| Message ID | 20240226-verw-arg-fix-v1-1-7b37ee6fd57d@linux.intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:7300:a81b:b0:108:e6aa:91d0 with SMTP id
bq27csp2426889dyb;
Mon, 26 Feb 2024 17:10:14 -0800 (PST)
X-Forwarded-Encrypted: i=3;
AJvYcCXRT5lxWXscQedvKyssiqF3CGgomlqoj9iZZAo/hQhLLCxbejJ+HAySPMVmLyB6TE+RLoKSbr5fmLVxobpAvJ1oX6nIjA==
X-Google-Smtp-Source:
AGHT+IGf5eTSj3/NuwM93rtpSGj1h/lABeoAtAVMi6VhMNi1CUQdZ+MiTSca5kwD+jy+dQrcODhF
X-Received: by 2002:a05:6214:f23:b0:68f:22b1:8e24 with SMTP id
iw3-20020a0562140f2300b0068f22b18e24mr1228331qvb.28.1708996214499;
Mon, 26 Feb 2024 17:10:14 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1708996214; cv=pass;
d=google.com; s=arc-20160816;
b=IiCw02oc69jk9/I8QktavS2dWWAW53R3Y8UhOhUlmxjNMtciMQkt85MYnvu/SCdlZm
YMp77YnFtgXJ3vOFo1LrQBxSmlvlZTStxw8LKQBWjZx9mpK+tWn4jNTsgf54AZeSkqSG
79kHuw+P1g60QP0eG77DM1uLRGAdORaEuf1ewuXKZlSzWcmuoY30wUN42xZOnQnPpQjX
0Q1dRFkpTY/Zfgo2NwGIwJFbPKz74e8Wvm0AB5OnbqKzs62grFv4G6ilhSg4/mlb78kE
J+LavYLTnhpjvf6FkpLlPtyJKmzz9ZnxSH4/LBRyI+gtGRgLU16TXcnI29/dmvwD6khw
aNlQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=content-disposition:mime-version:list-unsubscribe:list-subscribe
:list-id:precedence:message-id:subject:cc:to:from:date
:dkim-signature;
bh=KYuxNfHytXCiu750xUqMLTeHDN76m54tB8hq/19FVdM=;
fh=/SW4r5cWHmOVQk4Z9jg6TjPU2RamqwhieJHWWEMeL/U=;
b=UF5ydQfys1JVx0o1xxrQD/4zSPau9qRVU4xUoVGCuL/KATuhx56taOMDM8nP0W/A0N
9TsD69obQODdDG832XHV+aBJjWpl2dnflFWG/KBL9aO4a2mRR5+WSoOlK6gMeXAJtiny
TXWGlm4C5IWWL5wkWlVR+XrNEOORgnw4DvCNtqrtnYJ6pCTNeSCYtXUQl5opAVkKH/yW
29Q23TlFR7rIVmMXu3gQh40XHvZJcjooeYW2xXHaiuVt5dV71Vvah4t8n9Ma9KKUGreH
BQMxvpcwYxpjw4jYfbD7QP+Y67DmvLS08re0pczdxECeqX8Q69GUgQSxlCUXbmir61WR
l4TA==;
dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=eKmUSclU;
arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass
fromdomain=linux.intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org.
