From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sean Christopherson, Thomas Gleixner, "Peter Zijlstra (Intel)"
Subject: [PATCH 5.2 125/162] x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
Date: Tue, 27 Aug 2019 09:50:53 +0200
Message-Id: <20190827072742.842069378@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190827072738.093683223@linuxfoundation.org>
References: <20190827072738.093683223@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sean Christopherson

commit b63f20a778c88b6a04458ed6ffc69da953d3a109 upstream.

Use 'lea' instead of 'add' when adjusting %rsp in CALL_NOSPEC so as to
avoid clobbering flags.

KVM's emulator makes indirect calls into a jump table of sorts, where
the destination of the CALL_NOSPEC is a small blob of code that performs
fast emulation by executing the target instruction with fixed operands.

  adcb_al_dl:
     0x000339f8 <+0>:   adc    %dl,%al
     0x000339fa <+2>:   ret

A major motivation for doing fast emulation is to leverage the CPU to
handle consumption and manipulation of arithmetic flags, i.e. RFLAGS is
both an input and output to the target of CALL_NOSPEC.  Clobbering flags
results in all sorts of incorrect emulation, e.g. Jcc instructions often
take the wrong path.  Sans the nops...

  asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n"
     0x0003595a <+58>:  mov    0xc0(%ebx),%eax
     0x00035960 <+64>:  mov    0x60(%ebx),%edx
     0x00035963 <+67>:  mov    0x90(%ebx),%ecx
     0x00035969 <+73>:  push   %edi
     0x0003596a <+74>:  popf
     0x0003596b <+75>:  call   *%esi
     0x000359a0 <+128>: pushf
     0x000359a1 <+129>: pop    %edi
     0x000359a2 <+130>: mov    %eax,0xc0(%ebx)
     0x000359b1 <+145>: mov    %edx,0x60(%ebx)

  ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK);
     0x000359a8 <+136>: mov    -0x10(%ebp),%eax
     0x000359ab <+139>: and    $0x8d5,%edi
     0x000359b4 <+148>: and    $0xfffff72a,%eax
     0x000359b9 <+153>: or     %eax,%edi
     0x000359bd <+157>: mov    %edi,0x4(%ebx)

For the most part this has gone unnoticed as emulation of guest code
that can trigger fast emulation is effectively limited to MMIO when
running on modern hardware, and MMIO is rarely, if ever, accessed by
instructions that affect or consume flags.

Breakage is almost instantaneous when running with unrestricted guest
disabled, in which case KVM must emulate all instructions when the guest
has invalid state, e.g. when the guest is in Big Real Mode during early
BIOS.

Fixes: 776b043848fd2 ("x86/retpoline: Add initial retpoline support") Fixes: 1a29b5b7f347a ("KVM: x86: Make indirect calls in emulator speculation safe") Signed-off-by: Sean Christopherson Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20190822211122.27579-1-sean.j.christopherson@intel.com Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/nospec-branch.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h @@ -192,7 +192,7 @@ " lfence;\n" \ " jmp 902b;\n" \ " .align 16\n" \ - "903: addl $4, %%esp;\n" \ + "903: lea 4(%%esp), %%esp;\n" \ " pushl %[thunk_target];\n" \ " ret;\n" \ " .align 16\n" \
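Review bot: the `903:` line is the whole fix and deserves a one-line comment in the asm string, e.g. `/* lea, not addl: CALL_NOSPEC callers rely on EFLAGS surviving */`, because `addl $4, %%esp` is the idiomatic way to drop the return address pushed by the preceding call and a later cleanup could reintroduce it without the history to hand; `lea 4(%%esp), %%esp` performs the same stack adjustment but does not write EFLAGS, which is why the flags loaded by `popf` ahead of CALL_NOSPEC now reach the target intact. Also, the commit message says "adjusting %rsp", while the hunk changes only the i386 `%esp` path in nospec-branch.h; the wording should name the register the code actually touches.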
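The following is an added example, not code from the kernel patch, from KVM or from the patch authors: a userspace model in C with GNU inline assembly, for x86-64 and i386, of the retpoline thunk in the hunk and of the emulator's push/popf/CALL_NOSPEC/pushf/pop sequence quoted in the commit message. `thunk_add` and `thunk_lea` are the thunk with the old `add` and the new `lea` stack adjustment, `target_adc` is the `adc %dl,%al; ret` blob from the message, and `target_ret`, `run_fast_emul`, the 64-bit variant and the choice of `%rcx`/`%ecx` for the target pointer are assumptions made here, not the kernel's conventions. The red-zone skip is a detail of running this in userspace that the kernel thunk does not need.

```c
/*
 * Added example (not kernel code): userspace model of the i386 retpoline
 * CALL_NOSPEC and of the emulator's "push flags; popf; CALL_NOSPEC; pushf;
 * pop flags" sequence.  thunk_add / thunk_lea / target_adc / target_ret /
 * run_fast_emul and the target register (%rcx / %ecx) are choices made here.
 */
#include <stdio.h>

/* Arithmetic flags the emulator copies back (the 0x8d5 mask in the listing). */
#define CF 0x001ul
#define PF 0x004ul
#define AF 0x010ul
#define ZF 0x040ul
#define SF 0x080ul
#define OF 0x800ul
#define ARITH_MASK (CF | PF | AF | ZF | SF | OF)   /* == 0x8d5 */

struct emu_result { unsigned al; unsigned long flags; };

#if defined(__x86_64__) || defined(__i386__)
# if defined(__x86_64__)
#  define SP "%rsp"
#  define CX "%rcx"
#  define SLOT "8"
# else
#  define SP "%esp"
#  define CX "%ecx"
#  define SLOT "4"
# endif

/* Retpoline-style thunk: "call 2f" pushes a return address, DISCARD drops it,
 * the target (in %rcx/%ecx) is pushed and "ret" transfers to it.  The two
 * thunks below differ only in DISCARD, exactly like the hunk. */
#define RETPOLINE_THUNK(name, discard)      \
    ".globl " name "\n" name ":\n"          \
    "    call 2f\n"                         \
    "1:  pause\n    lfence\n    jmp 1b\n"   \
    "2:  " discard "\n"                     \
    "    push " CX "\n"                     \
    "    ret\n"

__asm__(".text\n"
        RETPOLINE_THUNK("thunk_add", "add $" SLOT ", " SP)        /* rewrites EFLAGS */
        RETPOLINE_THUNK("thunk_lea", "lea " SLOT "(" SP "), " SP) /* leaves EFLAGS alone */
        ".globl target_adc\ntarget_adc:\n    adc %dl, %al\n    ret\n"
        ".globl target_ret\ntarget_ret:\n    ret\n");

extern void thunk_add(void) __asm__("thunk_add");
extern void thunk_lea(void) __asm__("thunk_lea");
extern void target_adc(void) __asm__("target_adc");
extern void target_ret(void) __asm__("target_ret");

/* The emulator's sequence: make the guest's flags live, call the target through
 * the thunk, then capture whatever flags the target (or the thunk) left behind. */
static struct emu_result run_fast_emul(void (*thunk)(void), void (*target)(void),
                                       unsigned al, unsigned dl, unsigned long flags_in)
{
    unsigned long a = al, d = dl, fl = flags_in;
    struct emu_result r;

    __asm__ volatile(
        "lea -128(%" SP "), %" SP "\n\t"  /* step below the x86-64 red zone; lea keeps EFLAGS */
        "push %[fl]\n\t"
        "popf\n\t"                         /* guest flags become the live EFLAGS */
        "call *%[thunk]\n\t"               /* CALL_NOSPEC stand-in: thunk -> target -> here */
        "pushf\n\t"
        "pop %[fl]\n\t"                    /* flags produced by the target */
        "lea 128(%" SP "), %" SP "\n\t"
        : [fl] "+r"(fl), "+a"(a)
        : [thunk] "r"(thunk), "c"(target), "d"(d)
        : "cc", "memory");

    r.al = (unsigned)(a & 0xff);
    r.flags = fl;
    return r;
}
#else
/* Non-x86 build: stubs so the file compiles; nothing is demonstrated here. */
static void thunk_add(void) {}
static void thunk_lea(void) {}
static void target_adc(void) {}
static void target_ret(void) {}
static struct emu_result run_fast_emul(void (*thunk)(void), void (*target)(void),
                                       unsigned al, unsigned dl, unsigned long flags_in)
{
    struct emu_result r = { al, flags_in };
    (void)thunk; (void)target; (void)dl;
    return r;
}
#endif

int main(void)
{
    /* 0xff + 0x00 + CF: a correct ADC yields al=00 with CF|PF|AF|ZF (0x55). */
    struct emu_result good = run_fast_emul(thunk_lea, target_adc, 0xff, 0x00, CF);
    /* Through the add thunk the carry-in is destroyed: al=ff with SF|PF (0x84). */
    struct emu_result bad  = run_fast_emul(thunk_add, target_adc, 0xff, 0x00, CF);

    printf("lea thunk: al=%02x flags=%03lx\n", good.al, good.flags & ARITH_MASK);
    printf("add thunk: al=%02x flags=%03lx\n", bad.al,  bad.flags  & ARITH_MASK);
    (void)target_ret;
    return 0;
}
```

On an x86 machine the two `printf` lines show the same `adc` executed with the same inputs producing different results purely because of which instruction the thunk used to drop its own return address; with `target_ret` in place of `target_adc` the `lea` thunk returns every bit of `ARITH_MASK` unchanged while the `add` thunk comes back with CF and ZF cleared. Only CF, ZF and OF of the clobbered value are predictable, since PF and AF after the `add` depend on the stack pointer's low bits.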