Date: Tue, 15 Mar 2022 10:00:43 +0100
From: Peter Zijlstra
To: Kumar Kartikeya Dwivedi
Cc: Alexei Starovoitov, X86 ML, joao@overdrivepizza.com, hjl.tools@gmail.com, Josh Poimboeuf, Andrew Cooper, LKML, Nick Desaulniers, Kees Cook, Sami Tolvanen, Mark Rutland, alyssa.milburn@intel.com, Miroslav Benes, Steven Rostedt, Masami Hiramatsu, Daniel Borkmann, Andrii Nakryiko, bpf
Subject: Re: [PATCH v4 00/45] x86: Kernel IBT
Message-ID: <20220315090043.GB8939@worktop.programming.kicks-ass.net>
References: <20220309190917.w3tq72alughslanq@ast-mbp.dhcp.thefacebook.com> <20220312154407.GF28057@worktop.programming.kicks-ass.net> <20220314204402.rpd5hqzzev4ugtdt@apollo>
In-Reply-To: <20220314204402.rpd5hqzzev4ugtdt@apollo>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 15, 2022 at 02:14:02AM +0530, Kumar Kartikeya Dwivedi wrote:
> [ Note: I have no experience with trampoline code or IBT so what follows might
> be incorrect. ]
>
> In case of fexit and fmod_ret, we call the original function (but skip
> X86_PATCH_SIZE bytes). With ENDBR we must also skip those 4 bytes, but in some
> cases like bpf_fentry_test1, for which this test has an fmod_ret prog, the compiler
> (gcc 11) emits endbr64, but not for do_init_module, for which we do fexit.
>
> This means that for do_init_module, orig_call += X86_PATCH_SIZE +
> ENDBR_INSN_SIZE would skip more bytes than needed to emit the call to the original
> function, which explains why I was seeing a crash in the middle of the
> 'mov edx, 0x10' instruction.
>
> The diff below fixes the problem for me, and allows the test to pass.
>
> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index b98e1c95bcc4..760c9a3c075f 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c
> @@ -2031,11 +2031,14 @@ int arch_prepare_bpf_trampoline(struct bpf_tramp_image *im, void *image, void *i
>
> ip_off = stack_size;
>
> - if (flags & BPF_TRAMP_F_SKIP_FRAME)
> + if (flags & BPF_TRAMP_F_SKIP_FRAME) {
> /* skip patched call instruction and point orig_call to actual
> * body of the kernel function.
> */
> - orig_call += X86_PATCH_SIZE + ENDBR_INSN_SIZE;
> + if (is_endbr(*(u32 *)orig_call))
> + orig_call += ENDBR_INSN_SIZE;
> + orig_call += X86_PATCH_SIZE;
> + }
>
> prog = image;

Hmm, so I was under the impression that this was targeting the NOP from
emit_prologue(), and that has an unconditional ENDBR.

If this is instead targeting the 'start of random kernel function' then
yes, what you propose will work.

(obviously, once we go do more complicated CFI schemes, all this needs
revisiting yet again).

I don't seem able to run this mod_race test, it keeps saying:

tgl-build# ./test_progs -v -t mod_race
bpf_testmod.ko is already unloaded.
Loading bpf_testmod.ko...
Successfully loaded bpf_testmod.ko.
Summary: 0/0 PASSED, 0 SKIPPED, 0 FAILED
Successfully unloaded bpf_testmod.ko.

Which I'm taking to mean I'm doing it wrong... so I can't immediately
verify, but your proposal looks sane so I'll fold it in.

Thanks!
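Review bot: the comment kept in this hunk ("skip patched call instruction and point orig_call to actual body of the kernel function") no longer explains the code under it, which now skips the ENDBR only conditionally; it should say why. orig_call here points at the entry of an arbitrary kernel function, where the compiler may or may not have emitted endbr64 (the quoted report shows it present for bpf_fentry_test1 and absent for do_init_module), unlike the trampoline prologue, whose ENDBR is unconditional. Suggest extending the comment, e.g. "/* skip the patched call instruction (and the ENDBR, if the compiler emitted one) and point orig_call to the actual body of the kernel function. */". The "if (is_endbr(*(u32 *)orig_call))" test also has to stay ahead of "orig_call += X86_PATCH_SIZE;", as it is here, since it inspects the first four bytes of the function, not the bytes after the patch site.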
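The miscalculation Kumar describes, worked through in userspace as an added example (not code from the thread or from the kernel): two constructed function entries, one beginning with endbr64 and one without, are given to the unconditional skip from before the fix and to the conditional skip from the diff, and a helper checks whether the resulting offset lands on the 'mov edx, 0x10' opcode or in the middle of an instruction. X86_PATCH_SIZE = 5 and ENDBR_INSN_SIZE = 4 are assumed here to match the kernel's values with IBT enabled; is_endbr() is a local re-implementation, not the kernel's; the instruction bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed to match the kernel's x86 BPF JIT with IBT enabled:
 * a 5-byte call/NOP patch site and a 4-byte endbr64. */
#define X86_PATCH_SIZE  5
#define ENDBR_INSN_SIZE 4

/* endbr64 is encoded as f3 0f 1e fa; read as a little-endian u32 that is
 * 0xfa1e0ff3. Local stand-in for the kernel's is_endbr() (example only). */
static bool is_endbr(const uint8_t *p)
{
	uint32_t v;

	memcpy(&v, p, sizeof(v));	/* avoid an unaligned u32 dereference */
	return v == 0xfa1e0ff3u;
}

/* Body offset as computed before the fix: assumes every patched function
 * starts with endbr64, whether or not the compiler emitted one. */
size_t body_offset_unconditional(const uint8_t *fn)
{
	(void)fn;
	return X86_PATCH_SIZE + ENDBR_INSN_SIZE;
}

/* Body offset as computed by the diff: skip the ENDBR only if present,
 * then skip the patched call/NOP. */
size_t body_offset_fixed(const uint8_t *fn)
{
	size_t off = 0;

	if (is_endbr(fn))
		off += ENDBR_INSN_SIZE;
	off += X86_PATCH_SIZE;
	return off;
}

/* Constructed function entries, not real kernel bytes.
 * A: endbr64; 5-byte nopl; mov edx,0x10 (ba 10 00 00 00); ret */
const uint8_t fn_with_endbr[] = {
	0xf3, 0x0f, 0x1e, 0xfa,
	0x0f, 0x1f, 0x44, 0x00, 0x00,
	0xba, 0x10, 0x00, 0x00, 0x00,
	0xc3
};
const size_t fn_with_endbr_len = sizeof(fn_with_endbr);

/* B: the same function as the compiler emits it without endbr64. */
const uint8_t fn_without_endbr[] = {
	0x0f, 0x1f, 0x44, 0x00, 0x00,
	0xba, 0x10, 0x00, 0x00, 0x00,
	0xc3
};
const size_t fn_without_endbr_len = sizeof(fn_without_endbr);

/* True if the computed entry point is the 'mov edx, 0x10' opcode byte;
 * false if it falls inside an instruction (the crash Kumar observed). */
bool lands_on_mov(const uint8_t *fn, size_t len, size_t off)
{
	return off < len && fn[off] == 0xba;
}
```

For the entry without endbr64 the unconditional skip yields offset 9, four bytes into the mov immediate, while the fixed computation yields 5, the real body. Note that the conditional version reads the function's first four bytes before adding X86_PATCH_SIZE, which is why the order of the two statements in the diff matters.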