[2604:1380:45d1:ec00::1])
by mx.google.com with ESMTPS id
gu15-20020a056214260f00b0068ccc1e5d6csi6575576qvb.41.2024.02.26.17.10.14
for <ouuuleilei@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 26 Feb 2024 17:10:14 -0800 (PST)
Received-SPF: pass (google.com: domain of
linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=eKmUSclU;
arc=pass (i=1 dkim=pass dkdomain=intel.com dmarc=pass
fromdomain=linux.intel.com);
spf=pass (google.com: domain of
linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org designates
2604:1380:45d1:ec00::1 as permitted sender)
smtp.mailfrom="linux-kernel+bounces-82456-ouuuleilei=gmail.com@vger.kernel.org";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
[52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ny.mirrors.kernel.org (Postfix) with ESMTPS id 438421C22C77
for <ouuuleilei@gmail.com>; Mon, 26 Feb 2024 23:52:50 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
by smtp.subspace.kernel.org (Postfix) with ESMTP id 1B597135A7B;
Mon, 26 Feb 2024 23:52:40 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b="eKmUSclU"
Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.20])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by smtp.subspace.kernel.org (Postfix) with ESMTPS id 658AE1E894
for <linux-kernel@vger.kernel.org>; Mon, 26 Feb 2024 23:52:35 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
arc=none smtp.client-ip=198.175.65.20
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
t=1708991557; cv=none;
b=t0xJF52DaffL8nMiS257jBwGLE1Kyap0+kHL5uzfnGxdg1cGusyaviz6cIdnti0UyLpmj0sqZeUH3SHeb7i54OFtyHHjBOjkYdVbQ6hbm6V5CqDGkxB4c/ss0QJLkf98t0g1m7VDRrfLXSAGP6JC+08C+X7kLAx1PsoH0o4s2Xg=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
s=arc-20240116; t=1708991557; c=relaxed/simple;
bh=XIVySJ6fBrUqstD49rkPpA3Y2psGokotiQmfXjTagF0=;
h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type:
Content-Disposition;
b=qZ6mIpuchOR89awBO0bkhCAjSOvpjh2Swd3TYShPlZ32vs7DnXNZrrDUfEiz/KCt16VVnPRmZQxPX2OSBrt199NSSFiAOkdbYPe1IcDDrJUEHoYEVS4b8mGte07ujVgbgnDP+INF6JIG8skehWOz4aWxKX9JafyR83JLUUl26YY=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.intel.com;
spf=none smtp.mailfrom=linux.intel.com;
dkim=pass (2048-bit key) header.d=intel.com header.i=@intel.com
header.b=eKmUSclU; arc=none smtp.client-ip=198.175.65.20
Authentication-Results: smtp.subspace.kernel.org;
dmarc=pass (p=none dis=none) header.from=linux.intel.com
Authentication-Results: smtp.subspace.kernel.org;
spf=none smtp.mailfrom=linux.intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1708991555; x=1740527555;
h=date:from:to:cc:subject:message-id:mime-version;
bh=XIVySJ6fBrUqstD49rkPpA3Y2psGokotiQmfXjTagF0=;
b=eKmUSclUeXutWPjCmdUxo/PKMYZ5zh4wDlXnrlhGoTI6fgvJVcldNW/t
geD2asjt0yNApa9/+Jtb9JSBg9TS+yEK74KEDdPmkaE4KN5d4455UmHIz
KKl+8Ov0GBOHEbHaDvxa1fwUP0TeIS4jtVA0xcCNM/FzZiQBW2gZfC3sM
2bbbrV6SruGBUAfocZswn3J322Bw00I2clCUTgL6Hr2W9hwdT7eX4c+3y
+cWaEohXImGpyYe3FawuXEhX+7KaIXBG4449/hi/HNcPUoesecslF4Aae
o+rTeR8FvdEUnChl0Ewe5d5qhxyQJ2gnozYSUXvZWS2hFSdPDqBS9j83z
g==;
X-IronPort-AV: E=McAfee;i="6600,9927,10996"; a="3179668"
X-IronPort-AV: E=Sophos;i="6.06,187,1705392000";
d="scan'208";a="3179668"
Received: from orviesa004.jf.intel.com ([10.64.159.144])
by orvoesa112.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
26 Feb 2024 15:52:34 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="6.06,187,1705392000";
d="scan'208";a="11511965"
Received: from jhaqq-mobl1.amr.corp.intel.com (HELO desk) ([10.209.17.170])
by orviesa004-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
26 Feb 2024 15:52:35 -0800
Date: Mon, 26 Feb 2024 15:52:33 -0800
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
To: Thomas Gleixner <tglx@linutronix.de>, Borislav Petkov <bp@alien8.de>,
Peter Zijlstra <peterz@infradead.org>,
Josh Poimboeuf <jpoimboe@kernel.org>,
Ingo Molnar <mingo@redhat.com>,
Dave Hansen <dave.hansen@linux.intel.com>, x86@kernel.org,
"H. Peter Anvin" <hpa@zytor.com>
Cc: Daniel Sneddon <daniel.sneddon@linux.intel.com>,
