| Message ID | 20231010171020.462211-2-david.kaplan@amd.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:612c:2908:b0:403:3b70:6f57 with SMTP id ib8csp11709vqb;
Tue, 10 Oct 2023 10:11:07 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IEArky32Qs+TakEOo8HztY+jzgF5aQ3V6WHh31Pt9Ms7i85Bgfs7gDVni79s61meh7Ts1Dq
X-Received: by 2002:a17:902:6941:b0:1bb:b855:db3c with SMTP id
k1-20020a170902694100b001bbb855db3cmr12523056plt.41.1696957867170;
Tue, 10 Oct 2023 10:11:07 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1696957867; cv=pass;
d=google.com; s=arc-20160816;
b=y4WIfNkGpQbQdVJfquExURUDoGFZlB01L+k820bw7SJNn1XmrbpzC6/Q/YZFiYjN8f
9jxZuiBiGqxGNazuctOJzATQnVGHNilgpGKQRFkg1jpVjlk/xueC3HIe1y2pB4NTiEVl
UHTpr7jeIs4mnqcJ7vlcjegq45PrERQlPHMdhvp7J4+Im6Jtx/TLrIfndTAqJOy2e1Lj
l4Escpf5UWYNVz7E4kuHwfcbjVCAbBS+m4xD2OlGP2WK97e8dqvdPcFH5FpTW7/aj1sw
DnZCAZ6uoWYSVB3+8NYv+8kE7418YNinzQ7LRcpYOP4t85H4wa9O89d42OY1xkSDtQvK
9HRg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=P68wo6zt5TAxWt+pCXOd683FhgHEfFqkuoHeFXwxk6A=;
fh=NF2z8D1okmMlEcQoynZki8Zq0uYBvWjLzLW7FFZFR0g=;
b=mJ3HwlyrBoOeHvS149AIVCEVBHY8i8EwQVetMZQDrLTzkItHqoNJgwTzerLrf63yr0
mvVdyuVQMjuINHOO05PJTbY3l9Knx7Bz5ZtsQL+c87r+/I2QQDAvopF9y9O4Mb1sT4o+
LkwgAq1X53bZxkNY0kejYQa+gSIIYlADC9PZLZZbggzxJ2CpEFIb2uqyr5bvogyXkk3D
PTsd1Kv17wyy7kroH1dBLpkJM0/Xdc/S6GGMsxYDkQ46/N2WvihwVz0bTq64wB/kCP3E
/zxIPeqKujmeCcL/4+5c4Uh/Z/Kva9IVdAycJmST7oYHuRsFclJG/7nhUigSOR6jVMU8
D9eA==
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@amd.com header.s=selector1 header.b=g0Cq0kUF;
arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass
fromdomain=amd.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com
Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2])
by mx.google.com with ESMTPS id
m10-20020a170902db0a00b001c7345bc007si13128919plx.486.2023.10.10.10.11.06
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 10 Oct 2023 10:11:07 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
client-ip=2620:137:e000::3:2;
Authentication-Results: mx.google.com;
dkim=pass header.i=@amd.com header.s=selector1 header.b=g0Cq0kUF;
arc=pass (i=1 spf=pass spfdomain=amd.com dmarc=pass
fromdomain=amd.com);
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:2 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amd.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by agentk.vger.email (Postfix) with ESMTP id 0D4BE809079A;
Tue, 10 Oct 2023 10:11:03 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233555AbjJJRKq (ORCPT <rfc822;rua109.linux@gmail.com>
+ 20 others); Tue, 10 Oct 2023 13:10:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54058 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232908AbjJJRKo (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 10 Oct 2023 13:10:44 -0400
Received: from NAM10-DM6-obe.outbound.protection.outlook.com
(mail-dm6nam10on2085.outbound.protection.outlook.com [40.107.93.85])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A8D0B7
for <linux-kernel@vger.kernel.org>;
