Received: by 10.223.185.116 with SMTP id b49csp2043758wrg;
        Thu, 15 Feb 2018 05:46:56 -0800 (PST)
X-Google-Smtp-Source: AH8x2260Fbw3czeXvrQRCUOcQE+htZwqNOX3wgV5Ch4zJ5E36SQBU/WTC+f5Wnw3YBj9LxNZcQVU
X-Received: by 10.101.77.140 with SMTP id p12mr2248067pgq.195.1518702416148;
        Thu, 15 Feb 2018 05:46:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518702416; cv=none;
        d=google.com; s=arc-20160816;
        b=qc6Ha376cTEM2wZ19oRuvSZ+QQtYLqHUXvtEpZY71k5yw1yYVqqVMM2vY5RFt8TMoN
         B66BxsXToem20eJG42vGg8yPGfs8HA49lECxSw2O1raUiyF82P+i3Spbky2mrypTDQb1
         xLTvRfFp4muDyTkGdD1JeH04Wh6lGSiEbBUblnI7asiOPNmbCU0RN5iBk5SRTzkLQLKR
         JfqkDsT3xKxrLcSHsFSp0jydLoru7BboiY+cUgfB2KTE2GLZHZG65Rb2sm5cE3Hm6Uv7
         T84q8Wder51mYvanhIxOiC4x5Q2Z0CmSJ1B81q4nTYpT1R/KcGCoxI2JV8xDlv51NV9T
         gm8w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=iiaIgg+8GjID0v7PqoNqRFaKD6kfkXwn6Cd0ovMOccQ=;
        b=E9CA5jgVqJ0JY1V0HeMPEujYH2J6qm4FJ3eniOtMnHJ6NdDUGTZzhlIDnmSYsS3UBk
         gW/ThHojLjc6Zi1jRrbowtaHyN7xZM8G8Yo/94XfYpqDkGJW+7kSTyTEl3ABmLSrkTRt
         iZdgLy5j3saRyPp3McCsks9+Vg07K+wqjV1yTjSkjYGdgmknyNbvGKe7vLgr/4QZI1jx
         I2wZvMyLufEAg0L2IqlGukksd41M4lbHHaVNTH0JcswqTsJpsaQbousaHs4RKG6Afrlc
         GQV82geXIVVsErypztB5hvvfT2poX3Oef1JP/1CYbhjzLHGTMPcIEau7sCuO28JwQfBO
         aVEQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=T1VppBpA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w34-v6si2706414pla.686.2018.02.15.05.46.41;
        Thu, 15 Feb 2018 05:46:56 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=T1VppBpA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1032845AbeBONp6 (ORCPT <rfc822;kkdevenda@gmail.com> + 99 others);
        Thu, 15 Feb 2018 08:45:58 -0500
Received: from mail-it0-f66.google.com ([209.85.214.66]:35712 "EHLO
        mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1031445AbeBONp5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 08:45:57 -0500
Received: by mail-it0-f66.google.com with SMTP id e1so604393ita.0
        for <linux-kernel@vger.kernel.org>; Thu, 15 Feb 2018 05:45:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=iiaIgg+8GjID0v7PqoNqRFaKD6kfkXwn6Cd0ovMOccQ=;
        b=T1VppBpAmhN5/s74SJN9u36ZgDuy/WI0TQGOW4jyrHRqWw/BKcokTdgbPapzSNzIuS
         9NtDWkBrvYMFamOEIst9LdSJxnVcuoWoK4W38pAWEzP2z9yo1h7a4LnbcrwMAxRoD+f0
         4qbsBlNCjI990geY8RBH7LQiK4K3TjYpTq59JGOhda17ou933lEIcco6RqLHoxlmFHWc
         +8sWl6u/P522PO1IW6o0C7lj/v98bYCVrSr9Jw9PI4rzuZwpdatJFqF4/YbnmYMuVQGk
         nn7ylV4r9tUG1AG8MM+pSvvON+HRdH0NktD9XDHHREZtMvIcvedrMRFJ4r8VQPpxkLbC
         ezyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=iiaIgg+8GjID0v7PqoNqRFaKD6kfkXwn6Cd0ovMOccQ=;
        b=Sc0I7GbxnNumxOo5l9E+Efd79YrkgRIH4iGJ9ICbeKKHCnvtPeMD7KRulWJl/NDvHm
         ew3DGSQ2theJcAGykUrUQbAyKl0w61I8G4T1o1yJ5PinGGBnwUE2pWO+F0zgLtKCqEmK
         CCyh0pSr4Qsq4yxRtDUzOZ4LrColZIYXrrbLaOoHTPTjnfEatAh4Q7uylkPN4x8s79en
         TVEE0y7GZK42hcUibRW5PO+oogZsjYxo3g2l3pavPiM9LwzAzbNrhZ5K9GIlvg6qz969
         xWhvMcY83SR672ZoyZVonzFCdhWtKKol97gkZKPo0Kb5fvlao3Dp2pK1nyCPH+tYkLSV
         UAMQ==
X-Gm-Message-State: APf1xPAHJfw+jrVSMCHif/uZz2QRKfOnmrMyxy0Tjsvrvf32h2VPBaSD
        BjVdLrvRtr7DMlB1GG1o20fRHu7VJvva1/TriQ==
X-Received: by 10.36.60.203 with SMTP id m194mr3280874ita.96.1518702356612;
 Thu, 15 Feb 2018 05:45:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.2.118.212 with HTTP; Thu, 15 Feb 2018 05:45:56 -0800 (PST)
In-Reply-To: <CALCETrXB+520uESCFVX2rH7NKkmr20+8YmmBONWUBmB1Cq97mQ@mail.gmail.com>
References: <20180214182113.27247-1-linux@dominikbrodowski.net>
 <20180214182113.27247-3-linux@dominikbrodowski.net> <CALCETrXvD7ZwtXnABT3XW7as4ogdSiyBsRUTY3t_LWtm7KiZeA@mail.gmail.com>
 <CAMzpN2iA6N7hq8zYBAiMq48emWnidDHvnOPg3h5pYGtBOZOm6Q@mail.gmail.com> <CALCETrXB+520uESCFVX2rH7NKkmr20+8YmmBONWUBmB1Cq97mQ@mail.gmail.com>
From:   Brian Gerst <brgerst@gmail.com>
Date:   Thu, 15 Feb 2018 08:45:56 -0500
Message-ID: <CAMzpN2j6E5o-eJtSTZtngn_m8_dAQ7=Wqg_SnHnUao1JhA11AQ@mail.gmail.com>
Subject: Re: [RFC PATCH 2/4] x86/entry/64: move ENTER_IRQ_STACK from interrupt
 macro to helper function
