[PATCH V3 8/9] x86/speculation: Add return address unwind hints to retpoline and RSB stuffing

From: Alexandre Chartre
Date: Tue Apr 14 2020 - 06:55:51 EST

Next message: Alexandre Chartre: "[PATCH V3 4/9] objtool: Handle return instruction with intra-function call"
Previous message: Peter Zijlstra: "Re: [PATCH 2/2] sched: remove distribute_running from CFS bandwidth"
In reply to: Alexandre Chartre: "[PATCH V3 2/9] objtool: Allow branches within the same alternative."
Next in thread: Alexandre Chartre: "[PATCH V3 4/9] objtool: Handle return instruction with intra-function call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The retpoline and RSB stuffing code modify the stack to change return
addresses of intra-function calls. Add return address unwind hints so
that objtool can be aware of these tweaks. This requires a little
refactoring of the __FILL_RETURN_BUFFER macro for adding hints to
assembly and C code.

Signed-off-by: Alexandre Chartre <alexandre.chartre@xxxxxxxxxx>
---
arch/x86/include/asm/nospec-branch.h | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index b0db793fd083..20594ea99c21 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -9,6 +9,7 @@
#include <asm/alternative-asm.h>
#include <asm/cpufeatures.h>
#include <asm/msr-index.h>
+#include <asm/unwind_hints.h>

/*
* This should be used immediately before a retpoline alternative. It tells
@@ -43,7 +44,7 @@
* the optimal version â two calls, each with their own speculation
* trap should their return address end up getting used, in a loop.
*/
-#define __FILL_RETURN_BUFFER(reg, nr, sp) \
+#define __FILL_RETURN_BUFFER_BEGIN(reg, nr, sp) \
mov $(nr/2), reg; \
771: \
call 772f; \
@@ -58,12 +59,19 @@
lfence; \
jmp 775b; \
774: \
- dec reg; \
+ dec reg;
+
+#define __FILL_RETURN_BUFFER_END(sp) \
add $(BITS_PER_LONG/8) * 2, sp; \
jnz 771b;

#ifdef __ASSEMBLY__

+#define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ __FILL_RETURN_BUFFER_BEGIN(reg, nr, sp) \
+ UNWIND_HINT_RADDR_DELETE 2; \
+ __FILL_RETURN_BUFFER_END(sp)
+
/*
* This should be used immediately before an indirect jump/call. It tells
* objtool the subsequent indirect jump/call is vouched safe for retpoline
@@ -88,6 +96,7 @@
lfence
jmp .Lspec_trap_\@
.Ldo_rop_\@:
+ UNWIND_HINT_RADDR_ALTER
mov \reg, (%_ASM_SP)
ret
.endm
@@ -237,6 +246,11 @@ enum ssb_mitigation {
extern char __indirect_thunk_start[];
extern char __indirect_thunk_end[];

+#define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ __stringify(__FILL_RETURN_BUFFER_BEGIN(reg, nr, sp)) \
+ UNWIND_HINT_RADDR_DELETE(2) \
+ __stringify(__FILL_RETURN_BUFFER_END(sp))
+
/*
* On VMEXIT we must ensure that no RSB predictions learned in the guest
* can be followed in the host, by overwriting the RSB completely. Both
@@ -250,7 +264,7 @@ static inline void vmexit_fill_RSB(void)

asm volatile (ANNOTATE_NOSPEC_ALTERNATIVE
ALTERNATIVE("jmp 910f",
- __stringify(__FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1)),
+ __FILL_RETURN_BUFFER(%0, RSB_CLEAR_LOOPS, %1),
X86_FEATURE_RETPOLINE)
"910:"
: "=r" (loops), ASM_CALL_CONSTRAINT
--
2.18.2

Next message: Alexandre Chartre: "[PATCH V3 4/9] objtool: Handle return instruction with intra-function call"
Previous message: Peter Zijlstra: "Re: [PATCH 2/2] sched: remove distribute_running from CFS bandwidth"
In reply to: Alexandre Chartre: "[PATCH V3 2/9] objtool: Allow branches within the same alternative."
Next in thread: Alexandre Chartre: "[PATCH V3 4/9] objtool: Handle return instruction with intra-function call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]