Tue, 10 Oct 2023 10:10:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=DmsKnOT1U73z65cDB835xfc/Z2MCQcreQ3llaqdsVkaBax5yGQDJxKJ4oMDyX84UM0IMh8dyrMUlKSOPMrTf8EpCdAxhyxVuuEi6/iNSloGj+R/tXOC9B9Mzk3iuUJCv3OhYncCdqrQ49Kfvqu0YdcrqNVxi/hA/evJ9QGOMldkUPvawT4Fu43Mpd/hVLGfZZ4495Y0bbQZsXLrzLwA2TTXPOullCAnTYKCde7gl35DDxRNaYgQ4rV1emj+os1RKfAFOs+eSyBoWHQD1CY4EEIopREiAm6oXlvSrMsaB8cGsGLY9OHyePyFMWDso8+wreBgbrHnbp5/DjpWiuzA9Cw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=P68wo6zt5TAxWt+pCXOd683FhgHEfFqkuoHeFXwxk6A=;
b=Y+W+YEWNoRyX3fkFFhLcEUi2lXUbJQrBgFeteHs+P9dQFkum0hSLWVbfZhvTqdG2uyhoOdFVF6JwVpEdWLYeOzf/gI8qppKvBI1IiE0KtbiRWk+ItnsAreNinXFJzhi1tnLJr+5bxppAXPoJvoadCbyXXoDNoIKuCJJKugmydOfMDijBmHc9pYtzw2zXVPna5+lkjQrT5wMf/P73YeXzQMfambZvdteoS/y16VevKOr59Lv8qTSvkuQODTF3vvo1dhHmKPLKMU28bHUicZxTcORJMmEMThkFpVT53FrddrmqpeI04qpPG67mc6TwSzacHcd+HjJ/2ZLZoGk7X6vD6Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is
165.204.84.17) smtp.rcpttodomain=kernel.org smtp.mailfrom=amd.com; dmarc=pass
(p=quarantine sp=quarantine pct=100) action=none header.from=amd.com;
dkim=none (message not signed); arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amd.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=P68wo6zt5TAxWt+pCXOd683FhgHEfFqkuoHeFXwxk6A=;
b=g0Cq0kUFhfb5PjoEruMh/Tl9qu62SSCOM/+3Ryzby7K/MEamfFVjZL/NLCRY7D3xIUl0KI6d/TK1Wih8cIyDrALpfLlFBDbifEpcFE8R18/CViQ0+cA8F6zIzZzsqtiRikBSvxAocDvYeI1Mgn/wp5alFbN+anJ8YwsNNwHZQa0=
Received: from MW4P220CA0030.NAMP220.PROD.OUTLOOK.COM (2603:10b6:303:115::35)
by IA0PR12MB8352.namprd12.prod.outlook.com (2603:10b6:208:3dd::14) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6838.29; Tue, 10 Oct
2023 17:10:38 +0000
Received: from CO1PEPF000044F7.namprd21.prod.outlook.com
(2603:10b6:303:115:cafe::75) by MW4P220CA0030.outlook.office365.com
(2603:10b6:303:115::35) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6863.38 via Frontend
Transport; Tue, 10 Oct 2023 17:10:38 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 165.204.84.17)
smtp.mailfrom=amd.com; dkim=none (message not signed)
header.d=none;dmarc=pass action=none header.from=amd.com;
Received-SPF: Pass (protection.outlook.com: domain of amd.com designates
165.204.84.17 as permitted sender) receiver=protection.outlook.com;
client-ip=165.204.84.17; helo=SATLEXMB04.amd.com; pr=C
Received: from SATLEXMB04.amd.com (165.204.84.17) by
CO1PEPF000044F7.mail.protection.outlook.com (10.167.241.197) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
15.20.6907.6 via Frontend Transport; Tue, 10 Oct 2023 17:10:38 +0000
Received: from tiny.amd.com (10.180.168.240) by SATLEXMB04.amd.com
(10.181.40.145) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.27; Tue, 10 Oct
2023 12:10:37 -0500
From: David Kaplan <david.kaplan@amd.com>
To: <x86@kernel.org>, <luto@kernel.org>
CC: <linux-kernel@vger.kernel.org>,
Josh Poimboeuf <jpoimboe@kernel.org>
Subject: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk
section"
Date: Tue, 10 Oct 2023 12:10:18 -0500
Message-ID: <20231010171020.462211-2-david.kaplan@amd.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20231010171020.462211-1-david.kaplan@amd.com>