Nikolay Borisov <nik.borisov@suse.com>,
linux-kernel@vger.kernel.org,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Subject: [PATCH] x86/bugs: Use fixed addressing for VERW operand
Message-ID: <20240226-verw-arg-fix-v1-1-7b37ee6fd57d@linux.intel.com>
X-B4-Tracking: v=1; b=H4sIAPAj3WUC/x2MQQqAIBAAvxJ7bsEszPpKdBDbbC8WK1gg/T3pO
AMzBRIJU4K5KSCUOfEZK3RtA/5wMRDyVhm00oPS2mAmudFJwJ0fHCfjTK+s9cMGNbmEqv53y/q
+H0StzMheAAAA
X-Mailer: b4 0.12.3
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1792012414422423994
X-GMAIL-MSGID: 1792012414422423994
|
| Series |
x86/bugs: Use fixed addressing for VERW operand
|
|
Commit Message
Pawan Gupta
Feb. 26, 2024, 11:52 p.m. UTC
Macro used for MDS mitigation executes VERW with relative addressing for
the operand. This is unnecessary and creates a problem for backports on
older kernels that don't support relocations in alternatives. Relocation
support was added by commit 270a69c4485d ("x86/alternative: Support
relocations in alternatives"). Also asm for fixed addressing is much
more cleaner than relative RIP addressing.
Simplify the asm by using fixed addressing for VERW operand.
Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW")
Reported-by: Nikolay Borisov <nik.borisov@suse.com>
Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
---
arch/x86/include/asm/nospec-branch.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
---
base-commit: d206a76d7d2726f3b096037f2079ce0bd3ba329b
change-id: 20240226-verw-arg-fix-796a63088c4d
Comments
On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: > Macro used for MDS mitigation executes VERW with relative addressing for > the operand. This is unnecessary and creates a problem for backports on > older kernels that don't support relocations in alternatives. Relocation > support was added by commit 270a69c4485d ("x86/alternative: Support > relocations in alternatives"). Also asm for fixed addressing is much > more cleaner than relative RIP addressing. > > Simplify the asm by using fixed addressing for VERW operand. > > Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") > Reported-by: Nikolay Borisov <nik.borisov@suse.com> > Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> > --- > arch/x86/include/asm/nospec-branch.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h > index 2aa52cab1e46..ab19c7f1167b 100644 > --- a/arch/x86/include/asm/nospec-branch.h > +++ b/arch/x86/include/asm/nospec-branch.h > @@ -323,7 +323,7 @@ > * Note: Only the memory operand variant of VERW clears the CPU buffers. > */ > .macro CLEAR_CPU_BUFFERS > - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF > + ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF Actually thinking about it more and discussing with Jiri (cc'ed), will this work with KASLR enabled? > .endm > > #else /* __ASSEMBLY__ */ > > --- > base-commit: d206a76d7d2726f3b096037f2079ce0bd3ba329b > change-id: 20240226-verw-arg-fix-796a63088c4d >
On 27. 02. 24, 9:47, Nikolay Borisov wrote: > > > On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: >> Macro used for MDS mitigation executes VERW with relative addressing for >> the operand. This is unnecessary and creates a problem for backports on >> older kernels that don't support relocations in alternatives. Relocation >> support was added by commit 270a69c4485d ("x86/alternative: Support >> relocations in alternatives"). Also asm for fixed addressing is much >> more cleaner than relative RIP addressing. >> >> Simplify the asm by using fixed addressing for VERW operand. >> >> Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") >> Reported-by: Nikolay Borisov <nik.borisov@suse.com> >> Closes: >> https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ >> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> >> --- >> arch/x86/include/asm/nospec-branch.h | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/arch/x86/include/asm/nospec-branch.h >> b/arch/x86/include/asm/nospec-branch.h >> index 2aa52cab1e46..ab19c7f1167b 100644 >> --- a/arch/x86/include/asm/nospec-branch.h >> +++ b/arch/x86/include/asm/nospec-branch.h >> @@ -323,7 +323,7 @@ >> * Note: Only the memory operand variant of VERW clears the CPU >> buffers. >> */ >> .macro CLEAR_CPU_BUFFERS >> - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), >> X86_FEATURE_CLEAR_CPU_BUF >> + ALTERNATIVE "", __stringify(verw mds_verw_sel), >> X86_FEATURE_CLEAR_CPU_BUF > > Actually thinking about it more and discussing with Jiri (cc'ed), will > this work with KASLR enabled? I might of course be wrong. We appear to rely on the asm+linker here. Please see also: https://lore.kernel.org/r/fd8f2df0-563e-4f5c-aca4-bc92a14e9426@kernel.org thanks,
On Tue, Feb 27, 2024 at 10:43:53AM +0100, Jiri Slaby wrote: > On 27. 02. 24, 9:47, Nikolay Borisov wrote: > > > > > > On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: > > > Macro used for MDS mitigation executes VERW with relative addressing for > > > the operand. This is unnecessary and creates a problem for backports on > > > older kernels that don't support relocations in alternatives. Relocation > > > support was added by commit 270a69c4485d ("x86/alternative: Support > > > relocations in alternatives"). Also asm for fixed addressing is much > > > more cleaner than relative RIP addressing. > > > > > > Simplify the asm by using fixed addressing for VERW operand. > > > > > > Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") > > > Reported-by: Nikolay Borisov <nik.borisov@suse.com> > > > Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ > > > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> > > > --- > > > arch/x86/include/asm/nospec-branch.h | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/arch/x86/include/asm/nospec-branch.h > > > b/arch/x86/include/asm/nospec-branch.h > > > index 2aa52cab1e46..ab19c7f1167b 100644 > > > --- a/arch/x86/include/asm/nospec-branch.h > > > +++ b/arch/x86/include/asm/nospec-branch.h > > > @@ -323,7 +323,7 @@ > > > * Note: Only the memory operand variant of VERW clears the CPU > > > buffers. > > > */ > > > .macro CLEAR_CPU_BUFFERS > > > - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), > > > X86_FEATURE_CLEAR_CPU_BUF > > > + ALTERNATIVE "", __stringify(verw mds_verw_sel), > > > X86_FEATURE_CLEAR_CPU_BUF > > > > Actually thinking about it more and discussing with Jiri (cc'ed), will > > this work with KASLR enabled? > > I might of course be wrong. We appear to rely on the asm+linker here. You were right, with KASLR enabled, instructions with fixed addressing in alternatives don't get relocated. I guess we will have to keep rip-relative as is. Thanks for catching that.
On Mon, Feb 26, 2024 at 03:52:33PM -0800, Pawan Gupta wrote: > Macro used for MDS mitigation executes VERW with relative addressing for > the operand. This is unnecessary and creates a problem for backports on > older kernels that don't support relocations in alternatives. Relocation > support was added by commit 270a69c4485d ("x86/alternative: Support > relocations in alternatives"). Also asm for fixed addressing is much > more cleaner than relative RIP addressing. > > Simplify the asm by using fixed addressing for VERW operand. > > Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") > Reported-by: Nikolay Borisov <nik.borisov@suse.com> > Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> > --- > arch/x86/include/asm/nospec-branch.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h > index 2aa52cab1e46..ab19c7f1167b 100644 > --- a/arch/x86/include/asm/nospec-branch.h > +++ b/arch/x86/include/asm/nospec-branch.h > @@ -323,7 +323,7 @@ > * Note: Only the memory operand variant of VERW clears the CPU buffers. > */ > .macro CLEAR_CPU_BUFFERS > - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF > + ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF Extremely sorry this change will not work with KASLR. The patch was rushed to facilitate backports, and was only tested on qemu that had KASLR disabled. :( Lesson learnt. Please drop this patch.
