Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp512841imw; Wed, 13 Jul 2022 02:55:18 -0700 (PDT) X-Google-Smtp-Source: AGRyM1tnEoxmq3JEqezj0h/VA8U0UMk19bTmBOOhORR9tDTLma4qqTAbRKLCPRZqcGRUybqBX1Z8 X-Received: by 2002:a17:902:edd1:b0:158:8318:b51e with SMTP id q17-20020a170902edd100b001588318b51emr2634672plk.89.1657706118371; Wed, 13 Jul 2022 02:55:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657706118; cv=none; d=google.com; s=arc-20160816; b=BHiUJpQQEVAZ74Wsv784/lTjQ7xOKZElydysJ/xjsA5S8CCt+X/6pR75E3WXE3EF8m QLSPVSt/pfkWWAV0FI6APHlKOf5H5XMMeL0pc+aFU0KKbAwvCkffkuQdgUNhf1+lLjwq AU1U1O69I4b5ajrrYBd6gFtsbCa0CRTVa8J4JLg1bQP4Kr5EcP8AKDgHuQ7DuGJ1n3cC IAV8rSUoqdBRvTtbOahtHX/S/8lQV88RVglRj1CHPUyd5cwnjxrl8gUll8ebfPoO1lLp Bvru+spUmmdx+tQ0PcQ1OteWy9ztggmKgRPHpnVkuC66N+tAMSSVYlwL3O/vktCOG+/s 776Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=iu/Gvbn1zK0U1w4KjsahsWiWxBTvbHb4Y4IJVd8CDks=; b=cJpnTi9qUTg/lWyV7xyFBNZDO3hCv+Nwyrzolu2ufYs4LL6OOM/73nqVxess6AAlVf MuE+bJAfp5ZCFrB8pdAaLjz6S9UtJgaL8frtyZmG46+iw/24xYpcyV8oJxMoyvNBdSQ7 TnpockQEOng6HwOadU6g8PfyhF1H5IfIC48qZ8dsQAMES8YQ9V/FpiLPIA9Wk/XpBmKU uuhxM0F3yxLrp9Q7ZH+oOaDwuu5ojugcGomWuVGfQHvDwDq0mH2Jtymro5lbnarYwx4A R2mCizAAdDcZp9BeqEP6nEjZbBeBMVnWA2W8BP5IGgQg3lnYyXHF1Og6JkWepQ/re8fb 0ojA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=CMZSyjYu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id o4-20020a056a0015c400b00529eaaf6798si19023725pfu.222.2022.07.13.02.55.05; Wed, 13 Jul 2022 02:55:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=CMZSyjYu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235276AbiGMJvL (ORCPT + 99 others); Wed, 13 Jul 2022 05:51:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45986 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235352AbiGMJvJ (ORCPT ); Wed, 13 Jul 2022 05:51:09 -0400 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E3969F8979 for ; Wed, 13 Jul 2022 02:51:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=iu/Gvbn1zK0U1w4KjsahsWiWxBTvbHb4Y4IJVd8CDks=; b=CMZSyjYu2liUqwCCJQQR5lsAaa urxcvfXDlInV5XsxRX9DIUJAe/VE6kxRBzApADSHI2/N5sz8tTCvqRiJ7/an9jEXWwvYRCWJmVlOo 625Ill+RuC28ZZzbUJYvUHKMjawVD0jeAoS6AflBqhW4UHE9T6SshLJ1MVpUIAABDljNgiN669VRw uICAwiBHSYnL6SogTEQI7YUZdBKukBWR8GXcOxkgLJVTaXGen5/FN+J7fBtqNu4q0WLxcc7NJtQ6X kC4Cgoh04IXmwzljN+oNCJ4ycWHajmlSWWh9wmq6hemQ9rf0T6qbmezZIeFQsgGqmDZnEYlaptSQO onJZpPMg==; Received: from j130084.upc-j.chello.nl ([24.132.130.84] helo=noisy.programming.kicks-ass.net) by casper.infradead.org with esmtpsa (Exim 4.94.2 #2 (Red Hat Linux)) id 1oBZ1A-0081TJ-Ev; Wed, 13 Jul 2022 09:50:52 +0000 Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 724993000D5; Wed, 13 Jul 2022 11:50:50 +0200 (CEST) Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id 55E12201ECFBD; Wed, 13 Jul 2022 11:50:50 +0200 (CEST) Date: Wed, 13 Jul 2022 11:50:50 +0200 From: Peter Zijlstra To: Alexandre Chartre Cc: Borislav Petkov , X86 ML , LKML Subject: Re: UNTRAIN_RET in native_irq_return_ldt Message-ID: References: <35b0d50f-12d1-10c3-f5e8-d6c140486d4a@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <35b0d50f-12d1-10c3-f5e8-d6c140486d4a@oracle.com> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE, SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 12, 2022 at 08:20:44PM +0200, Alexandre Chartre wrote: > > Hi, > > I think there is an issue in native_irq_return_ldt: UNTRAIN_RET is used and can > clobber %rax which is expected to be the user rax. and cx and dx.. > A simple fix would be to preserve %rax: > > diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S > index a4ba162e52c3..f1fe05289d84 100644 > --- a/arch/x86/entry/entry_64.S > +++ b/arch/x86/entry/entry_64.S > @@ -728,7 +728,11 @@ native_irq_return_ldt: > pushq %rdi /* Stash user RDI */ > swapgs /* to kernel GS */ > SWITCH_TO_KERNEL_CR3 scratch_reg=%rdi /* to kernel CR3 */ > + > + /* UNTRAIN_RET can clobber %rax, so preserve it */ > + movq %rax, %rdi > UNTRAIN_RET > + movq %rdi, %rax > movq PER_CPU_VAR(espfix_waddr), %rdi > movq %rax, (0*8)(%rdi) /* user RAX */ > Which still leaves cx and dx scrambled. > But I wonder if we really need to use UNTRAIN_RET in native_irq_return_ldt because > I think we reach this point from the kernel after untrain has already be done, > and it looks like we don't do ret afterward (the code just fixup the stack and > then iret). Yes, I think removing it is fine, the objtool unret validation also doesn't complain about it not being there (I really should have written that validation before doing these patches, not after, oh well).