References: <20231010171020.462211-1-david.kaplan@amd.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Originating-IP: [10.180.168.240]
X-ClientProxiedBy: SATLEXMB03.amd.com (10.181.40.144) To SATLEXMB04.amd.com
(10.181.40.145)
X-EOPAttributedMessage: 0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: CO1PEPF000044F7:EE_|IA0PR12MB8352:EE_
X-MS-Office365-Filtering-Correlation-Id: 15836d23-8365-4fc4-8e0c-08dbc9b3d342
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
PKRQk3PdZv16PM4zdk3dPbXz+FbBoLEDjWH0rI1t7SyiXLn/jOPtwxzgcmvvZUwITpCAwsqWi3Eevo+3ajjR3lwnPRr7OYH3TVQh/Kfw8iAUmzzEhnsXSEBTZy3q57xgMDlxQ6geLdLXbAWqdWHUeSJYllrbhp6zpZSscQKFPk+Q9MaeAgtXeLGdlRgiFDwxCB2SsUNUY8v84aobufANg5rIZAFMwEBb7yeAJm9DdqoLZweRgKtxKZ3rVaSTH2pFZVh/3eK/IO2zGpW/Ujn+lgi1WWViH2Izlvmp+jjX6IxzVFux8eo/M2Auu7aWkwg0ilj/wzQfL7UO5mwcXgUBd1998Loek7BwQTHDtWRx23zjuJ6L7foPpCypPxyzP3kAtgNIgkA+leKV+Ge3RTLA9QSJWTxj74yD2bmI+a2aE1t3t3F6d66zpWIvo3JR2rfjnEbe8pH2rnLLoauOKF9Mx8DRLebFTEjTxI6kTOMm6A5Kxgj17FBj0GMDGtXnr4Jcytcvc6YOrltuhnnnEoslL4FqBLiU/1CbmqYv93Y/KdBcYeEGiNIARfw52vUdS8dz84dJ+uPx5SG1lB+Rnlpc3BAUDAv6V9EIgNUAYtMS1Xb0KKDMo+XrJIsNq6itxqLS1a/efv9HXVgcMdPFN1czgF+PQn6tQO2krWpNwCcS2uMoVXKNNQ00kkxAdNaH0cnxNPXINN0bIbk9f1XxNChIKS9xuqyleKmq0oaJ81flv3Lwh58tyNeLXqQEBhaj6z8ReKc6aY5ImOBW5u/7ML6dxCgaMEdCYOWXp1VWpISKT0Q=
X-Forefront-Antispam-Report:
CIP:165.204.84.17;CTRY:;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:SATLEXMB04.amd.com;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230031)(4636009)(376002)(396003)(346002)(136003)(39860400002)(230922051799003)(451199024)(1800799009)(82310400011)(64100799003)(186009)(36840700001)(46966006)(40470700004)(8936002)(82740400003)(40480700001)(478600001)(4326008)(8676002)(44832011)(7696005)(47076005)(40460700003)(36756003)(36860700001)(316002)(5660300002)(54906003)(110136005)(70206006)(41300700001)(70586007)(356005)(6666004)(1076003)(2616005)(336012)(426003)(2906002)(26005)(83380400001)(81166007)(86362001)(16526019)(142923001)(101420200003)(36900700001);DIR:OUT;SFP:1101;
X-OriginatorOrg: amd.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Oct 2023 17:10:38.1396
(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id:
15836d23-8365-4fc4-8e0c-08dbc9b3d342
X-MS-Exchange-CrossTenant-Id: 3dd8961f-e488-4e60-8e11-a82d994e183d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp:
TenantId=3dd8961f-e488-4e60-8e11-a82d994e183d;Ip=[165.204.84.17];Helo=[SATLEXMB04.amd.com]
X-MS-Exchange-CrossTenant-AuthSource:
CO1PEPF000044F7.namprd21.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA0PR12MB8352
X-Spam-Status: No, score=2.7 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,
URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]);
Tue, 10 Oct 2023 10:11:03 -0700 (PDT)
X-Spam-Level: **
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1779389292753251999
X-GMAIL-MSGID: 1779389292753251999
|
| Series |
Ensure default return thunk isn't used at runtime
|
|
Commit Message
Kaplan, David
Oct. 10, 2023, 5:10 p.m. UTC
This reverts commit e92626af3234708fe30f53b269d210d202b95206.
This commit broke patching of the return thunk jmp in the retpoline
sequence.