On Wed, Feb 28, 2024 at 05:39:27PM -0800, Pawan Gupta wrote: > On Tue, Feb 27, 2024 at 10:43:53AM +0100, Jiri Slaby wrote: > > On 27. 02. 24, 9:47, Nikolay Borisov wrote: > > > > > > > > > On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: > > > > Macro used for MDS mitigation executes VERW with relative addressing for > > > > the operand. This is unnecessary and creates a problem for backports on > > > > older kernels that don't support relocations in alternatives. Relocation > > > > support was added by commit 270a69c4485d ("x86/alternative: Support > > > > relocations in alternatives"). Also asm for fixed addressing is much > > > > more cleaner than relative RIP addressing. > > > > > > > > Simplify the asm by using fixed addressing for VERW operand. > > > > > > > > Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") > > > > Reported-by: Nikolay Borisov <nik.borisov@suse.com> > > > > Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ > > > > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> > > > > --- > > > > arch/x86/include/asm/nospec-branch.h | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/arch/x86/include/asm/nospec-branch.h > > > > b/arch/x86/include/asm/nospec-branch.h > > > > index 2aa52cab1e46..ab19c7f1167b 100644 > > > > --- a/arch/x86/include/asm/nospec-branch.h > > > > +++ b/arch/x86/include/asm/nospec-branch.h > > > > @@ -323,7 +323,7 @@ > > > > * Note: Only the memory operand variant of VERW clears the CPU > > > > buffers. > > > > */ > > > > .macro CLEAR_CPU_BUFFERS > > > > - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), > > > > X86_FEATURE_CLEAR_CPU_BUF > > > > + ALTERNATIVE "", __stringify(verw mds_verw_sel), > > > > X86_FEATURE_CLEAR_CPU_BUF > > > > > > Actually thinking about it more and discussing with Jiri (cc'ed), will > > > this work with KASLR enabled? > > > > I might of course be wrong. We appear to rely on the asm+linker here. > > You were right, with KASLR enabled, instructions with fixed addressing > in alternatives don't get relocated. I guess we will have to keep > rip-relative as is. Thanks for catching that. Looks like this is not settled yet, it was naive of me to trust gdb on /proc/kcore earlier with KASLR enabled. With the below debug patch it appears the relocation with fixed addresses is working as expected with KASLR enabled. diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 6a1fe302c1fd..ae4168db453d 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,7 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF + ALTERNATIVE "", __stringify(verw mds_verw_sel; ud2), X86_FEATURE_CLEAR_CPU_BUF .endm #else /* __ASSEMBLY__ */ --- With the patch adding #UD after verw I get below panic: [ 1.402347] traps: PANIC: double fault, error_code: 0x0 [ 1.402350] double fault: 0000 [#1] PREEMPT SMP PTI [ 1.402353] CPU: 0 PID: 1 Comm: init Not tainted 6.7.6-00007-ga040ab9fe827-dirty #27 [ 1.402355] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 1.402356] RIP: 0010:entry_SYSRETQ_unsafe_stack+0xb/0x10 [ 1.402365] Code: c7 eb 08 48 89 c7 48 0f ba ef 3f 48 81 cf 00 08 00 00 48 81 cf 00 10 00 00 0f 22 df 58 5f 5c 0f 01 f8 0f 00 2c 25 00 00 60 ab <0f> 0b 48 0f 07 cc 0f 1f 44 00 00 56 48 8b 74 24 08 48 89 7c 24 08 [ 1.402366] RSP: 0018:00007ffe253461f8 EFLAGS: 000100c6 [ 1.402369] RAX: 000055e5c94f7000 RBX: 00007f3d8d9b4e80 RCX: 00007f3d8d9b8f9b [ 