Received: by 2002:a05:7412:6592:b0:d7:7d3a:4fe2 with SMTP id m18csp1220732rdg; Fri, 11 Aug 2023 14:00:19 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEXSsgHtgOjmwq0qqX5HgLBkpvUJTYvdez9B/AUP0Xkam2HiLJ8LeDD349vknBpBFbXQXrZ X-Received: by 2002:a17:906:10d2:b0:99b:50ea:2f96 with SMTP id v18-20020a17090610d200b0099b50ea2f96mr3688673ejv.12.1691787619089; Fri, 11 Aug 2023 14:00:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691787619; cv=none; d=google.com; s=arc-20160816; b=PTtpAQpqDiES1HGC4TjiWqpFR/b6Q+O54i4qXDdFb4ufdd6cR1DtQj8aVkDiLQEl3C zzOr5DckhyvIktUO4jPHrXggVy826GF+8BfA7ccnszRNKH/5UJsWCNtHkI/ekcvpic4d wXgnFDJT8TS9flwdxk9iPkCP+xMrURXKJyFWQhDVLCkf0pV4GesCalf+5C1h+kg8IDMP cblHjPSmP+nckjUyTCCjV/LT2FolI+zEUhDIDS5+/zz/DjxD/UoMx+/SR06NX9haRvzt 3uAwLPVnm5+u2NoA80UTXTQLeWCGOsQIX3eZg+93lCCUp8zhFretitCuCwzgPiTDVn1H 4IGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=hEXEFCPFrqRQrjxHQ3PIoyRZxwjD4HNZdhhYwTXt60M=; fh=Uo0tycy0xRN8qDH8PDGixtOnD7Im9De7yasLMCRPmD8=; b=KZJ3hQUh0xn2fE6/qWENfQczDvZEjikysWk7eXYvEElDs7H/Rts8ezKbUpjTQQHlNn Ei02AHQ0fwyoAVascrXgiM6UM8QRECmimci7yooutpdE8M0H3Y1z5EjvrnfxRQ0Ml0aA S9/9YcTA7JS9GTJOOQREufSrUOjcEo5SsWOrjv9q1kHqKDCvmMozDQv1snH70/n+jIis YItuNLbgZF8Td3f2jko8VS/v4Fzs0jaJa1p4xXIZsOVncR+YAKOEZWfl25uab9Adtfwe uHfXZH1q5yVKwqaM5uFiSzGcNotQNhcdl+3rBM6SIcMHGPbbQGSmKSIn4QACgzeE6Fhj tBkg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=LDa+NjgO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ju14-20020a17090798ae00b00993860a6d36si4342968ejc.374.2023.08.11.13.59.54; Fri, 11 Aug 2023 14:00:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=LDa+NjgO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S236287AbjHKSsm (ORCPT + 99 others); Fri, 11 Aug 2023 14:48:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41138 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233418AbjHKSsk (ORCPT ); Fri, 11 Aug 2023 14:48:40 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 48E6930DC for ; Fri, 11 Aug 2023 11:47:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1691779673; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=hEXEFCPFrqRQrjxHQ3PIoyRZxwjD4HNZdhhYwTXt60M=; b=LDa+NjgOgbSSm6Kip7uTb/jGS+mFjCXIxku2SaHv+/GghsyXaV2XBhQDGAmsHFjbef4WBa qpLALwyCtAM4GBOxDT5Vj8LlZj2p2SzEw6H43A9ZuBmHrIpiW6EOhYeucW/oXdmfdXwfsz TucMHg3Hd/4nT4B6nw053crc8PzImd8= Received: from mail-lj1-f199.google.com (mail-lj1-f199.google.com [209.85.208.199]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-423-5f6BQd4WM6qllt61u7DuIw-1; Fri, 11 Aug 2023 14:47:52 -0400 X-MC-Unique: 5f6BQd4WM6qllt61u7DuIw-1 Received: by mail-lj1-f199.google.com with SMTP id 38308e7fff4ca-2b9c22c3d68so13804791fa.1 for ; Fri, 11 Aug 2023 11:47:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691779671; x=1692384471; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=hEXEFCPFrqRQrjxHQ3PIoyRZxwjD4HNZdhhYwTXt60M=; b=jS12Wvj/ZVkkBmYG6AkGIQzdwcCNppvG2nzl72TVAEadhxnew1sLjqlGgLj4NL5OX5 