval both under architectural + * execution and under speculation, preventing propagation of an out-of-bounds + * pointer to code which is speculatively executed. + */ +#ifndef nospec_ptr +#define nospec_ptr(ptr, lo, hi) \ +({ \ + typeof (ptr) __ret; \ + typeof (ptr) __ptr = (ptr); \ + typeof (ptr) __lo = (lo); \ + typeof (ptr) __hi = (hi); \ + \ + __ret = (__lo <= __ptr && __ptr < __hi) ? __ptr : NULL; \ + \ + __nospec_barrier(); \ + \ + __ret; \ +}) +#endif + +/** + * nospec_array_ptr - Generate a pointer to an array element, ensuring the + * pointer is bounded under speculation. + * + * @arr: the base of the array + * @idx: the index of the element + * @sz: the number of elements in the array + * + * If @idx falls in the interval [0, @sz), returns the pointer to @arr[@idx], + * otherwise returns NULL. + * + * This is a wrapper around nospec_ptr(), provided for convenience. + * Architectures should implement nospec_ptr() to ensure this is the case + * under speculation. 
+ */ +#define nospec_array_ptr(arr, idx, sz) \ +({ \ + typeof(*(arr)) *__arr = (arr); \ + typeof(idx) __idx = (idx); \ + typeof(sz) __sz = (sz); \ + \ + nospec_ptr(__arr + __idx, __arr, __arr + __sz); \ +}) + +#undef __nospec_barrier + #ifndef __smp_mb #define __smp_mb() mb() #endif
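Review bot: the kernel-doc for nospec_ptr() has a typo in the interval: `[@lo, @i)` should read `[@lo, @hi)` to match the `@hi: the upper valid bound for @ptr, exclusive` line above it. Three smaller points on the same hunk. nospec_array_ptr() computes `__arr + __idx` before nospec_ptr() has checked the index, so for an out-of-range index an out-of-bounds pointer is formed first and only then compared; that is undefined behaviour in C and gives the compiler latitude over the `__lo <= __ptr && __ptr < __hi` comparison, so a comment stating that the wrapper relies on the pointer comparison behaving as on a flat address space would help reviewers of arch overrides. nospec_array_ptr() also lacks the `#ifndef nospec_array_ptr` guard that `__nospec_barrier` and `nospec_ptr` have, so an architecture cannot override it directly; the comment says architectures should implement nospec_ptr() instead, and saying explicitly that the wrapper is deliberately not overridable would make that intent clear. Finally, the `__nospec_barrier()` fallback is `do { } while (0)` and the macro is `#undef`'d at the end of the block, so on an architecture that provides neither the barrier nor nospec_ptr() the helper degrades silently to a plain bounds check; a short comment at the fallback definition and at the `#undef` noting this would save readers of asm/barrier.h from wondering why their definition disappears after inclusion.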