[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH SpectreV1+L1TF v5 9/9] common/memory: block speculative out-of-bound accesses

To: <nmanthey@xxxxxxxxx>
From: "Jan Beulich" <JBeulich@xxxxxxxx>
Date: Wed, 06 Feb 2019 08:25:35 -0700
Cc: Juergen Gross <jgross@xxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx>, Dario Faggioli <dfaggioli@xxxxxxxx>, Martin Pohlack <mpohlack@xxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, David Woodhouse <dwmw@xxxxxxxxxxxx>, "Martin Mazein\(amazein\)" <amazein@xxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Julian Stecklina <jsteckli@xxxxxxxxx>, Bjoern Doebel <doebel@xxxxxxxxx>
Delivery-date: Wed, 06 Feb 2019 15:25:50 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

>>> On 29.01.19 at 15:43, <nmanthey@xxxxxxxxx> wrote:
> @@ -33,10 +34,10 @@ unsigned long __read_mostly pdx_group_valid[BITS_TO_LONGS(
>  
>  bool __mfn_valid(unsigned long mfn)
>  {
> -    return likely(mfn < max_page) &&
> -           likely(!(mfn & pfn_hole_mask)) &&
> -           likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
> -                           pdx_group_valid));
> +    return evaluate_nospec(likely(mfn < max_page) &&
> +                           likely(!(mfn & pfn_hole_mask)) &&
> +                           likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
> +                                           pdx_group_valid)));

Other than in the questionable grant table case, here I agree that
you want to wrap the entire construct. This has an unwanted effect
though: The test_bit() may still be speculated into with an out-of-
bounds mfn. (As mentioned elsewhere, operations on bit arrays are
an open issue altogether.) I therefore think you want to split this into
two:

bool __mfn_valid(unsigned long mfn)
{
    return likely(evaluate_nospec(mfn < max_page)) &&
           evaluate_nospec(likely(!(mfn & pfn_hole_mask)) &&
                           likely(test_bit(pfn_to_pdx(mfn) / PDX_GROUP_COUNT,
                                           pdx_group_valid)));
}

Jan



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH SpectreV1+L1TF v5 9/9] common/memory: block speculative out-of-bound accesses
  - From: Norbert Manthey

Prev by Date: [Xen-devel] [xen-unstable-smoke test] 132967: tolerable all pass - PUSHED
Next by Date: [Xen-devel] Ping: libfsimage path/file name changes
Previous by thread: [Xen-devel] [xen-unstable-smoke test] 132967: tolerable all pass - PUSHED
Next by thread: Re: [Xen-devel] [PATCH SpectreV1+L1TF v5 9/9] common/memory: block speculative out-of-bound accesses
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.