On 2/18/19 6:20 PM, Andy Lutomirski wrote:
>
>
>> On Feb 18, 2019, at 4:24 PM, Linus Torvalds <torva...@linux-foundation.org>
>> wrote:
>>
>>> On Mon, Feb 18, 2019 at 2:31 PM H. Peter Anvin <h...@zytor.com> wrote:
>>>
>>> The question is what "fix it" means. I'm really concerned about AC escapes,
>>> and everyone else should be, too.
>>
>> I do think that it might be the right thing to do to add some kind of
>> WARN_ON_ONCE() for AC being set in various can-reschedule situations.
>>
>> We'd just have to abstract it sanely. I'm sure arm64 has the exact
>> same issue with PAN - maybe it saves properly, but the same "we
>> wouldn't want to go through the scheduler with PAN clear".
>>
>> On x86, we might as well check DF at the same time as AC.
>>
>
> hpa is right, though — calling into tracing code with AC set is not really so
> good. And calling schedule() (via preempt_enable() or whatever) is also bad
> because it runs all the scheduler code with AC on. Admittedly, the scheduler
> is not *that* interesting of an attack surface.
>

Not just that, but the other question is just how much code we are running
with AC open. It really should only be done in some very small regions.

-hpa