8audMI8mPrezZsSfPU+orTl2HzXEKe3z2rRyJ09KLUgR5W19uCKgamdl35HcxxMdhBaJ AmieubWFyIZGQ/7KjXZpQuss7yCd6xFzsam6lfA4hEVIvRaELHukJjX5FCMmyBNT0sYD N/6YWKcs0z7C/VS1NxP5qh+74x+LNFJKPr3k/nbhBUbMTavAa0m5yXcexsuEBGXSP5RV DzDdYzztC6Vi64YADxsVk2S1SH+CW2HYDEcy6ljnpONyxGt0V64YKSiYvVY84fbJ7PbX kgFA== X-Gm-Message-State: AOJu0YxIPVRzIECz72pzMZ5eHTxf9MtWn8SjscjofPdJTAYXFi6t5l5n DpDOjzrmlhjVok9SkITiKwRgjftz7a6ulG2xX07uFkGkcLeMr0qkSM+5mjxs5JvnXnSteDBRlaC VMoVk+d/OAsaILpdQ/S76rPA= X-Received: by 2002:a05:651c:1184:b0:2b9:b7ad:71a6 with SMTP id w4-20020a05651c118400b002b9b7ad71a6mr1850770ljo.25.1691779670828; Fri, 11 Aug 2023 11:47:50 -0700 (PDT) X-Received: by 2002:a05:651c:1184:b0:2b9:b7ad:71a6 with SMTP id w4-20020a05651c118400b002b9b7ad71a6mr1850764ljo.25.1691779670488; Fri, 11 Aug 2023 11:47:50 -0700 (PDT) Received: from [192.168.1.86] (85-23-20-79.bb.dnainternet.fi. [85.23.20.79]) by smtp.gmail.com with ESMTPSA id u20-20020a2e2e14000000b002ba123cb784sm967450lju.99.2023.08.11.11.47.49 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 11 Aug 2023 11:47:49 -0700 (PDT) Message-ID: <8edc91f9-ce20-9528-a496-5b6e650bb63f@redhat.com> Date: Fri, 11 Aug 2023 21:47:49 +0300 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.13.0 Subject: Re: [PATCH] x86/retpoline: Don't clobber RFLAGS during srso_safe_ret() Content-Language: en-US To: Sean Christopherson , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org Cc: linux-kernel@vger.kernel.org, Srikanth Aithal , kvm@vger.kernel.org, Paolo Bonzini References: <20230811155255.250835-1-seanjc@google.com> From: =?UTF-8?Q?Mika_Penttil=c3=a4?= In-Reply-To: <20230811155255.250835-1-seanjc@google.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/11/23 18:52, Sean Christopherson wrote: > Use 'lea' instead of 'add' when adjusting %rsp in srso_safe_ret() so as to > avoid clobbering flags. Drop one of the INT3 instructions to account for > the LEA consuming one more byte than the ADD. > > KVM's emulator makes indirect calls into a jump table of sorts, where > the destination of each call is a small blob of code that performs fast > emulation by executing the target instruction with fixed operands. > > E.g. to emulate ADC, fastop() invokes adcb_al_dl(): > > adcb_al_dl: > 0xffffffff8105f5f0 <+0>: adc %dl,%al > 0xffffffff8105f5f2 <+2>: jmp 0xffffffff81a39270 <__x86_return_thunk> > > A major motivation for doing fast emulation is to leverage the CPU to > handle consumption and manipulation of arithmetic flags, i.e. RFLAGS is > both an input and output to the target of the call. fastop() collects > the RFLAGS result by pushing RFLAGS onto the stack and popping them back > into a variable (held in RDI in this