Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp116467pxk; Wed, 2 Sep 2020 16:24:09 -0700 (PDT) X-Google-Smtp-Source: ABdhPJznlGQbGSpnbJWfUKi7Sz+OIdYf+01JIHgrDxvTc/6YpDZK0V1enR3a7Bj4AW4uMLXiG/Aa X-Received: by 2002:a17:907:2713:: with SMTP id w19mr450794ejk.357.1599089048986; Wed, 02 Sep 2020 16:24:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1599089048; cv=none; d=google.com; s=arc-20160816; b=oy+b34mF5am/Km1fsr0tKI3fqDo4p5bIzLQFyUppzCXh5XpnxZjLlB+yf5di6uleQQ AAupCiIC+5WZN4CSbPWHKYQbW/unTpF1tO+R32h/kDDJiOg4AZR2qmdh8Lc4BFNW3JYb rTY9I7/HJNwpWSywUkEh9t75mMIpKT1XUZIAWccE++z4xf5LbonqJ3Qz2+mXHIS4aQ7T jpCrKX/gp4+ozTLtHXCI6jdoi+9itaGPQ+8V4Xb7kC5NhG4VJ/bioxA8pvle58+SjU4q ZRTA+nbLmADWwpvNUIXMtaJTleWrtqZs5btn27j3uBZL9QMlkA8XzzUBqfSIO+BYfXIr lSPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=H5ja8wXXPTL1aHYYfv6bducjfQ0UQ02ZI62OStXU/P8=; b=R5bYh9B6zhPzldRSTISERBEw4JWOQsUMpDPZRXmM9WwXol8kwC0rgOUGv3t1dbWlay zpSu40knSDH7qQsU452mPs2pmArh6l8a0MXJ3CeXFiby22BaHpXK/ipt9035z4u5aSjW yPK4xlao1r6rfACawHP7M39nHuGxp6TEokBW7RSujoipL6laN3oh3z+w1TMbBJseyn9+ 5xZhSsuqqk60uk13+U3vOu0jA3IGRhuUKEOE2Kc2o8i/8GZfDORo+F90Rp/5h0ppzFHh pr+hsEfqHWkMm620qkYKe0U0+HCwd6SqI+W5Lzt+R9ocNTop/kirdXESzd24zW8ya2mj QZAg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j2si449556edt.312.2020.09.02.16.23.42; Wed, 02 Sep 2020 16:24:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726594AbgIBXV7 (ORCPT + 99 others); Wed, 2 Sep 2020 19:21:59 -0400 Received: from mail-qk1-f194.google.com ([209.85.222.194]:34950 "EHLO mail-qk1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726523AbgIBXV6 (ORCPT ); Wed, 2 Sep 2020 19:21:58 -0400 Received: by mail-qk1-f194.google.com with SMTP id p25so1462797qkp.2 for ; Wed, 02 Sep 2020 16:21:55 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=H5ja8wXXPTL1aHYYfv6bducjfQ0UQ02ZI62OStXU/P8=; b=HvNj1S148+SzbQgHJEyiPn/eIKOnVcF69AhPFSLPbF+zpvfXBX8RI/NnMDyyqk7TFf KBOV+ZA39gksamNpNV4slUyVVV7U5eDnf7meZemS5un2tGrnpU6qvCCGVw1v96/JfRZs DHFjQiudOiYAo2po9gJKpX2szyqm9mbOLE1oFujgkXrjodC9DuWAqcmZLkHFdqr61D4p Cjq1Z6vhiH+v6gEcDeEc1qZSsGPzP2aCLkc5M8pO8yUl3KGtt8wJ2/duVBwni+i2kbE1 qiQh5DteN7CjeNz7ad6F7m+divO/lt4quMDwiDuANrQBxmMSaA4a+puNpM7pPrOY5p4d RSEg== X-Gm-Message-State: AOAM531arYtfLXgPYil1kIixB4zySulEqnySrGYZIfR9iEtyklc8/iKg 65noSiROrBcjRv12sd2JQVQ= X-Received: by 2002:a37:8047:: with SMTP id b68mr379008qkd.299.1599088915036; Wed, 02 Sep 2020 16:21:55 -0700 (PDT) Received: from rani.riverdale.lan ([2001:470:1f07:5f3::b55f]) by smtp.gmail.com with ESMTPSA id y10sm876573qkf.47.2020.09.02.16.21.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 02 Sep 2020 16:21:54 -0700 (PDT) From: Arvind Sankar To: Linus Torvalds Cc: Miguel Ojeda , Sedat Dilek , Segher Boessenkool , Thomas Gleixner , Nick Desaulniers , "Paul E. McKenney" , Ingo Molnar , Arnd Bergmann , Borislav Petkov , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , "H. Peter Anvin" , "Kirill A. Shutemov" , Kees Cook , Peter Zijlstra , Juergen Gross , Andy Lutomirski , Andrew Cooper , LKML , clang-built-linux , Will Deacon , nadav.amit@gmail.com, Nathan Chancellor Subject: [PATCH v3] x86/asm: Replace __force_order with memory clobber Date: Wed, 2 Sep 2020 19:21:52 -0400 Message-Id: <20200902232152.3709896-1-nivedita@alum.mit.edu> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200823212550.3377591-1-nivedita@alum.mit.edu> References: <20200823212550.3377591-1-nivedita@alum.mit.edu> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The CRn accessor functions use __force_order as a dummy operand to prevent the compiler from reordering CRn reads/writes with respect to each other. The fact that the asm is volatile should be enough to prevent this: volatile asm statements should be executed in program order. However GCC 4.9.x and 5.x have a bug that might result in reordering. This was fixed in 8.1, 7.3 and 6.5. Versions prior to these, including 5.x and 4.9.x, may reorder volatile asm statements with respect to each other. There are some issues with __force_order as implemented: - It is used only as an input operand for the write functions, and hence doesn't do anything additional to prevent reordering writes. - It allows memory accesses to be cached/reordered across write functions, but CRn writes affect the semantics of memory accesses, so this could be dangerous. - __force_order is not actually defined in the kernel proper, but the LLVM toolchain can in some cases require a definition: LLVM (as well as GCC 4.9) requires it for PIE code, which is why the compressed kernel has a definition, but also the clang integrated assembler may consider the address of __force_order to be significant, resulting in a reference that requires a definition. Fix this by: - Using a memory clobber for the write functions to additionally prevent caching/reordering memory accesses across CRn writes. - Using a dummy input operand with an arbitrary constant address for the read functions, instead of a global variable. This will prevent reads from being reordered across writes, while allowing memory loads to be cached/reordered across CRn reads, which should be safe. Tested-by: Nathan Chancellor Tested-by: Sedat Dilek Signed-off-by: Arvind Sankar Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82602 Link: https://lore.kernel.org/lkml/20200527135329.1172644-1-arnd@arndb.de/ --- Changes from v2: - Clarify commit log and source comment some more Changes from v1: - Add lore link to email thread and mention state of 5.x/4.9.x in commit log arch/x86/boot/compressed/pgtable_64.c | 9 --------- arch/x86/include/asm/special_insns.h | 28 ++++++++++++++------------- arch/x86/kernel/cpu/common.c | 4 ++-- 3 files changed, 17 insertions(+), 24 deletions(-) diff --git a/arch/x86/boot/compressed/pgtable_64.c b/arch/x86/boot/compressed/pgtable_64.c index c8862696a47b..7d0394f4ebf9 100644 --- a/arch/x86/boot/compressed/pgtable_64.c +++ b/arch/x86/boot/compressed/pgtable_64.c @@ -5,15 +5,6 @@ #include "pgtable.h" #include "../string.h" -/* - * __force_order is used by special_insns.h asm code to force instruction - * serialization. - * - * It is not referenced from the code, but GCC < 5 with -fPIE would fail - * due to an undefined symbol. Define it to make these ancient GCCs work. - */ -unsigned long __force_order; - #define BIOS_START_MIN 0x20000U /* 128K, less than this is insane */ #define BIOS_START_MAX 0x9f000U /* 640K, absolute maximum */ diff --git a/arch/x86/include/asm/special_insns.h b/arch/x86/include/asm/special_insns.h index 59a3e13204c3..d6e3bb9363d2 100644 --- a/arch/x86/include/asm/special_insns.h +++ b/arch/x86/include/asm/special_insns.h @@ -11,45 +11,47 @@ #include /* - * Volatile isn't enough to prevent the compiler from reordering the - * read/write functions for the control registers and messing everything up. - * A memory clobber would solve the problem, but would prevent reordering of - * all loads stores around it, which can hurt performance. Solution is to - * use a variable and mimic reads and writes to it to enforce serialization + * The compiler should not reorder volatile asm statements with respect to each + * other: they should execute in program order. However GCC 4.9.x and 5.x have + * a bug (which was fixed in 8.1, 7.3 and 6.5) where they might reorder + * volatile asm. The write functions are not affected since they have memory + * clobbers preventing reordering. To prevent reads from being reordered with + * respect to writes, use a dummy memory operand. */ -extern unsigned long __force_order; + +#define __FORCE_ORDER "m"(*(unsigned int *)0x1000UL) void native_write_cr0(unsigned long val); static inline unsigned long native_read_cr0(void) { unsigned long val; - asm volatile("mov %%cr0,%0\n\t" : "=r" (val), "=m" (__force_order)); + asm volatile("mov %%cr0,%0\n\t" : "=r" (val) : __FORCE_ORDER); return val; } static __always_inline unsigned long native_read_cr2(void) { unsigned long val; - asm volatile("mov %%cr2,%0\n\t" : "=r" (val), "=m" (__force_order)); + asm volatile("mov %%cr2,%0\n\t" : "=r" (val) : __FORCE_ORDER); return val; } static __always_inline void native_write_cr2(unsigned long val) { - asm volatile("mov %0,%%cr2": : "r" (val), "m" (__force_order)); + asm volatile("mov %0,%%cr2": : "r" (val) : "memory"); } static inline unsigned long __native_read_cr3(void) { unsigned long val; - asm volatile("mov %%cr3,%0\n\t" : "=r" (val), "=m" (__force_order)); + asm volatile("mov %%cr3,%0\n\t" : "=r" (val) : __FORCE_ORDER); return val; } static inline void native_write_cr3(unsigned long val) { - asm volatile("mov %0,%%cr3": : "r" (val), "m" (__force_order)); + asm volatile("mov %0,%%cr3": : "r" (val) : "memory"); } static inline unsigned long native_read_cr4(void) @@ -64,10 +66,10 @@ static inline unsigned long native_read_cr4(void) asm volatile("1: mov %%cr4, %0\n" "2:\n" _ASM_EXTABLE(1b, 2b) - : "=r" (val), "=m" (__force_order) : "0" (0)); + : "=r" (val) : "0" (0), __FORCE_ORDER); #else /* CR4 always exists on x86_64. */ - asm volatile("mov %%cr4,%0\n\t" : "=r" (val), "=m" (__force_order)); + asm volatile("mov %%cr4,%0\n\t" : "=r" (val) : __FORCE_ORDER); #endif return val; } diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c index c5d6f17d9b9d..178499f90366 100644 --- a/arch/x86/kernel/cpu/common.c +++ b/arch/x86/kernel/cpu/common.c @@ -359,7 +359,7 @@ void native_write_cr0(unsigned long val) unsigned long bits_missing = 0; set_register: - asm volatile("mov %0,%%cr0": "+r" (val), "+m" (__force_order)); + asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); if (static_branch_likely(&cr_pinning)) { if (unlikely((val & X86_CR0_WP) != X86_CR0_WP)) { @@ -378,7 +378,7 @@ void native_write_cr4(unsigned long val) unsigned long bits_changed = 0; set_register: - asm volatile("mov %0,%%cr4": "+r" (val), "+m" (cr4_pinned_bits)); + asm volatile("mov %0,%%cr4": "+r" (val) : : "memory"); if (static_branch_likely(&cr_pinning)) { if (unlikely((val & cr4_pinned_mask) != cr4_pinned_bits)) { -- 2.26.2