From: Peter Zijlstra <peterz@infradead.org>
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, peterz@infradead.org,
keescook@chromium.org, hjl.tools@gmail.com,
andrew.cooper3@citrix.com, mark.rutland@arm.com, will@kernel.org,
ndesaulniers@google.com
Subject: [PATCH v2 5/6] x86/alternative: Relax text_poke_bp() constraint
Date: Sat, 04 Dec 2021 14:43:43 +0100 [thread overview]
Message-ID: <20211204134908.082342723@infradead.org> (raw)
In-Reply-To: 20211204134338.760603010@infradead.org
Currently text_poke_bp() is very strict to only allow patching a
single instruction; however with straight-line-speculation it will be
required to patch: ret; int3, which is two instructions.
As such, relax the constraints a little to allow int3 padding for all
instructions that do not imply the execution of the next instruction,
ie: RET, JMP.d8 and JMP.d32.
While there, rename the text_poke_loc::rel32 field to ::disp.
Note: this fills up the text_poke_loc structure which is now a round
16 bytes big.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
arch/x86/kernel/alternative.c | 44 ++++++++++++++++++++++++++++--------------
1 file changed, 30 insertions(+), 14 deletions(-)
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -1114,10 +1114,11 @@ void text_poke_sync(void)
struct text_poke_loc {
s32 rel_addr; /* addr := _stext + rel_addr */
- s32 rel32;
+ s32 disp;
+ u8 len;
u8 opcode;
const u8 text[POKE_MAX_OPCODE_SIZE];
- u8 old;
+ u8 old; /* see text_poke_bp_batch() */
};
struct bp_patching_desc {
@@ -1165,7 +1166,7 @@ noinstr int poke_int3_handler(struct pt_
{
struct bp_patching_desc *desc;
struct text_poke_loc *tp;
- int len, ret = 0;
+ int ret = 0;
void *ip;
if (user_mode(regs))
@@ -1205,8 +1206,7 @@ noinstr int poke_int3_handler(struct pt_
goto out_put;
}
- len = text_opcode_size(tp->opcode);
- ip += len;
+ ip += tp->len;
switch (tp->opcode) {
case INT3_INSN_OPCODE:
@@ -1221,12 +1221,12 @@ noinstr int poke_int3_handler(struct pt_
break;
case CALL_INSN_OPCODE:
- int3_emulate_call(regs, (long)ip + tp->rel32);
+ int3_emulate_call(regs, (long)ip + tp->disp);
break;
case JMP32_INSN_OPCODE:
case JMP8_INSN_OPCODE:
- int3_emulate_jmp(regs, (long)ip + tp->rel32);
+ int3_emulate_jmp(regs, (long)ip + tp->disp);
break;
default:
@@ -1301,7 +1301,7 @@ static void text_poke_bp_batch(struct te
*/
for (do_sync = 0, i = 0; i < nr_entries; i++) {
u8 old[POKE_MAX_OPCODE_SIZE] = { tp[i].old, };
- int len = text_opcode_size(tp[i].opcode);
+ int len = tp[i].len;
if (len - INT3_INSN_SIZE > 0) {
memcpy(old + INT3_INSN_SIZE,
@@ -1378,20 +1378,36 @@ static void text_poke_loc_init(struct te
const void *opcode, size_t len, const void *emulate)
{
struct insn insn;
- int ret;
+ int ret, i;
memcpy((void *)tp->text, opcode, len);
if (!emulate)
emulate = opcode;
ret = insn_decode_kernel(&insn, emulate);
-
BUG_ON(ret < 0);
- BUG_ON(len != insn.length);
tp->rel_addr = addr - (void *)_stext;
+ tp->len = len;
tp->opcode = insn.opcode.bytes[0];
+ switch(tp->opcode) {
+ case RET_INSN_OPCODE:
+ case JMP32_INSN_OPCODE:
+ case JMP8_INSN_OPCODE:
+ /*
+ * Control flow instructions without implied execution of the
+ * next instruction can be padded with INT3.
+ */
+ for (i = insn.length; i < len; i++)
+ BUG_ON(tp->text[i] != INT3_INSN_OPCODE);
+ break;
+
+ default:
+ BUG_ON(len != insn.length);
+ };
+
+
switch (tp->opcode) {
case INT3_INSN_OPCODE:
case RET_INSN_OPCODE:
@@ -1400,7 +1416,7 @@ static void text_poke_loc_init(struct te
case CALL_INSN_OPCODE:
case JMP32_INSN_OPCODE:
case JMP8_INSN_OPCODE:
- tp->rel32 = insn.immediate.value;
+ tp->disp = insn.immediate.value;
break;
default: /* assume NOP */
@@ -1408,13 +1424,13 @@ static void text_poke_loc_init(struct te
case 2: /* NOP2 -- emulate as JMP8+0 */
BUG_ON(memcmp(emulate, x86_nops[len], len));
tp->opcode = JMP8_INSN_OPCODE;
- tp->rel32 = 0;
+ tp->disp = 0;
break;
case 5: /* NOP5 -- emulate as JMP32+0 */
BUG_ON(memcmp(emulate, x86_nops[len], len));
tp->opcode = JMP32_INSN_OPCODE;
- tp->rel32 = 0;
+ tp->disp = 0;
break;
default: /* unknown instruction */
next prev parent reply other threads:[~2021-12-04 13:54 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-04 13:43 [PATCH v2 0/6] x86: Add stright-line-speculation mitigations Peter Zijlstra
2021-12-04 13:43 ` [PATCH v2 1/6] x86/atomic64_386_32: Rename things Peter Zijlstra
2021-12-10 11:05 ` [tip: x86/core] x86/lib/atomic64_386_32: " tip-bot2 for Peter Zijlstra
2021-12-04 13:43 ` [PATCH v2 2/6] x86: Prepare asm files for straight-line-speculation Peter Zijlstra
2021-12-10 11:05 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2021-12-04 13:43 ` [PATCH v2 3/6] x86: Prepare inline-asm " Peter Zijlstra
2021-12-10 11:05 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2021-12-04 13:43 ` [PATCH v2 4/6] objtool: Add straight-line-speculation validation Peter Zijlstra
2021-12-10 11:05 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2021-12-04 13:43 ` Peter Zijlstra [this message]
2021-12-10 11:05 ` [tip: x86/core] x86/alternative: Relax text_poke_bp() constraint tip-bot2 for Peter Zijlstra
2021-12-04 13:43 ` [PATCH v2 6/6] x86: Add straight-line-speculation mitigation Peter Zijlstra
2021-12-10 11:05 ` [tip: x86/core] " tip-bot2 for Peter Zijlstra
2022-07-19 13:19 ` Missing SLS int3 in JMP_NOSPEC? (Was: [PATCH v2 6/6] x86: Add straight-line-speculation mitigation) Maciej S. Szmigiero
2022-07-19 21:23 ` [RFC][PATCH] x86,nospec: Simplify {JMP,CALL}_NOSPEC Peter Zijlstra
2022-07-19 21:33 ` Peter Zijlstra
2022-07-20 0:01 ` Maciej S. Szmigiero
2022-07-20 9:12 ` Peter Zijlstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211204134908.082342723@infradead.org \
--to=peterz@infradead.org \
--cc=andrew.cooper3@citrix.com \
--cc=hjl.tools@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=ndesaulniers@google.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.