Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp1277493ybt; Thu, 2 Jul 2020 01:07:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwxyrUbqatQAJZ6FWtJB0MY2luuwJceEo22Ykn251F5oDNrdIb3Rf1ZOJiqpTX7LyFFgZKo X-Received: by 2002:a17:906:70d5:: with SMTP id g21mr9552526ejk.340.1593677275979; Thu, 02 Jul 2020 01:07:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593677275; cv=none; d=google.com; s=arc-20160816; b=M4Wknp1WL35EEo0xf+MtVpF3bbNk2u8M6Rwt8ZVzSqenIigeewGaCUNCjZ2Tvg/Hxk j4IfdTT/mHVDSKsylKm3KsLDai18/qJDUL66GuUNdnRNo6aeH/lzS5aVFK8wFNE/xRL1 l7xCvy2btry8ld2oakUh+EdcK+G2vPkpTmdPxmpCbl8yO6ZTWpzv2OKuIy+BYwSGU38n OrJxffotOi7CcONHIi59JHXQ/6pZYU+dxz/xs/7n4J2rUyGkTNknXwkhpYXpH3UXq3AI b3hn4/YmjazgbXxOoXUA8QmvSG4mCp4lr/pkyp1+8wmaNPMzMqrLhGEGatBTyYk3Dfqo THQA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=1Shbc8XBEGOupz0+BIqRfrqP5vs699lFBc+50af7Ag8=; b=tmf6xsuZfyOn/bisfhX68pJinFbQu57NODWO9aa1Ef02EPdDUY8SbzsCPPRMydUMP0 o0l6BBP5qSESHVWbfaXKcnGKO3PfmsOPPFS9ppwhODRyfq/vKOI73IakiB4QZ5v9z11L uhHLwWgxD5lvNK9huQfUwDCEjjkhwnlWAxuHWF104zH2OA77ZL7tpFm2kraoldEm2YvJ unNac8CgmICcRp36wR0s0Xf45dMZqDnBeOHaHnCV27yYbY4Z93xXsz47BNbxkkXdtJDD p5EOQD+49Fbkc2hkuIrs9bQe/IUUUZnxNXO1HUXBKN4TjsJVi0yVDDDSgC1I26+avbdK xZtA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=sj1ZI8qv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g20si5197899edq.447.2020.07.02.01.07.32; Thu, 02 Jul 2020 01:07:55 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=casper.20170209 header.b=sj1ZI8qv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726292AbgGBIFS (ORCPT + 99 others); Thu, 2 Jul 2020 04:05:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44210 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725954AbgGBIFR (ORCPT ); Thu, 2 Jul 2020 04:05:17 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A527FC08C5C1 for ; Thu, 2 Jul 2020 01:05:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=1Shbc8XBEGOupz0+BIqRfrqP5vs699lFBc+50af7Ag8=; b=sj1ZI8qvkQGYW1AfsMtwcP8rPq HcmQ5l7jhJEw/pMnBEqVmf8VrcNH7YVmQywmr19wk9gXy5ONFRkGfOsHIsBBpI+fddXVcJBraSJhv q/sVFchhHcgHNdTmuZSbGTbAhhokf888HFa0zxiAQHdLg0W3MXPC6L9tHYXeLsyFWuL7zkSwTctla ItiG6iNtAcnVjMl1WTWzw5GjMYswjw+AtDWVr8qrTI/EmX39L0QIZelk7P0ZWhBqoNXZzhlwHP39i sgksfeOHfsWAuKEldkps95B7Y1ON0ewYxaTUfjPHuWe9aWTT0KY8hARZ3zNFKoWLUQ1ApVZPF2+1a Si7OiR8Q==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux)) id 1jquDZ-0007Od-34; Thu, 02 Jul 2020 08:05:13 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 0164330015A; Thu, 2 Jul 2020 10:05:11 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id E6679264F8CB1; Thu, 2 Jul 2020 10:05:10 +0200 (CEST) Date: Thu, 2 Jul 2020 10:05:10 +0200 From: Peter Zijlstra To: Josh Poimboeuf Cc: Linus Torvalds , Andy Lutomirski , Andy Lutomirski , the arch/x86 maintainers , Linux Kernel Mailing List Subject: Re: objtool clac/stac handling change.. Message-ID: <20200702080510.GY4781@hirez.programming.kicks-ass.net> References: <5F1767D0-416A-4BA4-9DFF-E82D1EA3F5EE@amacapital.net> <20200701205108.wtgfnijav7lgfiqe@treble> <20200702000041.movaiqpyzdmhlu67@treble> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200702000041.movaiqpyzdmhlu67@treble> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 01, 2020 at 07:00:41PM -0500, Josh Poimboeuf wrote: > On Wed, Jul 01, 2020 at 02:02:42PM -0700, Linus Torvalds wrote: > > So the objtool rule might be: > > > > - in a STAC region, no exception handlers at all except for that > > ex_handler_uaccess case > > > > - and that case will clear AC if it triggers. > > > > and maybe such an objtool check would show some case where I'm wrong, > > and we do some MSR read other other fault thing within a STAC region. > > That _sounds_ wrong to me, but maybe we have reason to do so that I > > just can't think or right now? > > Here's an attempt at implementing this, in case anybody wants to play > with it. Usual disclaimers apply... Looks about right, two niggles below. > @@ -2335,6 +2340,35 @@ static void fill_alternative_cfi(struct objtool_file *file, struct instruction * > } > } > > +static int handle_stac(struct symbol *func, struct instruction *insn, > + struct insn_state *state) > +{ > + if (state->uaccess) { > + WARN_FUNC("recursive UACCESS enable", insn->sec, insn->offset); > + return -1; > + } > + > + state->uaccess = true; > + return 0; > +} > + > +static int handle_clac(struct symbol *func, struct instruction *insn, > + struct insn_state *state) > +{ > + if (!state->uaccess && func) { > + WARN_FUNC("redundant UACCESS disable", insn->sec, insn->offset); > + return -1; > + } > + > + if (func_uaccess_safe(func) && !state->uaccess_stack) { > + WARN_FUNC("UACCESS-safe disables UACCESS", insn->sec, insn->offset); > + return -1; > + } > + > + state->uaccess = false; > + return 0; > +} For both these we return -1 on error and then all callers convert it to 1. So why not have this return 1 and pass any !0 value through? > /* > * Follow the branch starting at the given instruction, and recursively follow > * any other branches (jumps). Meanwhile, track the frame pointer state at > @@ -2393,6 +2427,17 @@ static int validate_branch(struct objtool_file *file, struct symbol *func, > if (alt->skip_orig) > skip_orig = true; > > + if (alt->exception) { > + if (!alt->uaccess && state.uaccess) { > + WARN_FUNC("non-user-access exception with uaccess enabled", > + sec, insn->offset); > + return 1; > + } This is Linus' new rule that AC code should not get any exceptions except ex_handler_uaccess. > + > + if (alt->uaccess && handle_clac(func, insn, &state)) > + return 1; And this is ex_handler_uaccess() mucking with regs->flags, right? Might want a comment. > + } > + > ret = validate_branch(file, func, alt->insn, state); > if (ret) { > if (backtrace)