Received: by 2002:a05:7412:1492:b0:e2:908c:2ebd with SMTP id s18csp434639rdh;
        Mon, 21 Aug 2023 23:16:33 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IF+6ua1t8/9Sk578bY7J9FMDCgpWJ3D1NqkGxEsJ+B04ppcCFPzVoUJw/KZpkegrzz5m0cH
X-Received: by 2002:a17:902:d50c:b0:1bb:d586:d29a with SMTP id b12-20020a170902d50c00b001bbd586d29amr13643497plg.34.1692684992491;
        Mon, 21 Aug 2023 23:16:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1692684992; cv=none;
        d=google.com; s=arc-20160816;
        b=lk4M0o5WJwSBPe4A9c8LoFleXgZ8dCBCY5h6uaUiJeNOLjy8SA7MU7vIpF8uaxGFfZ
         aIatz05tgM9ixMzk2HGJ17WqffCkJg2gjl1Bw1oSkTqUVIza7xnSKoEc4AF+QkRtE81O
         ov0dvd0137xWY1/0yRFRysVfpnvUSOpvop2V4Idi1lurfrYk8/DXXcszz8y0uUFv7o99
         yoQo9pZmlWmdPbCQsB7V/10yMPIa6PYE41npBNZih5FmHWjz6q82HmcZmfiKIJk2fqDZ
         Laf1g/e9NJMu/G5uIhWRZclDfIOuxF6aJPd22PodKMtSXSnxDTepQEkISqKd+Ul9/dg0
         CAxQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=wOI1JQ5QSPSpxQxjELm5sjj6nxa06nXxeVZonAVdRiY=;
        fh=Im1+QDs9vUxkmj6ikDGiYf49sLJ71JxKowiAnR/2zyk=;
        b=XbpN7Jmw6CVnP1YJI7OSruwyJPucTmYZaJswd6J6NhVNHfnT74bxONwof/2qGMdlkn
         rkZUNI6IUsRYEy7lTQMi2nK4wtcORxhkvw+d6QXd/TzTV6BHvRlYYH04RZB6Ibi4cXHI
         WSGcm1QVTRhdt4kJxcCqpF2shtSyG3erwo6sGaowbPBnicrWXMXvO7Suks0QX+eU73/d
         zRJv7ITyXuSdjny7GLXhwHaJaf9eT4fQX21En/ncZgIcXn9jbruSiKjtNR4h1H9mnO9a
         Cqu6Itk5dJApoBzs/eAGjpYNj5QbmV7OoptEhdMWYSu+1BRfWMx9gIH9Scp3w0hbcjaG
         F6NQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hoWYIIbE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id u13-20020a170902e80d00b001b9f75c8bfasi1107024plg.424.2023.08.21.23.16.08;
        Mon, 21 Aug 2023 23:16:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=hoWYIIbE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231311AbjHVCWh (ORCPT <rfc822;arvinlake4755@gmail.com>
        + 99 others); Mon, 21 Aug 2023 22:22:37 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38710 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230526AbjHVCWf (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Aug 2023 22:22:35 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 43F6BDB
        for <linux-kernel@vger.kernel.org>; Mon, 21 Aug 2023 19:22:33 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id CBC54646F3
        for <linux-kernel@vger.kernel.org>; Tue, 22 Aug 2023 02:22:32 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BF53CC433C7;
        Tue, 22 Aug 2023 02:22:31 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1692670952;
        bh=XPEg5hUhI7aGUhMtVHHgnDv/L9i0G9LNRyzRNkNkFdQ=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=hoWYIIbE+vK0DxVQ4dcG9LGDVUpnwr9HGaXmBDi/yhO9VB71fFJrYQeGbymbpZ4JA
         /Kn75DtzlOoIF//ehC5WIxJ2O2AQqv/m4T2MPBLxZX2hgLo595E7JwvNcHDnYreIIE
         C3EahmqtWp2fzqmAfYEfsFU+qrx9ndALzI/4mwTnd+82aOierotcTrPJx5mOhSH5nP
         9GwKEfPE5eMJX7UNM0X07sR7Cjz2J2Nn/cP1n3MjfqPZvJLfeRZ9V3T5p4mqMDu3zl
         8IyyOpj3lRduE3GoEFZqHR9p8e0U9+r+OuSqMeimNvNQuN0ht+seuT6JxqAaYJXJz6
         0qgqkh2WA58iA==
Date:   Mon, 21 Aug 2023 19:22:29 -0700
From:   Josh Poimboeuf <jpoimboe@kernel.org>
To:     Andrew Cooper <andrew.cooper3@citrix.com>
Cc:     LKML <linux-kernel@vger.kernel.org>, x86@kernel.org,
        Borislav Petkov <bp@alien8.de>,
        Peter Zijlstra <peterz@infradead.org>,
        Babu Moger <babu.moger@amd.com>, David.Kaplan@amd.com,
        Nikolay Borisov <nik.borisov@suse.com>,
        gregkh@linuxfoundation.org, Thomas Gleixner <tglx@linutronix.de>
Subject: Re: [PATCH RFC 4/4] x86/srso: Use CALL-based return thunks to reduce
 overhead
Message-ID: <20230822022229.xlctyccmgdxiy6ic@treble>
References: <20230821112723.3995187-1-andrew.cooper3@citrix.com>
 <20230821112723.3995187-5-andrew.cooper3@citrix.com>
 <20230821151636.onk2e6tlhmjg5yz5@treble>
 <810fa94b-9417-0076-1232-d263ef882027@citrix.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <810fa94b-9417-0076-1232-d263ef882027@citrix.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 22, 2023 at 12:01:29AM +0100, Andrew Cooper wrote:
> On 21/08/2023 4:16 pm, Josh Poimboeuf wrote:
> > On Mon, Aug 21, 2023 at 12:27:23PM +0100, Andrew Cooper wrote:
> >> The SRSO safety depends on having a CALL to an {ADD,LEA}/RET sequence which
> >> has been made safe in the BTB.  Specifically, there needs to be no pertubance
> >> to the RAS between a correctly predicted CALL and the subsequent RET.
> >>
> >> Use the new infrastructure to CALL to a return thunk.  Remove
> >> srso_fam1?_safe_ret() symbols and point srso_fam1?_return_thunk().
> >>
> >> This removes one taken branch from every function return, which will reduce
> >> the overhead of the mitigation.  It also removes one of three moving pieces
> >> from the SRSO mess.
> > So, the address of whatever instruction comes after the 'CALL
> > srso_*_return_thunk' is added to the RSB/RAS, and that might be
> > speculated to when the thunk returns.  Is that a concern?
> 
> That is very intentional, and key to the safety.
> 
> Replacing a RET with a CALL/{ADD,LEA}/RET sequence is a form of
> retpoline thunk.  The only difference with regular retpolines is that
> the intended target is already on the stack, and not in a GPR.
> 
> 
> If the CALL mispredicts, it doesn't matter.  When decode catches up
> (allegedly either instantaneously on Fam19h, or a few cycles late on
> Fam17h), the top of the RAS is corrected will point at the INT3
> following the CALL instruction.

That's the thing though, at least with my kernel/compiler combo there's
no INT3 after the JMP __x86_return_thunk, and there's no room to patch
one in after the CALL, as the JMP and CALL are both 5 bytes.

-- 
Josh