Date: Thu, 13 Jul 2017 14:25:54 -0500
From: Josh Poimboeuf
To: Matthias Kaehlcke
Cc: Chris J Arges, Borislav Petkov, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, linux-kernel@vger.kernel.org, Douglas Anderson, Michael Davidson, Greg Hackmann, Nick Desaulniers, Stephen Hines, Kees Cook, Arnd Bergmann, Bernhard.Rosenkranzer@linaro.org
Subject: Re: [PATCH] Revert "x86/uaccess: Add stack frame output operand in get_user() inline asm"
Message-ID: <20170713192554.f4xznyxjkdtrmh3f@treble>
In-Reply-To: <20170713184748.GF95735@google.com>
References: <20170712212744.23660-1-mka@chromium.org> <20170712221242.puv5illztsla4nph@treble> <20170712222040.GD95735@google.com> <20170712223547.fyra43dizqooosbs@treble> <20170712223630.gb237t4vhrqeu5zd@treble> <20170712232213.GE95735@google.com> <20170713180001.mvwzdmudht56hdk5@treble> <20170713184748.GF95735@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jul 13, 2017 at 11:47:48AM -0700, Matthias Kaehlcke wrote:
> > What happens if you try the below patch instead of the revert? Any
> > chance the offending instruction goes away?
> >
> > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> > index 11433f9..beac907 100644
> > --- a/arch/x86/include/asm/uaccess.h
> > +++ b/arch/x86/include/asm/uaccess.h
> > @@ -171,7 +171,7 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
> >  	might_fault();							\
> >  	asm volatile("call __get_user_%P4"				\
> >  		     : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp)	\
> > -		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
> > +		     : "0" (ptr), "i" (sizeof(*(ptr))), "r" (__sp));	\
> >  	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
> >  	__builtin_expect(__ret_gu, 0);					\
> >  })
>
> The generated code is basically the same, only that now the value from
> the stack is stored in a register and written twice to RSP:
>
> ffffffff813676ba:	31 c0                	xor    %eax,%eax
> ffffffff813676bc:	48 89 45 c8          	mov    %rax,-0x38(%rbp)
> ffffffff813676c0:	45 31 ff             	xor    %r15d,%r15d
> ffffffff813676c3:	48 89 45 a8          	mov    %rax,-0x58(%rbp)
> ...
> ffffffff81367918:	48 8b 4d a8          	mov    -0x58(%rbp),%rcx
> ffffffff8136791c:	48 89 cc             	mov    %rcx,%rsp
> ffffffff8136791f:	48 89 cc             	mov    %rcx,%rsp
> ffffffff81367922:	e8 69 26 f1 ff       	callq  ffffffff81279f90 <__get_user_4>

LOL.  Why corrupt the stack pointer with a single instruction (reading a
zero from memory, no less) when you can instead do it with three
instructions, including two duplicates?

Anyway this seems like a clang bug to me.  If I specify RSP as an input
register then the compiler shouldn't overwrite it first.  For that matter
it has no reason to overwrite it if it's an output register either.

-- 
Josh
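Review bot: the added `"r" (__sp)` input on the `+` line duplicates the `"+r" (__sp)` output operand two lines above it in the same asm statement; the `+` modifier already marks that operand as read before the asm runs, so the extra input tells the compiler nothing new about RSP and cannot by itself change the code emitted before the `call`, which matches the report in this thread that the generated code is basically the same. If the probe is kept for further testing, one thing to check is operand numbering: the new operand is appended after `"i" (sizeof(*(ptr)))`, so the template's `%P4` still refers to the size operand, but placing it anywhere earlier in the input list would silently change what `%P4` expands to.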
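The operand pattern under discussion, reduced to a user-space program so the code a given compiler emits around the `call` can be compared with `objdump -d`. This is an added example, not kernel code and not code from anyone in the thread. It binds the stack pointer through a file-scope register variable (the form later kernels use) rather than the hunk's local `__sp`, whose declaration is not shown in the mail; the callee's register convention, the address limit, the `-EFAULT` value and the red-zone adjustment are all assumptions made here for the demo.

```c
/* Added example (not kernel code): a get_user()-style inline asm call with
 * the stack pointer listed as an operand, runnable in user space. */
#include <stdint.h>
#include <stdio.h>

#define DEMO_EFAULT 14   /* assumed: Linux EFAULT */

#if defined(__x86_64__) && defined(__linux__)

/* Register variable bound to RSP at file scope (assumed form; the hunk's
 * __sp is a local whose declaration the mail does not show). */
register unsigned long demo_stack_pointer __asm__("rsp");

/* Hand-written stand-in for __get_user_4. Assumed convention: address in
 * %rax, value out in %rdx, 0 or -EFAULT back in %rax, nothing else touched.
 * The limit constant is an assumption for the demo. */
__asm__(
    ".pushsection .text\n"
    "demo_get_user_4:\n"
    "    movabsq $0x00007ffffffffffb, %rdx\n" /* highest address whose 4 bytes are in range */
    "    cmpq    %rdx, %rax\n"
    "    ja      1f\n"
    "    movl    (%rax), %edx\n"               /* the 4-byte load itself */
    "    xorl    %eax, %eax\n"                 /* 0 = success */
    "    ret\n"
    "1:  xorl    %edx, %edx\n"                 /* value is zeroed on failure */
    "    movq    $-14, %rax\n"                 /* -EFAULT */
    "    ret\n"
    ".popsection\n"
);

static int demo_get_user(uint32_t *dst, const uint32_t *src)
{
    unsigned long ret;
    register unsigned long val __asm__("rdx");

    /* Same operand shape as the quoted hunk: "=a" carries the error code,
     * "=r" bound to %rdx carries the value, "+r" on the stack pointer tells
     * the compiler the asm touches RSP, and "0" ties the pointer to %rax.
     * User space honours the 128-byte red zone (the kernel builds with
     * -mno-red-zone), so step over it before the call pushes a return address. */
    __asm__ __volatile__("subq $128, %%rsp\n\t"
                         "call demo_get_user_4\n\t"
                         "addq $128, %%rsp"
                         : "=a" (ret), "=r" (val), "+r" (demo_stack_pointer)
                         : "0" ((unsigned long)src)
                         : "cc", "memory");

    *dst = (uint32_t)val;
    return (int)(long)ret;
}

#else
/* Portable stand-in with the same observable behaviour, so the file still
 * builds and runs on targets without the x86-64 inline asm above. */
static int demo_get_user(uint32_t *dst, const uint32_t *src)
{
    if ((uintptr_t)src > (uintptr_t)0x00007ffffffffffbULL) {
        *dst = 0;
        return -DEMO_EFAULT;
    }
    *dst = *src;
    return 0;
}
#endif

/* Returns 1 when a 4-byte read through a valid pointer copies the value
 * and reports success. Input is constructed for the demo. */
static int demo_read_valid(void)
{
    uint32_t src = 0x12345678u, dst = 0;
    int ret = demo_get_user(&dst, &src);
    return ret == 0 && dst == 0x12345678u;
}

/* Returns the error code for an address above the assumed limit; the
 * callee rejects it before any load, so nothing is dereferenced. */
static int demo_read_invalid(void)
{
    const uint32_t *bad = (const uint32_t *)(uintptr_t)-16;
    uint32_t dst = 0xffffffffu;
    int ret = demo_get_user(&dst, bad);
    return dst == 0 ? ret : 0;
}

int main(void)
{
    printf("valid read ok: %d\n", demo_read_valid());
    printf("out-of-range read returns: %d\n", demo_read_invalid());
    return 0;
}
```

Build it once with gcc and once with clang and disassemble `demo_get_user`; the instructions between the function entry and the `call demo_get_user_4` are the part the thread is about, and any store of RSP to a stack slot followed by a reload into `%rsp` before the call is the behaviour Matthias reports.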