1.402370] RDX: 0000000000000000 RSI: 00007ffe253461ec RDI: 0000000000000000 [ 1.402371] RBP: 00007ffe25346290 R08: 0000000000000000 R09: 0000000000000022 [ 1.402372] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d8d993000 [ 1.402373] R13: 0000002300000007 R14: 0000000000000007 R15: 00007ffe253462a0 [ 1.402378] FS: 0000000000000000(0000) GS:ffff906d3bc00000(0000) knlGS:ffff906d3bc00000 [ 1.402380] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.402381] CR2: 00007ffe253461e8 CR3: 00000001002a8003 CR4: 00000000007706f0 [ 1.402382] PKRU: 55555554 [ 1.402383] Call Trace: [ 1.402384] <#DF> [ 1.402386] ? die+0x37/0x90 [ 1.402390] ? exc_double_fault+0xcf/0x180 [ 1.402394] ? asm_exc_double_fault+0x23/0x30 [ 1.402397] ? entry_SYSRETQ_unsafe_stack+0xb/0x10 [ 1.402400] </#DF> [ 1.402401] Modules linked in: [ 1.402403] Dumping ftrace buffer: [ 1.402406] (ftrace buffer empty) [ 1.402407] ---[ end trace 0000000000000000 ]--- [ 1.402408] RIP: 0010:entry_SYSRETQ_unsafe_stack+0xb/0x10 [ 1.402411] Code: c7 eb 08 48 89 c7 48 0f ba ef 3f 48 81 cf 00 08 00 00 48 81 cf 00 10 00 00 0f 22 df 58 5f 5c 0f 01 f8 0f 00 2c 25 00 00 60 ab <0f> 0b 48 0f 07 cc 0f 1f 44 00 00 56 48 8b 74 24 08 48 89 7c 24 08 [ 1.402412] RSP: 0018:00007ffe253461f8 EFLAGS: 000100c6 [ 1.402413] RAX: 000055e5c94f7000 RBX: 00007f3d8d9b4e80 RCX: 00007f3d8d9b8f9b [ 1.402414] RDX: 0000000000000000 RSI: 00007ffe253461ec RDI: 0000000000000000 [ 1.402415] RBP: 00007ffe25346290 R08: 0000000000000000 R09: 0000000000000022 [ 1.402416] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3d8d993000 [ 1.402417] R13: 0000002300000007 R14: 0000000000000007 R15: 00007ffe253462a0 [ 1.402419] FS: 0000000000000000(0000) GS:ffff906d3bc00000(0000) knlGS:ffff906d3bc00000 [ 1.402420] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1.402421] CR2: 00007ffe253461e8 CR3: 00000001002a8003 CR4: 00000000007706f0 [ 1.402422] PKRU: 55555554 [ 1.402423] Kernel panic - not syncing: Fatal exception in interrupt [ 1.402551] Dumping ftrace buffer: [ 1.402552] (ftrace buffer empty) [ 1.402552] Kernel Offset: 0x29400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) ^ Note the KASLR offset ~~~~~~~~~~~~~~~~~~~~~ Disassembling the code stream in the trace ... : eb 08 48 89 c7 48 0f ba ef 3f 48 81 cf 00 08 00 00 48 81 cf 00 10 00 00 0f 22 df 58 5f 5c 0f 01 f8 0f 00 2c 25 00 00 60 ab 0f 0b 48 0f 07 cc 0f 1f 44 00 00 56 48 8b 74 24 08 48 89 7c 24 08 .. gives: jmp 0xa mov rdi, rax bts rdi, 0x3f or rdi, 0x800 or rdi, 0x1000 mov cr3, rdi pop rax pop rdi pop rsp swapgs verw word ptr [0xffffffffab600000] <----- mds_verw_sel ud2 sysretq int3 nop dword ptr [rax + rax] push rsi mov rsi, qword ptr [rsp + 8] mov qword ptr [rsp + 8], rdi $ objdump -S --disassemble=mds_verw_sel vmlinux ffffffff82200000 <mds_verw_sel>: ffffffff82200000: 18 00 sbb %al,(%rax) Adding KASLR offset to mds_verw_sel: 0xffffffff82200000 + 0x29400000 = 0xffffffffab600000 which is the address of mds_verw_sel after KASLR that we saw in the code stream disassembly. To me it looks like fixed addresses for VERW is working as intended. Please let me know if I am missing something. It will be great if someone can independently verify this. Even with fixed addressing working with KASLR it may still be a good idea to stick with RIP relative addresses as they are less likely to be broken with relocation. And sorry for the noise.