Before (broken sequence):
objdump -d -r arch/x86/lib/retpoline.o:
0000000000000000 <__x86_indirect_thunk_array>:
...
a: e9 d1 02 00 00 jmpq 2e0 <__x86_return_thunk>
live disassembly at runtime:
0xffffffff81d12a8a <+10>: jmpq 0xffffffff81d12d60
<__x86_return_thunk>
This jmp to the default return thunk should not happen after alternatives
patching.
After reverting this:
objdump -d -r arch/x86/lib/retpoline.o:
0000000000000000 <__x86_indirect_thunk_array>:
...
a: e9 00 00 00 00 jmpq f <__x86_indirect_thunk_array+0xf>
b: R_X86_64_PLT32 __x86_return_thunk-0x4
live disassembly at runtime:
0xffffffff81d12a8a <+10>: jmpq 0xffffffff81f0410b
<srso_alias_return_thunk>
This is correct as the jmp is written to the correct return sequence.
objtool (add_jump_destinations()) only recognizes return thunk jmps that have
relocation entries, which will not occur if the return thunk is in the
same section as the indirect thunks.
Signed-off-by: David Kaplan <david.kaplan@amd.com>
Cc: Josh Poimboeuf <jpoimboe@kernel.org>
---
arch/x86/kernel/vmlinux.lds.S | 3 +++
arch/x86/lib/retpoline.S | 2 ++
2 files changed, 5 insertions(+)
Comments
On Tue, Oct 10, 2023 at 12:10:18PM -0500, David Kaplan wrote: > arch/x86/kernel/vmlinux.lds.S | 3 +++ > arch/x86/lib/retpoline.S | 2 ++ > 2 files changed, 5 insertions(+) > > diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S > index 9cdb1a7332c4..54a5596adaa6 100644 > --- a/arch/x86/kernel/vmlinux.lds.S > +++ b/arch/x86/kernel/vmlinux.lds.S > @@ -132,7 +132,10 @@ SECTIONS > LOCK_TEXT > KPROBES_TEXT > SOFTIRQENTRY_TEXT > +#ifdef CONFIG_RETPOLINE > *(.text..__x86.indirect_thunk) > + *(.text..__x86.return_thunk) > +#endif > STATIC_CALL_TEXT > > ALIGN_ENTRY_TEXT_BEGIN > diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S > index db813113e637..3da768a71cf9 100644 > --- a/arch/x86/lib/retpoline.S > +++ b/arch/x86/lib/retpoline.S > @@ -129,6 +129,8 @@ SYM_CODE_END(__x86_indirect_jump_thunk_array) > > #ifdef CONFIG_RETHUNK Perhaps elucidate the future reader with a comment here? Lest someone tries removing it again. > > + .section .text..__x86.return_thunk > + > #ifdef CONFIG_CPU_SRSO
On Tue, Oct 10, 2023 at 07:48:33PM +0200, Peter Zijlstra wrote: > On Tue, Oct 10, 2023 at 12:10:18PM -0500, David Kaplan wrote: > > > arch/x86/kernel/vmlinux.lds.S | 3 +++ > > arch/x86/lib/retpoline.S | 2 ++ > > 2 files changed, 5 insertions(+) > > > > diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S > > index 9cdb1a7332c4..54a5596adaa6 100644 > > --- a/arch/x86/kernel/vmlinux.lds.S > > +++ b/arch/x86/kernel/vmlinux.lds.S > > @@ -132,7 +132,10 @@ SECTIONS > > LOCK_TEXT > > KPROBES_TEXT > > SOFTIRQENTRY_TEXT > > +#ifdef CONFIG_RETPOLINE > > *(.text..__x86.indirect_thunk) > > + *(.text..__x86.return_thunk) > > +#endif > > STATIC_CALL_TEXT > > > > ALIGN_ENTRY_TEXT_BEGIN > > diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S > > index db813113e637..3da768a71cf9 100644 > > --- a/arch/x86/lib/retpoline.S > > +++ b/arch/x86/lib/retpoline.S > > @@ -129,6 +129,8 @@ SYM_CODE_END(__x86_indirect_jump_thunk_array) > > > > #ifdef CONFIG_RETHUNK > > Perhaps elucidate the future reader with a comment here? Lest someone > tries removing it again. Yes, please. Also we could make objtool properly detect the non-relocated jump target. But this works for now.
