From: Peter Zijlstra <peterz@infradead.org>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Nathan Chancellor <natechancellor@gmail.com>,
Kees Cook <keescook@chromium.org>,
Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
Joe Perches <joe@perches.com>, Ingo Molnar <mingo@redhat.com>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
Borislav Petkov <bp@alien8.de>, "H. Peter Anvin" <hpa@zytor.com>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>, Kan Liang <kan.liang@linux.intel.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
Shawn Landden <shawn@git.icu>,
clang-built-linux <clang-built-linux@googlegroups.com>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Craig Topper <craig.topper@intel.com>,
Chandler Carruth <chandlerc@google.com>
Subject: Re: [PATCH] perf/x86/intel: Mark expected switch fall-throughs
Date: Thu, 27 Jun 2019 09:11:07 +0200 [thread overview]
Message-ID: <20190627071107.GY3402@hirez.programming.kicks-ass.net> (raw)
In-Reply-To: <CAKwvOdnvKLs1oF0-G8iq2T4wqcVkBGRKiZjPbb+K0gDRh3Liww@mail.gmail.com>
On Wed, Jun 26, 2019 at 03:33:36PM -0700, Nick Desaulniers wrote:
> On Wed, Jun 26, 2019 at 9:31 AM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > On Tue, Jun 25, 2019 at 11:47:06PM +0200, Thomas Gleixner wrote:
> > > > On Tue, Jun 25, 2019 at 09:53:09PM +0200, Thomas Gleixner wrote:
> >
> > > > > but it also makes objtool unhappy:
> >
> > > > > arch/x86/kernel/cpu/mtrr/generic.o: warning: objtool: get_fixed_ranges()+0x9b: unreachable instruction
> >
> > > I just checked two of them in the disassembly. In both cases it's jump
> > > label related. Here is one:
> > >
> > > asm volatile("1: rdmsr\n"
> > > 410: b9 59 02 00 00 mov $0x259,%ecx
> > > 415: 0f 32 rdmsr
> > > 417: 49 89 c6 mov %rax,%r14
> > > 41a: 48 89 d3 mov %rdx,%rbx
> > > return EAX_EDX_VAL(val, low, high);
> > > 41d: 48 c1 e3 20 shl $0x20,%rbx
> > > 421: 48 09 c3 or %rax,%rbx
> > > 424: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> > > 429: eb 0f jmp 43a <get_fixed_ranges+0xaa>
> > > do_trace_read_msr(msr, val, 0);
> > > 42b: bf 59 02 00 00 mov $0x259,%edi <------- "unreachable"
>
> I assume if 0x42b is unreachable, that's bad as $0x259 is never stored
> in %edi before the call to get_fixed_ranges+0xaa...
So what happens is that the __jump_table entry for 424 is wrong. When we
enable that key (read msr tracepoint) the code will jump to another
instance of the read msr tracepoint and continue running from there.
So we'll jump from one inlined instance to another, with all the
ramifications thereof; the code-flow will be completely screwy.
> > > 430: 48 89 de mov %rbx,%rsi
> > > 433: 31 d2 xor %edx,%edx
> > > 435: e8 00 00 00 00 callq 43a <get_fixed_ranges+0xaa>
> > > 43a: 44 89 35 00 00 00 00 mov %r14d,0x0(%rip) # 441 <get_fixed_ranges+0xb1>
> >
> > Thomas provided the actual .o file, and from that we find that the
> > .rela__jump_table entries look like:
> >
> > 000000000010 000100000002 R_X86_64_PC32 0000000000000000 .text + 3e9
> > 000000000014 000100000002 R_X86_64_PC32 0000000000000000 .text + 3f0
> > 000000000018 006100000018 R_X86_64_PC64 0000000000000000 __tracepoint_read_msr + 8
>
> I assume these relocations come from arch_static_branch() (and thus
> appear in triples?)
>
> 21 static __always_inline bool arch_static_branch(struct static_key
> *key, bool branch)
> 22 {
> 23 asm_volatile_goto("1:"
> 24 ".byte " __stringify(STATIC_KEY_INIT_NOP) "\n\t"
> 25 ".pushsection __jump_table, \"aw\" \n\t"
> 26 _ASM_ALIGN "\n\t"
> 27 ".long 1b - ., %l[l_yes] - . \n\t" // 1, 2
> 28 _ASM_PTR "%c0 + %c1 - .\n\t" // 3
> 29 ".popsection \n\t"
Yes, its lines 25-29 ^ that generate the jump_table entries. The first
entry is the code location, the second is the jump target and the third
is a pointer (and two LSB state bits) to the key this belongs to.
The compiler emits .rela objects for these and this is what we use with
objtool -- just like a linker would to resolve and create the actual
__jump_table section.
> 30 : : "i" (key), "i" (branch) : : l_yes);
>
> > 000000000020 000100000002 R_X86_64_PC32 0000000000000000 .text + 424
> > 000000000024 000100000002 R_X86_64_PC32 0000000000000000 .text + 3f0
> > 000000000028 006100000018 R_X86_64_PC64 0000000000000000 __tracepoint_read_msr + 8
> >
> > From this we find that the jump target that goes with the NOP at +424 is
> > +3f0, not +42b as one would expect.
> >
> > And as Josh noted, it is also 'weird' that this +3f0 is the very same as
> > the target for the previous entry.
>
> (Ok, I think I did talk to Josh about this, and I think he did mention
> something about the jump targets, but I didn't really understand the
> issue well at the time).
