From patchwork Sat Jan 6 01:09:58 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Williams X-Patchwork-Id: 123593 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp40495qgn; Fri, 5 Jan 2018 17:18:18 -0800 (PST) X-Google-Smtp-Source: ACJfBotUKAuxlPnNGVaSe76t1wK6tJ7TQKO7Vqcf37rFDqNz7nS8iTY4GptuhK9n9x+UGvWIBaJL X-Received: by 10.99.150.18 with SMTP id c18mr3906091pge.136.1515201498786; Fri, 05 Jan 2018 17:18:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1515201498; cv=none; d=google.com; s=arc-20160816; b=r1uaQb2xeVp0vKrfhv8EmOhwZsDIiDU1IHkXD++TtjEX4O761iifp4QrXtHd+HJkd0 ixtetGlf7xu/4yF5WK9r6pNyIta382BrhAnFX7UdaM3yLaRtNIb3TfnYBp7c20DmiEut qJoIngLY3n3Rkeir7Vnp/pVLoFZrpPrdub8I177t8h7QFSsCnWFCV6b4aGMYmjFy3PkP wKVir0JTnnt0TrBGWcFpw/GNbrUMcl2ew8cCOGZkMmpSJ9ygTp9/kylzkNZLpZbLnmDs WmWGCPL7YzMBCi3q41XiNs5jr7CpiE7cNzl6vIxW3ANIVvWVrd/a43iqyh+ae7lS3AxE 2v3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:cc:to:from :subject:arc-authentication-results; bh=hYwPUuYE5peQbZpkuqBNMM1rLdtu/XXphsiVeAI6SM0=; b=Ij2n+P9kpPeYcbqkUD155fA6ws+JlOEeKac7uq9XqpR9+RUBhOcSAkUmARmXqF2gns y/rpugkUfB4kAKudiKYEvcpvfvtOUz7BpiUKhY0ev+H8QcodP6Cb0iz1cJz0XSyqrSeN fiWZ8HRfA907Mtcss8TXYQgn12UnhX9n+fJcwzz1zJlzDH442YAHa6vOmMaxzYKlyqww C+UPH6Wa+902qIAwrw3CaVyKKh1iFfyKfpfmYYNjKAXwQlmwQ3hLoh2hvn4BetcPiZIu pxq4xXowbJ/3G6SUmgZGThqJFbg0JGr3BPTNWTOEKsCwFFnLUFTamQN9jjt5QoTiC5Dr XiOA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k1si1803835pgo.823.2018.01.05.17.18.17; Fri, 05 Jan 2018 17:18:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753604AbeAFBSQ (ORCPT + 28 others); Fri, 5 Jan 2018 20:18:16 -0500 Received: from mga06.intel.com ([134.134.136.31]:15544 "EHLO mga06.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753389AbeAFBSM (ORCPT ); Fri, 5 Jan 2018 20:18:12 -0500 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga104.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Jan 2018 17:18:11 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.46,320,1511856000"; d="scan'208";a="190352416" Received: from dwillia2-desk3.jf.intel.com (HELO dwillia2-desk3.amr.corp.intel.com) ([10.54.39.16]) by orsmga005.jf.intel.com with ESMTP; 05 Jan 2018 17:18:11 -0800 Subject: [PATCH 01/18] asm-generic/barrier: add generic nospec helpers From: Dan Williams To: linux-kernel@vger.kernel.org Cc: Mark Rutland , linux-arch@vger.kernel.org, peterz@infradead.org, netdev@vger.kernel.org, Will Deacon , gregkh@linuxfoundation.org, tglx@linutronix.de, torvalds@linux-foundation.org, alan@linux.intel.com Date: Fri, 05 Jan 2018 17:09:58 -0800 Message-ID: <151520099810.32271.11023910901471332353.stgit@dwillia2-desk3.amr.corp.intel.com> In-Reply-To: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> References: <151520099201.32271.4677179499894422956.stgit@dwillia2-desk3.amr.corp.intel.com> User-Agent: StGit/0.17.1-9-g687f MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Mark Rutland Under speculation, CPUs may mis-predict branches in bounds checks. Thus, memory accesses under a bounds check may be speculated even if the bounds check fails, providing a primitive for building a side channel. This patch adds helpers which can be used to inhibit the use of out-of-bounds pointers under speculation. A generic implementation is provided for compatibility, but does not guarantee safety under speculation. Architectures are expected to override these helpers as necessary. Signed-off-by: Mark Rutland Signed-off-by: Will Deacon Cc: Daniel Willams Cc: Peter Zijlstra Signed-off-by: Dan Williams --- include/asm-generic/barrier.h | 68 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h index fe297b599b0a..91c3071f49e5 100644 --- a/include/asm-generic/barrier.h +++ b/include/asm-generic/barrier.h @@ -54,6 +54,74 @@ #define read_barrier_depends() do { } while (0) #endif +/* + * Inhibit subsequent speculative memory accesses. + * + * Architectures with a suitable memory barrier should provide an + * implementation. This is non-portable, and generic code should use + * nospec_ptr(). + */ +#ifndef __nospec_barrier +#define __nospec_barrier() do { } while (0) +#endif + +/** + * nospec_ptr() - Ensure a pointer is bounded, even under speculation. + * + * @ptr: the pointer to test + * @lo: the lower valid bound for @ptr, inclusive + * @hi: the upper valid bound for @ptr, exclusive + * + * If @ptr falls in the interval [@lo, @i), returns @ptr, otherwise returns + * NULL. + * + * Architectures which do not provide __nospec_barrier() should override this + * to ensure that ptr falls in the [lo, hi) interval both under architectural + * execution and under speculation, preventing propagation of an out-of-bounds + * pointer to code which is speculatively executed. + */ +#ifndef nospec_ptr +#define nospec_ptr(ptr, lo, hi) \ +({ \ + typeof (ptr) __ret; \ + typeof (ptr) __ptr = (ptr); \ + typeof (ptr) __lo = (lo); \ + typeof (ptr) __hi = (hi); \ + \ + __ret = (__lo <= __ptr && __ptr < __hi) ? __ptr : NULL; \ + \ + __nospec_barrier(); \ + \ + __ret; \ +}) +#endif + +/** + * nospec_array_ptr - Generate a pointer to an array element, ensuring the + * pointer is bounded under speculation. + * + * @arr: the base of the array + * @idx: the index of the element + * @sz: the number of elements in the array + * + * If @idx falls in the interval [0, @sz), returns the pointer to @arr[@idx], + * otherwise returns NULL. + * + * This is a wrapper around nospec_ptr(), provided for convenience. + * Architectures should implement nospec_ptr() to ensure this is the case + * under speculation. + */ +#define nospec_array_ptr(arr, idx, sz) \ +({ \ + typeof(*(arr)) *__arr = (arr); \ + typeof(idx) __idx = (idx); \ + typeof(sz) __sz = (sz); \ + \ + nospec_ptr(__arr + __idx, __arr, __arr + __sz); \ +}) + +#undef __nospec_barrier + #ifndef __smp_mb #define __smp_mb() mb() #endif