On Tue, Oct 10, 2023 at 12:57:21PM -0700, Josh Poimboeuf wrote: > Also we could make objtool properly detect the non-relocated jump > target. I was wondering about that... I guess it can compute the JMP target and compare it to the address of __x86_return_thunk?
On Tue, Oct 10, 2023 at 10:04:29PM +0200, Borislav Petkov wrote: > On Tue, Oct 10, 2023 at 12:57:21PM -0700, Josh Poimboeuf wrote: > > Also we could make objtool properly detect the non-relocated jump > > target. > > I was wondering about that... I guess it can compute the JMP target and > compare it to the address of __x86_return_thunk? Fine, you twisted my arm ;-) This seems to do the trick. Lemme write up a proper patch. diff --git a/tools/objtool/check.c b/tools/objtool/check.c index e308d1ba664e..6cbc9812a36e 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -1610,6 +1610,11 @@ static int add_jump_destinations(struct objtool_file *file) return -1; } + if (jump_dest->sym && jump_dest->sym->return_thunk) { + add_return_call(file, insn, true); + continue; + } + /* * Cross-function jump. */
[AMD Official Use Only - General] > -----Original Message----- > From: Josh Poimboeuf <jpoimboe@kernel.org> > Sent: Tuesday, October 10, 2023 3:19 PM > To: Borislav Petkov <bp@alien8.de> > Cc: Peter Zijlstra <peterz@infradead.org>; Kaplan, David > <David.Kaplan@amd.com>; x86@kernel.org; luto@kernel.org; linux- > kernel@vger.kernel.org > Subject: Re: [PATCH 1/3] Revert "x86/retpoline: Remove > .text..__x86.return_thunk section" > > Caution: This message originated from an External Source. Use proper caution > when opening attachments, clicking links, or responding. > > > On Tue, Oct 10, 2023 at 10:04:29PM +0200, Borislav Petkov wrote: > > On Tue, Oct 10, 2023 at 12:57:21PM -0700, Josh Poimboeuf wrote: > > > Also we could make objtool properly detect the non-relocated jump > > > target. > > > > I was wondering about that... I guess it can compute the JMP target > > and compare it to the address of __x86_return_thunk? > > Fine, you twisted my arm ;-) > > This seems to do the trick. Lemme write up a proper patch. > > diff --git a/tools/objtool/check.c b/tools/objtool/check.c index > e308d1ba664e..6cbc9812a36e 100644 > --- a/tools/objtool/check.c > +++ b/tools/objtool/check.c > @@ -1610,6 +1610,11 @@ static int add_jump_destinations(struct > objtool_file *file) > return -1; > } > > + if (jump_dest->sym && jump_dest->sym->return_thunk) { > + add_return_call(file, insn, true); > + continue; > + } > + > /* > * Cross-function jump. > */ This looks good to me in my testing so far. --David Kaplan
On Tue, Oct 10, 2023 at 01:19:12PM -0700, Josh Poimboeuf wrote: > On Tue, Oct 10, 2023 at 10:04:29PM +0200, Borislav Petkov wrote: > > On Tue, Oct 10, 2023 at 12:57:21PM -0700, Josh Poimboeuf wrote: > > > Also we could make objtool properly detect the non-relocated jump > > > target. > > > > I was wondering about that... I guess it can compute the JMP target and > > compare it to the address of __x86_return_thunk? > > Fine, you twisted my arm ;-) > > This seems to do the trick. Lemme write up a proper patch. Here is said patch. ---8<--- From: Josh Poimboeuf <jpoimboe@kernel.org> Subject: [PATCH] objtool: Fix return thunk patching in retpolines With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates all such return sites so they can be patched during boot by apply_returns(). The implementation of __x86_return_thunk() is just a bare RET. It's only meant to be used temporarily until apply_returns() patches all return sites with either a JMP to another return thunk or an actual RET. The following commit e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines broke objtool's detection of return sites in retpolines. Since retpolines and return thunks are now in the same section, the compiler no longer uses relocations for the intra-section jumps between the retpolines and the return thunk, causing objtool to overlook them. As a result, none of the retpolines' return sites get patched. Each one stays at 'JMP __x86_return_thunk', effectively a bare RET. Fix it by teaching objtool to detect when a non-relocated jump target is a return thunk. Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") Reported-by: David Kaplan <david.kaplan@amd.com> Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> --- tools/objtool/check.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index e308d1ba664e..556469db4239 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) return -1; } + /* + * Since retpolines are in the same section as the return + * thunk, they might not use a relocation when branching to it. + */ + if (jump_dest->sym && jump_dest->sym->return_thunk) { + add_return_call(file, insn, true); + continue; + } + /* * Cross-function jump. */
