Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755207AbdGSVum (ORCPT <rfc822;w@1wt.eu>);
        Wed, 19 Jul 2017 17:50:42 -0400
Received: from mail-pg0-f51.google.com ([74.125.83.51]:38248 "EHLO
        mail-pg0-f51.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755129AbdGSVuk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Jul 2017 17:50:40 -0400
Date: Wed, 19 Jul 2017 14:50:38 -0700
From: Matthias Kaehlcke <mka@chromium.org>
To: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Andrey Rybainin <ryabinin.a.a@gmail.com>,
        Chris J Arges <chris.j.arges@canonical.com>,
        Borislav Petkov <bp@suse.de>, Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>, "H . Peter Anvin" <hpa@zytor.com>,
        x86@kernel.org, linux-kernel@vger.kernel.org,
        Douglas Anderson <dianders@chromium.org>,
        Michael Davidson <md@google.com>, Greg Hackmann <ghackmann@google.com>,
        Nick Desaulniers <ndesaulniers@google.com>,
        Stephen Hines <srhines@google.com>, Kees Cook <keescook@chromium.org>,
        Arnd Bergmann <arnd@arndb.de>, Bernhard.Rosenkranzer@linaro.org
Subject: Re: [PATCH] Revert "x86/uaccess: Add stack frame output operand in
 get_user() inline asm"
Message-ID: <20170719215038.GO95735@google.com>
References: <20170712223630.gb237t4vhrqeu5zd@treble>
 <20170712232213.GE95735@google.com>
 <20170713180001.mvwzdmudht56hdk5@treble>
 <20170713184748.GF95735@google.com>
 <75850bb7-a60e-057d-d88b-afa0c79e94a0@gmail.com>
 <20170713203416.isvijqbwbcgupgj7@treble>
 <20170713211245.GG95735@google.com>
 <20170713213406.gx4ixkx6kxa4ppps@treble>
 <20170713215704.GJ95735@google.com>
 <20170719174630.kz5g553evcrnirmr@treble>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20170719174630.kz5g553evcrnirmr@treble>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3467
Lines: 76

El Wed, Jul 19, 2017 at 12:46:31PM -0500 Josh Poimboeuf ha dit:

> On Thu, Jul 13, 2017 at 02:57:04PM -0700, Matthias Kaehlcke wrote:
> > El Thu, Jul 13, 2017 at 04:34:06PM -0500 Josh Poimboeuf ha dit:
> > 
> > > On Thu, Jul 13, 2017 at 02:12:45PM -0700, Matthias Kaehlcke wrote:
> > > > El Thu, Jul 13, 2017 at 03:34:16PM -0500 Josh Poimboeuf ha dit:
> > > > > And yet another one to try (clobbering sp) :-)
> > > > > 
> > > > > diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> > > > > index 11433f9..21f0c39 100644
> > > > > --- a/arch/x86/include/asm/uaccess.h
> > > > > +++ b/arch/x86/include/asm/uaccess.h
> > > > > @@ -166,12 +166,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
> > > > >  ({									\
> > > > >  	int __ret_gu;							\
> > > > >  	register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);		\
> > > > > -	register void *__sp asm(_ASM_SP);				\
> > > > >  	__chk_user_ptr(ptr);						\
> > > > >  	might_fault();							\
> > > > > -	asm volatile("call __get_user_%P4"				\
> > > > > -		     : "=a" (__ret_gu), "=r" (__val_gu), "+r" (__sp)	\
> > > > > -		     : "0" (ptr), "i" (sizeof(*(ptr))));		\
> > > > > +	asm volatile("call __get_user_%P3"				\
> > > > > +		     : "=a" (__ret_gu), "=r" (__val_gu)			\
> > > > > +		     : "0" (ptr), "i" (sizeof(*(ptr)))			\
> > > > > +		     : "sp");						\
> > > > >  	(x) = (__force __typeof__(*(ptr))) __val_gu;			\
> > > > >  	__builtin_expect(__ret_gu, 0);					\
> > > > >  })
> > > > 
> > > > This compiles with both gcc and clang, clang does not corrupt the
> > > > stack pointer. I wouldn't be able to tell though if it forces a stack
> > > > frame if it doesn't already exist, as the original patch intends.
> > > 
> > > Whether it forces the stack frame on clang is a very minor issue
> > > compared to the double fault.
> > 
> > I totally agree, I was mainly concerned about not breaking the
> > solution that currently works with gcc.
> > 
> > > That really only matters when you want to use
> > > CONFIG_STACK_VALIDATION to get 100% reliable stacktraces with frame
> > > pointers.  And that feature is currently very GCC-specific.  So you
> > > probably don't need to worry about that for now, at least until you want
> > > to do live patching with a clang-compiled kernel.
> > 
> > Eventually I expect that there will be interest in live patching
> > clang-compiled kernels, however at this stage it probably isn't an
> > overly important feature.
> > 
> > > IIRC, clobbering SP does at least force the stack frame on GCC, though I
> > > need to double check that.  I can try to work up an official patch in
> > > the next week or so (need to do some testing first).
> > 
> > Sounds great.
> > 
> > Thanks again for looking into this and coming up with a solution!
> 
> After doing some testing, I don't think this approach is going to work
> after all.  In addition to forcing the stack frame, it also causes GCC
> to add an unnecessary extra instruction to the epilogue of each affected
> function:
> 
>   lea    -0x10(%rbp),%rsp
> 
> We shouldn't be inserting extra instructions like that.  I also don't
> think the other suggestion of turning the '__sp' register variable into
> a global variable is a very good solution either, as that just wastes
> memory for no reason.
> 
> It would be nice if both compilers could agree on a way to support this.

Thanks for the update, Josh.

I will ask compiler folks to bring this up with LLVM.