case) > > asm("push %[flags]; popf; " CALL_NOSPEC " ; pushf; pop %[flags]\n" > > 0xffffffff81062be7 <+71>: mov 0xc0(%r8),%rdx > 0xffffffff81062bee <+78>: mov 0x100(%r8),%rcx > 0xffffffff81062bf5 <+85>: push %rdi > 0xffffffff81062bf6 <+86>: popf > 0xffffffff81062bf7 <+87>: call *%rsi > 0xffffffff81062bf9 <+89>: nop > 0xffffffff81062bfa <+90>: nop > 0xffffffff81062bfb <+91>: nop > 0xffffffff81062bfc <+92>: pushf > 0xffffffff81062bfd <+93>: pop %rdi > > and then propagating the arithmetic flags into the vCPU's emulator state: > > ctxt->eflags = (ctxt->eflags & ~EFLAGS_MASK) | (flags & EFLAGS_MASK); > > 0xffffffff81062be0 <+64>: and $0xfffffffffffff72a,%r9 > 0xffffffff81062bfe <+94>: and $0x8d5,%edi > 0xffffffff81062c0d <+109>: or %rdi,%r9 > 0xffffffff81062c1a <+122>: mov %r9,0x10(%r8) > > The failures can be most easily reproduced by running the "emulator" test > in KVM-Unit-Tests. > > If you're feeling a bit of deja vu, see commit b63f20a778c8 > ("x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386"). > > Fixes: fb3bd914b3ec ("x86/srso: Add a Speculative RAS Overflow mitigation") > Reported-by: Srikanth Aithal > Closes: https://lore.kernel.org/all/de474347-122d-54cd-eabf-9dcc95ab9eae@amd.com > Cc: stable@vger.kernel.org > Cc: kvm@vger.kernel.org > Cc: Paolo Bonzini > Signed-off-by: Sean Christopherson > --- > > Those that fail to learn from history are doomed to repeat it. :-D > > arch/x86/lib/retpoline.S | 7 +++---- > 1 file changed, 3 insertions(+), 4 deletions(-) > > diff --git a/arch/x86/lib/retpoline.S b/arch/x86/lib/retpoline.S > index 2cff585f22f2..132cedbf9e57 100644 > --- a/arch/x86/lib/retpoline.S > +++ b/arch/x86/lib/retpoline.S > @@ -164,7 +164,7 @@ __EXPORT_THUNK(srso_untrain_ret_alias) > /* Needs a definition for the __x86_return_thunk alternative below. */ > SYM_START(srso_safe_ret_alias, SYM_L_GLOBAL, SYM_A_NONE) > #ifdef CONFIG_CPU_SRSO > - add $8, %_ASM_SP > + lea 8(%_ASM_SP), %_ASM_SP > UNWIND_HINT_FUNC > #endif > ANNOTATE_UNRET_SAFE > @@ -239,7 +239,7 @@ __EXPORT_THUNK(zen_untrain_ret) > * SRSO untraining sequence for Zen1/2, similar to zen_untrain_ret() > * above. On kernel entry, srso_untrain_ret() is executed which is a > * > - * movabs $0xccccccc308c48348,%rax > + * movabs $0xccccc30824648d48,%rax > * > * and when the return thunk executes the inner label srso_safe_ret() > * later, it is a stack manipulation and a RET which is mispredicted and > @@ -252,11 +252,10 @@ SYM_START(srso_untrain_ret, SYM_L_GLOBAL, SYM_A_NONE) > .byte 0x48, 0xb8 > > SYM_INNER_LABEL(srso_safe_ret, SYM_L_GLOBAL) > - add $8, %_ASM_SP > + lea 8(%_ASM_SP), %_ASM_SP > ret > int3 > int3 > - int3 > lfence > call srso_safe_ret > int3 > > base-commit: 25aa0bebba72b318e71fe205bfd1236550cc9534 Don't we have the same kind of problems with __x86_return_skl ? --Mika