On Tue, Oct 10, 2023 at 02:22:54PM -0700, Josh Poimboeuf wrote: > From: Josh Poimboeuf <jpoimboe@kernel.org> > Subject: [PATCH] objtool: Fix return thunk patching in retpolines > > With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail > call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates > all such return sites so they can be patched during boot by > apply_returns(). > > The implementation of __x86_return_thunk() is just a bare RET. It's > only meant to be used temporarily until apply_returns() patches all > return sites with either a JMP to another return thunk or an actual RET. > > The following commit > > e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines > > broke objtool's detection of return sites in retpolines. Since > retpolines and return thunks are now in the same section, the compiler > no longer uses relocations for the intra-section jumps between the > retpolines and the return thunk, causing objtool to overlook them. > > As a result, none of the retpolines' return sites get patched. Each one > stays at 'JMP __x86_return_thunk', effectively a bare RET. > > Fix it by teaching objtool to detect when a non-relocated jump target is > a return thunk. > > Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") > Reported-by: David Kaplan <david.kaplan@amd.com> > Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> > --- > tools/objtool/check.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/tools/objtool/check.c b/tools/objtool/check.c > index e308d1ba664e..556469db4239 100644 > --- a/tools/objtool/check.c > +++ b/tools/objtool/check.c > @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) > return -1; > } > > + /* > + * Since retpolines are in the same section as the return > + * thunk, they might not use a relocation when branching to it. > + */ > + if (jump_dest->sym && jump_dest->sym->return_thunk) { > + add_return_call(file, insn, true); > + continue; > + } *urgh*... I mean, yes, that obviously works, but should we not also have the retpoline thingy for consistency? That case makes less sense though :/ Perhaps warn about this instead of fixing it? Forcing people to play the section game? I dunno.. no real strong opinions.
On Wed, Oct 11, 2023 at 09:41:42AM +0200, Peter Zijlstra wrote: > *urgh*... I mean, yes, that obviously works, but should we not also have > the retpoline thingy for consistency? That case makes less sense though > :/ > > Perhaps warn about this instead of fixing it? Forcing people to play the > section game? I like the conservative aspect of that: keep the separate sections and warn if the return thunk is in the same section. Thx.
On Wed, Oct 11, 2023 at 09:41:42AM +0200, Peter Zijlstra wrote: > > +++ b/tools/objtool/check.c > > @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) > > return -1; > > } > > > > + /* > > + * Since retpolines are in the same section as the return > > + * thunk, they might not use a relocation when branching to it. > > + */ > > + if (jump_dest->sym && jump_dest->sym->return_thunk) { > > + add_return_call(file, insn, true); > > + continue; > > + } > > *urgh*... I mean, yes, that obviously works, but should we not also have > the retpoline thingy for consistency? That case makes less sense though > :/ Consistency with what? The extra section seems pointless but maybe I'm missing something.
On Wed, Oct 11, 2023 at 09:28:43AM -0700, Josh Poimboeuf wrote: > On Wed, Oct 11, 2023 at 09:41:42AM +0200, Peter Zijlstra wrote: > > > +++ b/tools/objtool/check.c > > > @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) > > > return -1; > > > } > > > > > > + /* > > > + * Since retpolines are in the same section as the return > > > + * thunk, they might not use a relocation when branching to it. > > > + */ > > > + if (jump_dest->sym && jump_dest->sym->return_thunk) { > > > + add_return_call(file, insn, true); > > > + continue; > > > + } > > > > *urgh*... I mean, yes, that obviously works, but should we not also have > > the retpoline thingy for consistency? That case makes less sense though > > :/ > > Consistency with what? the reloc case; specifically, I was thinking something along these lines: if (jump-dest->sym && jump_dest->sym->retpoline_thunk) { add_retpoline_call(file, insn); continue; } Then both reloc and immediate versions are more or less the same. > The extra section seems pointless but maybe I'm missing something. By having the section things are better delineated I suppose, be it retpolines or rethunks, all references should be to inside the section (and thus have a reloc) while within the section there should never be a reference to itself. I'm not sure it's worth much, but then we can have the above two cases issue a WARN instead of fixing it up. I don't care too deeply, I can't make up my mind either way. But perhaps keeping the section is easier on all the backports, it's easy to forget a tiny objtool patch like this.