On 29. 02. 24, 10:14, Pawan Gupta wrote: > On Wed, Feb 28, 2024 at 05:39:27PM -0800, Pawan Gupta wrote: >> On Tue, Feb 27, 2024 at 10:43:53AM +0100, Jiri Slaby wrote: >>> On 27. 02. 24, 9:47, Nikolay Borisov wrote: >>>> >>>> >>>> On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: >>>>> Macro used for MDS mitigation executes VERW with relative addressing for >>>>> the operand. This is unnecessary and creates a problem for backports on >>>>> older kernels that don't support relocations in alternatives. Relocation >>>>> support was added by commit 270a69c4485d ("x86/alternative: Support >>>>> relocations in alternatives"). Also asm for fixed addressing is much >>>>> more cleaner than relative RIP addressing. >>>>> >>>>> Simplify the asm by using fixed addressing for VERW operand. >>>>> >>>>> Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") >>>>> Reported-by: Nikolay Borisov <nik.borisov@suse.com> >>>>> Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ >>>>> Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> >>>>> --- >>>>> arch/x86/include/asm/nospec-branch.h | 2 +- >>>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>>>> >>>>> diff --git a/arch/x86/include/asm/nospec-branch.h >>>>> b/arch/x86/include/asm/nospec-branch.h >>>>> index 2aa52cab1e46..ab19c7f1167b 100644 >>>>> --- a/arch/x86/include/asm/nospec-branch.h >>>>> +++ b/arch/x86/include/asm/nospec-branch.h >>>>> @@ -323,7 +323,7 @@ >>>>> * Note: Only the memory operand variant of VERW clears the CPU >>>>> buffers. >>>>> */ >>>>> .macro CLEAR_CPU_BUFFERS >>>>> - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), >>>>> X86_FEATURE_CLEAR_CPU_BUF >>>>> + ALTERNATIVE "", __stringify(verw mds_verw_sel), >>>>> X86_FEATURE_CLEAR_CPU_BUF >>>> >>>> Actually thinking about it more and discussing with Jiri (cc'ed), will >>>> this work with KASLR enabled? >>> >>> I might of course be wrong. We appear to rely on the asm+linker here. >> >> You were right, with KASLR enabled, instructions with fixed addressing >> in alternatives don't get relocated. I guess we will have to keep >> rip-relative as is. Thanks for catching that. > > Looks like this is not settled yet, it was naive of me to trust gdb on > /proc/kcore earlier with KASLR enabled. > > With the below debug patch it appears the relocation with fixed > addresses is working as expected with KASLR enabled. As I wrote already, asm+linker converts the fixed address to rip-rela anyway: https://lore.kernel.org/all/fd8f2df0-563e-4f5c-aca4-bc92a14e9426@kernel.org/ I also raised questions in there: ==== The assembler generates a relocation for the fixed address anyway. And the linker resolves it as rip-relative. At least the pair from my binutils-2.42. But if it generates a rip-relative address, is < 6.5 with no support of rip-rel in alternatives still fine? Another question: can we rely on the assembler to generate a relocation and on the linker to resolve it as rip-relative? ==== thanks,
On Thu, Feb 29, 2024 at 10:19:09AM +0100, Jiri Slaby wrote: > On 29. 02. 24, 10:14, Pawan Gupta wrote: > > On Wed, Feb 28, 2024 at 05:39:27PM -0800, Pawan Gupta wrote: > > > On Tue, Feb 27, 2024 at 10:43:53AM +0100, Jiri Slaby wrote: > > > > On 27. 02. 