So what we have here is two instances of the same read msr inline. They
have code in different offsets (+3e9 and +424 resp.) but somehow the
compiler messed up and collapsed their jump target (or didn't properly
de-duplicate -- I've no idea how inline instantiation actually works).
> >
> > When we compare the code at both sites, we find:
> >
> > 3f0: bf 58 02 00 00 mov $0x258,%edi
> > 3f5: 48 89 de mov %rbx,%rsi
> > 3f8: 31 d2 xor %edx,%edx
> > 3fa: e8 00 00 00 00 callq 3ff <get_fixed_ranges+0x6f>
> > 3fb: R_X86_64_PC32 do_trace_read_msr-0x4
> >
> > vs
> >
> > 42b: bf 59 02 00 00 mov $0x259,%edi
> > 430: 48 89 de mov %rbx,%rsi
> > 433: 31 d2 xor %edx,%edx
> > 435: e8 00 00 00 00 callq 43a <get_fixed_ranges+0xaa>
> > 436: R_X86_64_PC32 do_trace_read_msr-0x4
> >
> > Which is not in fact the same code.
> >
> > So for some reason the .rela__jump_table are buggy on this clang build.
>
> So that sounds like a correctness bug then.
Yes, this is very very very bad. Like I wrote above, this results in
code flow moving from one inline'd instance into another, it completely
wrecks code flow integrity.
> (I'd been doing testing
> with the STATIC_KEYS_SELFTEST, which I guess doesn't expose this).
> I'm kind of surprised we can boot and pass STATIC_KEYS_SELFTEST. Any
> way you can help us pare down a test case?
It looks like an inlining bug, and I a rare one at that. The static key
self-tests simply don't trigger this for whatever reason. Like Thomas
wrote, of all the jump_labels in the kernel, only 6 go 'funny' for
whatever reason.
next prev parent reply other threads:[~2019-06-27 7:11 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-24 16:19 [PATCH] perf/x86/intel: Mark expected switch fall-throughs Gustavo A. R. Silva
2019-06-24 19:31 ` Peter Zijlstra
2019-06-24 19:45 ` Joe Perches
2019-06-24 20:37 ` Peter Zijlstra
2019-06-24 20:53 ` Gustavo A. R. Silva
2019-06-24 20:57 ` Joe Perches
2019-06-25 7:20 ` Peter Zijlstra
2019-06-24 22:28 ` Miguel Ojeda
2019-06-25 7:18 ` Peter Zijlstra
2019-06-25 12:47 ` Miguel Ojeda
2019-06-25 18:15 ` Nick Desaulniers
2019-06-25 22:29 ` Joe Perches
2019-06-25 22:57 ` Nick Desaulniers
2019-06-25 23:25 ` Joe Perches
2019-06-26 8:49 ` Peter Zijlstra
2019-06-26 22:14 ` Nick Desaulniers
2019-06-27 7:12 ` Peter Zijlstra
2019-06-28 13:31 ` Peter Zijlstra
2019-06-28 18:44 ` Nick Desaulniers
2019-06-29 7:10 ` Peter Zijlstra
2019-06-25 17:12 ` Kees Cook
2019-06-25 18:05 ` Nathan Chancellor
2019-06-25 19:53 ` Thomas Gleixner
2019-06-25 20:27 ` Nathan Chancellor
2019-06-25 20:37 ` Nick Desaulniers
2019-06-25 21:47 ` Thomas Gleixner
2019-06-26 5:10 ` Nathan Chancellor
2019-06-26 15:18 ` Thomas Gleixner
2019-06-26 19:00 ` Nathan Chancellor
2019-06-26 19:46 ` Thomas Gleixner
2019-06-26 20:03 ` Nathan Chancellor
2019-06-26 9:24 ` Peter Zijlstra
2019-06-26 9:55 ` Peter Zijlstra
2019-06-26 22:23 ` Nick Desaulniers
2019-06-27 7:35 ` Peter Zijlstra
2019-06-26 10:43 ` Peter Zijlstra
2019-06-26 22:15 ` Nick Desaulniers
2019-06-27 7:16 ` Peter Zijlstra
2019-06-26 16:30 ` Peter Zijlstra
2019-06-26 22:33 ` Nick Desaulniers
2019-06-26 23:11 ` Thomas Gleixner
2019-06-27 7:11 ` Peter Zijlstra [this message]
2019-06-25 23:46 ` Arnaldo Carvalho de Melo
2019-06-26 5:14 ` Nathan Chancellor
2019-06-25 20:09 ` Kees Cook
2019-06-26 8:06 ` Peter Zijlstra
2019-06-25 7:15 ` Peter Zijlstra
2019-07-25 16:27 ` [tip:perf/urgent] " tip-bot for Gustavo A. R. Silva
2019-07-25 17:06 ` Borislav Petkov
2019-07-25 17:35 ` Peter Zijlstra
2019-07-25 23:18 ` Joe Perches
2019-07-25 23:28 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190627071107.GY3402@hirez.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=acme@kernel.org \
--cc=alexander.shishkin@linux.intel.com \
--cc=bp@alien8.de \
--cc=chandlerc@google.com \
--cc=clang-built-linux@googlegroups.com \
--cc=craig.topper@intel.com \
--cc=gustavo@embeddedor.com \
--cc=hpa@zytor.com \
--cc=joe@perches.com \
--cc=jolsa@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=kan.liang@linux.intel.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=natechancellor@gmail.com \
--cc=ndesaulniers@google.com \
--cc=shawn@git.icu \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.