Re: [PATCH v2 4/4] x86/static_call: Add inline static call implementation for x86-64

[Peter Zijlstra <peterz@infradead.org>]

On Thu, Nov 29, 2018 at 05:37:39AM -0800, Andy Lutomirski wrote:
> 
> 
> > On Nov 29, 2018, at 1:42 AM, Peter Zijlstra <peterz@infradead.org> wrote:
> > 
> > On Wed, Nov 28, 2018 at 10:05:54PM -0800, Andy Lutomirski wrote:
> > 
> >>>> +static void static_call_bp_handler(struct pt_regs *regs, void *_data)
> >>>> +{
> >>>> +    struct static_call_bp_data *data = _data;
> >>>> +
> >>>> +    /*
> >>>> +     * For inline static calls, push the return address on the stack so the
> >>>> +     * "called" function will return to the location immediately after the
> >>>> +     * call site.
> >>>> +     *
> >>>> +     * NOTE: This code will need to be revisited when kernel CET gets
> >>>> +     *       implemented.
> >>>> +     */
> >>>> +    if (data->ret) {
> >>>> +        regs->sp -= sizeof(long);
> >>>> +        *(unsigned long *)regs->sp = data->ret;
> >>>> +    }
> >> 
> >> You can’t do this.  Depending on the alignment of the old RSP, which
> >> is not guaranteed, this overwrites regs->cs.  IRET goes boom.
> > 
> > I don't get it; can you spell that out?
> > 
> > The way I understand it is that we're at a location where a "E8 - Near
> > CALL" instruction should be, and thus RSP should be the regular kernel
> > stack, and the above simply does "PUSH ret", which is what that CALL
> > would've done too.
> > 
> 
> int3 isn’t IST anymore, so the int3 instruction conditionally
> subtracts 8 from RSP and then pushes SS, etc. So my email was
> obviously wrong wrt “cs”, but you’re still potentially overwriting the
> int3 IRET frame.

ARGH!..

can't we 'fix' that again? The alternative is moving that IRET-frame and
fixing everything up, which is going to be fragile, ugly and such
things more.

Commit d8ba61ba58c8 ("x86/entry/64: Don't use IST entry for #BP stack")
doesn't list any strong reasons for why it should NOT be an IST.