linux-kernel.vger.kernel.org archive mirror
From: Andi Kleen <andi@firstfloor.org>
To: tglx@linutronix.de
Cc: x86@kernel.org, linux-kernel@vger.kernel.org, bp@alien8.de,
	dwmw2@infradead.org, jpoimboe@redhat.com,
	Andi Kleen <ak@linux.intel.com>
Subject: [PATCH 2/2] x86/retpoline: Fix return buffer filling
Date: Mon, 12 Feb 2018 16:04:22 -0800
Message-ID: <20180213000422.16916-2-andi@firstfloor.org>
In-Reply-To: <20180213000422.16916-1-andi@firstfloor.org>

From: Andi Kleen <ak@linux.intel.com>

An earlier patch moved the RSB filling out of line, ending
it with a return. This results in the return buffer filling
only giving 15 instead of 16 usable returns because
the return from fill_rsb already uses one up.

Since the kernel call chains can be quite deep that's
somewhat dangerous and better avoided.

Always do one extra return buffer fill in the caller.
I added a STUFF_ONE_RSB macro for this, and fixed
up all the callers.

An alternative would be to revert 1dde7415e999
and just go back to the inline version.

Needs the earlier patch to avoid lots of bogus warnings
from objtool, but even with that there is one left.

Fixes: 1dde7415e999 ("x86/retpoline: Simplify vmexit...")
Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
 arch/x86/include/asm/nospec-branch.h | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 788c4da7dda9..af0ca73abb23 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -77,10 +77,19 @@
 #endif
 .endm
 
+.macro STUFF_ONE_RSB
+#ifdef CONFIG_RETPOLINE
+	call 581f
+	pause ; lfence
+581:	add  $(BITS_PER_LONG/8), %_ASM_SP
+#endif
+.endm
+
 /* This clobbers the BX register */
 .macro FILL_RETURN_BUFFER nr:req ftr:req
 #ifdef CONFIG_RETPOLINE
-	ALTERNATIVE "", "call __clear_rsb", \ftr
+	ALTERNATIVE "", "call __clear_rsb" , \ftr
+	ALTERNATIVE "", "STUFF_ONE_RSB", \ftr
 #endif
 .endm
 
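Review bot: the new assembler macro STUFF_ONE_RSB has no comment saying why it exists, and FILL_RETURN_BUFFER now emits it unconditionally after `call __clear_rsb`. A short comment above `.macro STUFF_ONE_RSB` stating that it adds back the one RSB entry consumed by the return from the out-of-line fill routine (the 15 versus 16 point from the commit message) would keep a later cleanup from removing it as redundant. Separately, the change to the `call __clear_rsb` line only inserts a space before the comma; drop that whitespace churn so the hunk adds a single line to FILL_RETURN_BUFFER.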
@@ -133,6 +142,20 @@
 # define THUNK_TARGET(addr) [thunk_target] "rm" (addr)
 #endif
 
+#ifdef CONFIG_X86_64
+#define STUFF_ONE_RSB	\
+	"	call 881f\n"					\
+	"	pause;lfence\n"					\
+	"881:\n"						\
+	"	addq $8,%%rsp\n"
+#else
+#define STUFF_ONE_RSB	\
+	"	call 881f\n"					\
+	"	pause;lfence\n"					\
+	"881:\n"						\
+	"	addl $4,%%esp\n"
+#endif
+
 /* The Spectre V2 mitigation variants */
 enum spectre_v2_mitigation {
 	SPECTRE_V2_NONE,
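Review bot: the two branches of `#ifdef CONFIG_X86_64` duplicate the whole C-string STUFF_ONE_RSB and differ only in the final `addq $8,%%rsp` versus `addl $4,%%esp`. The assembler macro in the first hunk already expresses the same adjustment once with `$(BITS_PER_LONG/8), %_ASM_SP`; a single definition built the same way would avoid the two copies drifting apart. The C macro also reuses the name of the assembler macro and carries no comment, so a reader of this header has to work out which one applies where; a one-line comment, or a distinct name, would help.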
@@ -156,7 +179,7 @@ static inline void vmexit_fill_RSB(void)
 {
 #ifdef CONFIG_RETPOLINE
 	alternative_input("",
-			  "call __fill_rsb",
+			  "call __fill_rsb;" STUFF_ONE_RSB,
 			  X86_FEATURE_RETPOLINE,
 			  ASM_NO_INPUT_CLOBBER(_ASM_BX, "memory"));
 #endif
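Review bot: in vmexit_fill_RSB the replacement string becomes `call __fill_rsb` followed by the STUFF_ONE_RSB sequence inside one alternative_input(), while FILL_RETURN_BUFFER in the first hunk keeps `call __clear_rsb` in its own ALTERNATIVE and adds the stuffing as a second one. The two paths should take the same shape, or the commit message should say why they differ. Please also confirm that the call to the out-of-line __fill_rsb is still patched correctly once it is no longer the only instruction in the replacement, and that the clobber list in ASM_NO_INPUT_CLOBBER(_ASM_BX, "memory") still covers everything the longer sequence does, given that it now pushes a return address and adjusts the stack pointer inline.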
-- 
2.14.3

Thread overview: 7+ messages
2018-02-13  0:04 [PATCH 1/2] objtool: Don't warn for intra function calls in alternative Andi Kleen
2018-02-13  0:04 ` Andi Kleen [this message]
2018-02-13  1:06   ` [PATCH 2/2] x86/retpoline: Fix return buffer filling Josh Poimboeuf
2018-02-13 11:21   ` Borislav Petkov
2018-02-13 13:18     ` Borislav Petkov
2018-02-13 13:58   ` David Woodhouse
2018-02-13 14:32     ` Andi Kleen