24, 9:47, Nikolay Borisov wrote: > > > > > > > > > > > > > > > On 27.02.24 г. 1:52 ч., Pawan Gupta wrote: > > > > > > Macro used for MDS mitigation executes VERW with relative addressing for > > > > > > the operand. This is unnecessary and creates a problem for backports on > > > > > > older kernels that don't support relocations in alternatives. Relocation > > > > > > support was added by commit 270a69c4485d ("x86/alternative: Support > > > > > > relocations in alternatives"). Also asm for fixed addressing is much > > > > > > more cleaner than relative RIP addressing. > > > > > > > > > > > > Simplify the asm by using fixed addressing for VERW operand. > > > > > > > > > > > > Fixes: baf8361e5455 ("x86/bugs: Add asm helpers for executing VERW") > > > > > > Reported-by: Nikolay Borisov <nik.borisov@suse.com> > > > > > > Closes: https://lore.kernel.org/lkml/20558f89-299b-472e-9a96-171403a83bd6@suse.com/ > > > > > > Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com> > > > > > > --- > > > > > > arch/x86/include/asm/nospec-branch.h | 2 +- > > > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > > > > > diff --git a/arch/x86/include/asm/nospec-branch.h > > > > > > b/arch/x86/include/asm/nospec-branch.h > > > > > > index 2aa52cab1e46..ab19c7f1167b 100644 > > > > > > --- a/arch/x86/include/asm/nospec-branch.h > > > > > > +++ b/arch/x86/include/asm/nospec-branch.h > > > > > > @@ -323,7 +323,7 @@ > > > > > > * Note: Only the memory operand variant of VERW clears the CPU > > > > > > buffers. > > > > > > */ > > > > > > .macro CLEAR_CPU_BUFFERS > > > > > > - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), > > > > > > X86_FEATURE_CLEAR_CPU_BUF > > > > > > + ALTERNATIVE "", __stringify(verw mds_verw_sel), > > > > > > X86_FEATURE_CLEAR_CPU_BUF > > > > > > > > > > Actually thinking about it more and discussing with Jiri (cc'ed), will > > > > > this work with KASLR enabled? > > > > > > > > I might of course be wrong. We appear to rely on the asm+linker here. > > > > > > You were right, with KASLR enabled, instructions with fixed addressing > > > in alternatives don't get relocated. I guess we will have to keep > > > rip-relative as is. Thanks for catching that. > > > > Looks like this is not settled yet, it was naive of me to trust gdb on > > /proc/kcore earlier with KASLR enabled. > > > > With the below debug patch it appears the relocation with fixed > > addresses is working as expected with KASLR enabled. > > As I wrote already, asm+linker converts the fixed address to rip-rela > anyway: > > https://lore.kernel.org/all/fd8f2df0-563e-4f5c-aca4-bc92a14e9426@kernel.org/ > > I also raised questions in there: > ==== > The assembler generates a relocation for the fixed address anyway. And > the linker resolves it as rip-relative. At least the pair from my > binutils-2.42. > > But if it generates a rip-relative address, is < 6.5 with no support of > rip-rel in alternatives still fine? In that case backports < 6.5 can do: +.macro CLEAR_CPU_BUFFERS + ALTERNATIVE "jmp .Lskip_verw_\@", "", X86_FEATURE_CLEAR_CPU_BUF + verw _ASM_RIP(mds_verw_sel) +.Lskip_verw_\@: +.endm As done in Nikolay's 5.4 backport: https://lore.kernel.org/stable/20240226122237.198921-3-nik.borisov@suse.com/ > Another question: can we rely on the assembler to generate a relocation > and on the linker to resolve it as rip-relative? This is definitely not my area of expertise, but with the above approach VERW should be inlined always, and rip-relative should be resolved as with any other instruction.
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h index 2aa52cab1e46..ab19c7f1167b 100644 --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -323,7 +323,7 @@ * Note: Only the memory operand variant of VERW clears the CPU buffers. */ .macro CLEAR_CPU_BUFFERS - ALTERNATIVE "", __stringify(verw _ASM_RIP(mds_verw_sel)), X86_FEATURE_CLEAR_CPU_BUF + ALTERNATIVE "", __stringify(verw mds_verw_sel), X86_FEATURE_CLEAR_CPU_BUF .endm #else /* __ASSEMBLY__ */