* Peter Zijlstra <peterz@infradead.org> wrote: > I don't care too deeply, I can't make up my mind either way. But perhaps > keeping the section is easier on all the backports, it's easy to forget a > tiny objtool patch like this. If the objtool fix has a Fixes tag that points to one of the major mitigation commits, then it won't be forgotten. Arguably the new objtool is more robust against what could happen, so that patch is not going away - and with that patch mainline doesn't have to keep the (now ...) pointless section. Maybe change the commit order around: first add the objtool fix, then remove the section, pointing back to the objtool SHA1 in the very next commit, explaining that the objtool fix enables this change. That makes it all backporting-proof as well. Thanks, Ingo
On Thu, Oct 12, 2023 at 12:35:13AM +0200, Peter Zijlstra wrote: > On Wed, Oct 11, 2023 at 09:28:43AM -0700, Josh Poimboeuf wrote: > > On Wed, Oct 11, 2023 at 09:41:42AM +0200, Peter Zijlstra wrote: > > > > +++ b/tools/objtool/check.c > > > > @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) > > > > return -1; > > > > } > > > > > > > > + /* > > > > + * Since retpolines are in the same section as the return > > > > + * thunk, they might not use a relocation when branching to it. > > > > + */ > > > > + if (jump_dest->sym && jump_dest->sym->return_thunk) { > > > > + add_return_call(file, insn, true); > > > > + continue; > > > > + } > > > > > > *urgh*... I mean, yes, that obviously works, but should we not also have > > > the retpoline thingy for consistency? That case makes less sense though > > > :/ > > > > Consistency with what? > > the reloc case; specifically, I was thinking something along these > lines: > > if (jump-dest->sym && jump_dest->sym->retpoline_thunk) { > add_retpoline_call(file, insn); > continue; > } > > Then both reloc and immediate versions are more or less the same. Ok, I see. If somebody were to do a {JMP,CALL}_NOSPEC somewhere in retpoline.S, it would break similarly. It doesn't hurt to add that to the patch, that way retpoline/rethunk site detection is all handled the same. > > The extra section seems pointless but maybe I'm missing something. > > By having the section things are better delineated I suppose, be it > retpolines or rethunks, all references should be to inside the section > (and thus have a reloc) while within the section there should never be > a reference to itself. As far as delineating things goes, a good argument could be made to instead do that on the source code level. i.e., put the rethunk code in rethunk.S rather than retpoline.S. Incidentally, that would also fix this problem. From an object code standpoint, objtool is the only one who cares about the relocs. It's a good idea to make objtool more robust against non-relocs regardless, as the reloc assumption could always be broken later by LTO. BTW, I wonder if we can also get rid of .text..__x86.indirect_thunk and just put most of the retpoline/rethunk code in .text (other than than the SRSO aliasing hacks which still need special placement).
On Wed, Oct 11, 2023 at 07:27:58PM -0700, Josh Poimboeuf wrote: > From an object code standpoint, objtool is the only one who cares about > the relocs. It's a good idea to make objtool more robust against > non-relocs regardless, as the reloc assumption could always be broken > later by LTO. AFAIK LTO runs before the actual link stage and doesn't resolve inter-section references, but yeah, that might just be an implementation detail. Fair enough.
diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S index 9cdb1a7332c4..54a5596adaa6 100644 --- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -132,7 +132,10 @@ SECTIONS LOCK_TEXT KPROBES_TEXT SOFTIRQENTRY_TEXT +#ifdef CONFIG_RETPOLINE *(.text..__x86.indirect_thunk) + *(.text..__x86.return_thunk) +#endif STATIC_CALL_TEXT ALIGN_ENTRY_TEXT_BEGIN diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S index db813113e637..3da768a71cf9 100644 --- a/arch/x86/lib/retpoline.S +++ b/arch/x86/lib/retpoline.S @@ -129,6 +129,8 @@ SYM_CODE_END(__x86_indirect_jump_thunk_array) #ifdef CONFIG_RETHUNK + .section .text..__x86.return_thunk + #ifdef CONFIG_CPU_SRSO /*