On 11/22/2018 11:37 PM, Ingo Molnar wrote:
>>> I think all the call paths from prctl and seccomp coming here
>>> have tsk == current.
>>
>> We had that discussion before with SSBD:
>>
>> seccomp_set_mode_filter()
>>   seccomp_attach_filter()
>>     seccomp_sync_threads()
>>       for_each_thread(t)
>>         if (t == current)
>>           continue;
>>         seccomp_assign_mode(t)
>>           arch_seccomp_spec_mitigate(t);
>>
>>   seccomp_assign_mode(current...)
>>     arch_seccomp_spec_mitigate();
>>
>>> But if task_update_spec_tif gets used in the future where tsk is running
>>> on a remote CPU, this could lead to the MSR getting out of sync with the
>>> running task's TIF flag. This will break either performance or security.
>>
>> We also had that discussion with SSBD and decided that we won't chase
>> threads and send IPIs around. Yes, it's not perfect, but not the end of the
>> world either. For PRCTL it's a non issue.
Looks like a seccomp thread can be running on a remote CPU when its
TIF_SPEC_IB flag gets updated. I wonder if this will cause STIBP to be
always off in this scenario, when two tasks with SPEC_IB flags running on
a remote CPU have the STIBP bit always *off* in the SPEC MSR.

Let's say we have tasks A and B running on a remote CPU:

task A: SPEC_IB flag is on
task B: SPEC_IB flag is off but is currently running on the remote CPU,
        SPEC MSR's STIBP bit is off

Now arch_seccomp_spec_mitigation is called, setting the SPEC_IB flag on
task B. The SPEC MSR becomes out of sync with running task B's SPEC_IB flag.

Task B context switches to task A. Because both tasks have the SPEC_IB flag
set and the flag status is unchanged, the SPEC MSR's STIBP bit is not
updated. The SPEC MSR STIBP bit remains off if tasks A and B are the only
tasks running on the CPU.

There is an equivalent scenario where the SPEC MSR's STIBP bit remains on
even though both running tasks A and B have their SPEC_IB flags turned off.

Wonder if I may be missing something so the above scenario is not of
concern?

Thanks.

Tim

>
> Fair enough and agreed - but please add a comment for all this, as it's a
> non-trivial and rare call context and a non-trivial implementation
> trade-off as a result.
>
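The task A / task B sequence above, replayed as an added model in C. This is not kernel code and not part of the mail thread: the struct task, struct cpu, the two switch policies and the bit values for TIF_SPEC_IB are assumptions made for the model (STIBP is bit 1 of IA32_SPEC_CTRL). switch_to_on_change writes the MSR only when prev and next differ in TIF_SPEC_IB, which is the trade-off the thread discusses; switch_to_always is one possible resync policy shown for contrast, not a claim about what the kernel does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only constants. TIF_SPEC_IB's bit position is arbitrary here;
 * STIBP is bit 1 of IA32_SPEC_CTRL. */
#define TIF_SPEC_IB      (1UL << 9)
#define SPEC_CTRL_STIBP  (1ULL << 1)

struct task {
	unsigned long tif;        /* thread_info flags (model) */
};

struct cpu {
	struct task *curr;        /* task currently on this CPU */
	uint64_t spec_ctrl;       /* value last "written" to IA32_SPEC_CTRL */
};

/* Write the STIBP bit of the MSR model from a task's TIF flag. */
static void write_stibp_from_tif(struct cpu *cpu, unsigned long tif)
{
	if (tif & TIF_SPEC_IB)
		cpu->spec_ctrl |= SPEC_CTRL_STIBP;
	else
		cpu->spec_ctrl &= ~SPEC_CTRL_STIBP;
}

/* Policy 1: write the MSR only when the flag differs between prev and
 * next, i.e. when (tifp ^ tifn) has the bit set. A flag set remotely on
 * prev while it was running is never reflected in the MSR by this path. */
static void switch_to_on_change(struct cpu *cpu, struct task *next)
{
	unsigned long tifp = cpu->curr->tif, tifn = next->tif;

	if ((tifp ^ tifn) & TIF_SPEC_IB)
		write_stibp_from_tif(cpu, tifn);
	cpu->curr = next;
}

/* Policy 2 (contrast only): derive the MSR from next's flag on every
 * switch. One MSR write per switch, but it cannot drift after a remote
 * flag update. */
static void switch_to_always(struct cpu *cpu, struct task *next)
{
	write_stibp_from_tif(cpu, next->tif);
	cpu->curr = next;
}

typedef void (*switch_fn)(struct cpu *, struct task *);

/*
 * Replays the sequence from the mail: B runs with the flag clear and the
 * MSR matching it, the flag is set on B from another CPU (no IPI, no MSR
 * write), then the CPU switches from B to A, whose flag was already set.
 * Returns true if the STIBP bit ends up disagreeing with A's flag.
 * flag_on == false replays the mirror case (flags cleared, STIBP stuck on).
 */
static bool stibp_out_of_sync_after_scenario(switch_fn sw, bool flag_on)
{
	struct task a = { .tif = flag_on ? TIF_SPEC_IB : 0 };
	struct task b = { .tif = flag_on ? 0 : TIF_SPEC_IB };
	struct cpu cpu = { .curr = &b, .spec_ctrl = 0 };

	write_stibp_from_tif(&cpu, b.tif);      /* MSR agrees with B while B runs */

	/* Remote update of B's flag, as seccomp_sync_threads() would do. */
	if (flag_on)
		b.tif |= TIF_SPEC_IB;
	else
		b.tif &= ~TIF_SPEC_IB;

	sw(&cpu, &a);                           /* B -> A context switch */

	bool msr_stibp = (cpu.spec_ctrl & SPEC_CTRL_STIBP) != 0;
	bool tif_stibp = (cpu.curr->tif & TIF_SPEC_IB) != 0;
	return msr_stibp != tif_stibp;
}

int main(void)
{
	printf("only-on-change, flags set:     stale=%d\n",
	       stibp_out_of_sync_after_scenario(switch_to_on_change, true));
	printf("only-on-change, flags cleared: stale=%d\n",
	       stibp_out_of_sync_after_scenario(switch_to_on_change, false));
	printf("always-from-next, flags set:   stale=%d\n",
	       stibp_out_of_sync_after_scenario(switch_to_always, true));
	return 0;
}
```

The model makes the dependency explicit: the on-change policy compares the TIF words of prev and next at switch time, and because the remote update already changed prev's word, the XOR is zero and the MSR is never touched. Whether that is acceptable is exactly the performance-versus-IPI trade-off the thread argues about; the always-write policy is only here to show what "in sync" would look like, at the cost of an MSR write per switch.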