Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752091AbeADCc4 (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Wed, 3 Jan 2018 21:32:56 -0500
Received: from www.llwyncelyn.cymru ([82.70.14.225]:42600 "EHLO fuzix.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751991AbeADCcz (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 3 Jan 2018 21:32:55 -0500
Date: Thu, 4 Jan 2018 02:32:32 +0000
From: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
To: Brian Gerst <brgerst@gmail.com>
Cc: Andi Kleen <andi@firstfloor.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        gregkh@linux-foundation.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Tim Chen <tim.c.chen@linux.intel.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        David Woodhouse <dwmw@amazon.co.uk>,
        Andi Kleen <ak@linux.intel.com>
Subject: Re: [PATCH v2 01/12] x86/retpoline: Define retpoline indirect thunk
 and macros
Message-ID: <20180104023232.0460184b@alans-desktop>
In-Reply-To: <CAMzpN2gk1_mj7xZsj39yycctJqEdpHYOS0N6XoGjTtZHp=tmsg@mail.gmail.com>
References: <20180104020019.1173-1-andi@firstfloor.org>
        <20180104020019.1173-2-andi@firstfloor.org>
        <CAMzpN2gk1_mj7xZsj39yycctJqEdpHYOS0N6XoGjTtZHp=tmsg@mail.gmail.com>
Organization: Intel Corporation
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

> > +ENTRY(__x86.indirect_thunk)
> > +       CFI_STARTPROC
> > +       call    retpoline_call_target
> > +2:
> > +       lfence          /* stop speculation */
> > +       jmp     2b
> > +retpoline_call_target:
> > +#ifdef CONFIG_64BIT
> > +       lea     8(%rsp), %rsp
> > +#else
> > +       lea     4(%esp), %esp
> > +#endif
> > +       ret
> > +       CFI_ENDPROC
> > +ENDPROC(__x86.indirect_thunk)
> > +
> > +       EXPORT_SYMBOL(__x86.indirect_thunk)
> > --
> > 2.14.3
> >  
> 
> Can someone actually explain WTF this mess is trying to accomplish?

Think of it as an 'indirect call that doesn't speculate' instruction.
There isn't one in the processor but this specific sequence happens to
make the micro-architecture do just that as efficiently as possible.

What it's actually doing on the non-speculated path (ie the reachable
code) is to call, put the address we want to hit over the existing return
address and then return, to the address we want to indirectly go to.

It's faster than doing a far branch or flushing branch predictors and the
like.

Alan