To:     Andy Lutomirski <luto@kernel.org>
Cc:     Dominik Brodowski <linux@dominikbrodowski.net>,
        LKML <linux-kernel@vger.kernel.org>,
        Ingo Molnar <mingo@kernel.org>, X86 ML <x86@kernel.org>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Andi Kleen <ak@linux.intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Dan Williams <dan.j.williams@intel.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Feb 14, 2018 at 10:11 PM, Andy Lutomirski <luto@kernel.org> wrote:
> On Thu, Feb 15, 2018 at 12:48 AM, Brian Gerst <brgerst@gmail.com> wrote:
>> On Wed, Feb 14, 2018 at 7:17 PM, Andy Lutomirski <luto@kernel.org> wrote:
>>> On Wed, Feb 14, 2018 at 6:21 PM, Dominik Brodowski
>>> <linux@dominikbrodowski.net> wrote:
>>>> Moving the switch to IRQ stack from the interrupt macro to the helper
>>>> function requires some trickery: All ENTER_IRQ_STACK really cares about
>>>> is where the "original" stack -- meaning the GP registers etc. -- is
>>>> stored. Therefore, we need to offset the stored RSP value by 8 whenever
>>>> ENTER_IRQ_STACK is called from within a function. In such cases, and
>>>> after switching to the IRQ stack, we need to push the "original" return
>>>> address (i.e. the return address from the call to the interrupt entry
>>>> function) to the IRQ stack.
>>>>
>>>> This trickery allows us to carve another 1k from the text size:
>>>>
>>>>    text    data     bss     dec     hex filename
>>>>   17905       0       0   17905    45f1 entry_64.o-orig
>>>>   16897       0       0   16897    4201 entry_64.o
>>>>
>>>> Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
>>>> ---
>>>>  arch/x86/entry/entry_64.S | 53 +++++++++++++++++++++++++++++++----------------
>>>>  1 file changed, 35 insertions(+), 18 deletions(-)
>>>>
>>>> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
>>>> index de8a0da0d347..3046b12a1acb 100644
>>>> --- a/arch/x86/entry/entry_64.S
>>>> +++ b/arch/x86/entry/entry_64.S
>>>> @@ -449,10 +449,18 @@ END(irq_entries_start)
>>>>   *
>>>>   * The invariant is that, if irq_count != -1, then the IRQ stack is in use.
>>>>   */
>>>> -.macro ENTER_IRQ_STACK regs=1 old_rsp
>>>> +.macro ENTER_IRQ_STACK regs=1 old_rsp save_ret=0
>>>>         DEBUG_ENTRY_ASSERT_IRQS_OFF
>>>>         movq    %rsp, \old_rsp
>>>>
>>>> +       .if \save_ret
>>>> +       /*
>>>> +        * If save_ret is set, the original stack contains one additional
>>>> +        * entry -- the return address.
>>>> +        */
>>>> +       addq    $8, \old_rsp
>>>> +       .endif
>>>> +
>>>
>>> This is a bit alarming in that you now have live data below RSP.  For
>>> x86_32, this would be a big no-no due to NMI.  For x86_64, it might
>>> still be bad if there are code paths where NMI is switched to non-IST
>>> temporarily, which was the case at some point and might still be the
>>> case.  (I think it is.)  Remember that the x86_64 *kernel* ABI has no
>>> red zone.
>>>
>>> It also means that, if you manage to hit vmalloc_fault() in here when
>>> you touch the IRQ stack, you're dead.  IOW you hit:
>>>
>>>         movq    \old_rsp, PER_CPU_VAR(irq_stack_union + IRQ_STACK_SIZE - 8)
>>>
>>> which gets #PF and eats your return pointer.  Debugging this will be
>>> quite nasty because you'll only hit it on really huge systems after a
>>> thread gets migrated, and even then only if you get unlucky on your
>>> stack alignment.
>>>
>>> So can you find another way to do this?
>>
>> It's adding 8 to the temp register, not %rsp.
>
> Duh.

Even if you get a #PF when writing to the IRQ stack (which should
never happen in the first place since per-cpu memory is mapped at boot
time), RSP would still be below the return address and the fault won't
overwrite it.

That said, the word it writes to the top of the IRQ stack is
vulnerable for a short window between when it switches RSP to the IRQ
stack and when it pushes old_rsp.  That would only affect the unwinder
during a NMI in that window though since it pushes old_rsp again.  So
I'd say commit 29955909 doesn't work exactly as advertised.  But that
has nothing to do with this patch.

--
Brian Gerst