Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp397674rdg;
        Tue, 10 Oct 2023 13:43:00 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHbl8kozBKkt+VrshzVbmuKqbOBjZZyb1qcVS6jatIOOD6+0lfe40mAWiHn7RharUUBcorR
X-Received: by 2002:a05:6358:784:b0:13a:4855:d885 with SMTP id n4-20020a056358078400b0013a4855d885mr21540949rwj.10.1696970580467;
        Tue, 10 Oct 2023 13:43:00 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696970580; cv=none;
        d=google.com; s=arc-20160816;
        b=cJgOWdECxm5YXKbLs8JgZRfTqk/b1/XNaAxdnBoLcoLc8ReQGvyOcHvd4khFy605Rh
         8iLwp6zHE8SNln9XK1Yq/Vw4lXh1julpLLD/wzbkDNrGsNxBEoFDHFHR18EEYnphHkQY
         w2Fvc8uF2uVNZQLLWUfNpFsW+buO4Zqk8N8nP6H1N6ZJRVDIkQUx3ukiTGk273OyrYeO
         uGinkGQagTWPNsVw7iJuF4cTQvu+utxPRX9/ZDMLBe4dAv7vYsMrDNe21k2RQQmwcegU
         bnFlCiNjkAlI5Jv1sERQJpSzvCePboJqF2IhfucGuFT8D6jlXzSL3gKcXHK3v7bmJkfQ
         GK2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=3hLzUUAqQA2LVdYihFBpoLpthne89bNj5sfLzx1qiGc=;
        fh=7QXnpgeVLngJOa0an8szNan2v+x8OzDbHI/UyNpY0Ww=;
        b=Tx6cKlJN7W1W9g374pQ/JGmHY1jkSx8aFLBwYanmbuWfe0guDDL0c4SUXZd3ZlIQW4
         Djm4XszvxrP+HdE2UyLcz8+syQ8zJsiM6oHSnxu90J2t0cIRHXTw3CiTkuNFGH7VUZoO
         H8HEnLMXs0UW+XkVKF8iD28jTz040zFMMrwySFgmz3zqQg8WufXMlRynzPTXqtzMwUtC
         1bodYLdyKDQR03BBUCiJaJmx8v0XpQ0srGMsutz8/zCCgqFFu3yZ4n16I2NXyhqT+OMQ
         /VIZME4jaFwJ3YVBUateFEvG6QuU/6T5/E7Ip0GxUVMR2Ob2vrAK0yXLolZwNDV5cEFx
         3GxQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gZbToJHH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from howler.vger.email (howler.vger.email. [2620:137:e000::3:4])
        by mx.google.com with ESMTPS id cw4-20020a056a00450400b0068a140568b4si652301pfb.348.2023.10.10.13.43.00
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 10 Oct 2023 13:43:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=gZbToJHH;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by howler.vger.email (Postfix) with ESMTP id 0525A8054BF2;
	Tue, 10 Oct 2023 13:42:52 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1343781AbjJJUln (ORCPT <rfc822;tarbal@gmail.com> + 99 others);
        Tue, 10 Oct 2023 16:41:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33448 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S234481AbjJJUlY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Oct 2023 16:41:24 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A1728E1
        for <linux-kernel@vger.kernel.org>; Tue, 10 Oct 2023 13:41:21 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id DC287C433C9;
        Tue, 10 Oct 2023 20:41:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1696970481;
        bh=Bnd4fS4lpjScJDelZFnaw36gFOCQV836uDYvVRt8kkQ=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=gZbToJHHyHxLcoLX35DZpTmHZT8E9+CnT+QCi9O3Ap12TByUHcnAU4luy715JPUqB
         6BgyxBmQIewMxNXWzgApFnAvQsG1oJ2UD+i47yIeUokz6VyOjkEHwwep6S0maEnf1f
         tp8vfNqc5+tsWyQCrpCBSYw2Sql76KjTSW8HpfvOV8lvVsqC5g6WyFhIMOUA7Y+UZd
         lDRjyFYanrwzfQcpkc5YvrTfHP7jJxGystAzljEAG6eb+W9+731yMi/44p6KQo7fQq
         H8zhOMRBWeidZOkrLK2ZH8IUzcbwRwXQnu25lnNQDZGGytKy+5c16tfZukuZ/f7e80
         clGoL8NlVEMzQ==
Date:   Tue, 10 Oct 2023 13:41:19 -0700
From:   Josh Poimboeuf <jpoimboe@kernel.org>
To:     "Kaplan, David" <David.Kaplan@amd.com>
Cc:     "x86@kernel.org" <x86@kernel.org>,
        "luto@kernel.org" <luto@kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't
 used at runtime
Message-ID: <20231010204119.76i7vwecmeo6ex6d@treble>
References: <20231010171020.462211-1-david.kaplan@amd.com>
 <20231010171020.462211-4-david.kaplan@amd.com>
 <20231010193643.su6iqjniuxqqke6d@treble>
 <SN6PR12MB2702315F5C39E5354D63E68E94CDA@SN6PR12MB2702.namprd12.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <SN6PR12MB2702315F5C39E5354D63E68E94CDA@SN6PR12MB2702.namprd12.prod.outlook.com>
X-Spam-Status: No, score=2.4 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on howler.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Tue, 10 Oct 2023 13:42:52 -0700 (PDT)
X-Spam-Level: **

On Tue, Oct 10, 2023 at 08:14:33PM +0000, Kaplan, David wrote:
> [AMD Official Use Only - General]
> 
> > -----Original Message-----
> > From: Josh Poimboeuf <jpoimboe@kernel.org>
> > Sent: Tuesday, October 10, 2023 2:37 PM
> > To: Kaplan, David <David.Kaplan@amd.com>
> > Cc: x86@kernel.org; luto@kernel.org; linux-kernel@vger.kernel.org
> > Subject: Re: [PATCH 3/3] x86/retpoline: Ensure default return thunk isn't used
> > at runtime
> >
> > >   *
> > > - * This code is only used during kernel boot or module init.  All
> > > + * This code is only used during kernel boot.  All
> > >   * 'JMP __x86_return_thunk' sites are changed to something else by
> > >   * apply_returns().
> > > + *
> > > + * This thunk is turned into a ud2 to ensure it is never used at runtime.
> > > + * Alternative instructions are applied after apply_returns().
> > >   */
> > >  SYM_CODE_START(__x86_return_thunk)
> > >       UNWIND_HINT_FUNC
> > >       ANNOTATE_NOENDBR
> > > -     ANNOTATE_UNRET_SAFE
> > > -     ret
> > > +     ALTERNATIVE __stringify(ANNOTATE_UNRET_SAFE;ret),"ud2",
> > > + X86_FEATURE_RETHUNK
> >
> > If it's truly never used after boot (even for non-rethunk cases) then can we use
> > X86_FEATURE_ALWAYS?
> >
> 
> I think that could work.  There is one subtlety though I'll point out:
> 
> The use of __x86_return_thunk when X86_FEATURE_RETHUNK is set is a
> potential security issue, as it means the required return thunk is not
> being used.  The use of __x86_return_thunk when X86_FEATURE_RETHUNK is
> not set is only a performance issue, as it means there is a return
> that was not rewritten to be an inline 'ret' by apply_returns().
> 
> The ud2 was primarily intended to capture cases where there is a
> potential security hole, while it is a bit overkill just to point out
> a return that was not optimized.

Even if it's not a security hole, I'd still view it as a major BUG() as
it would directly contradict our understanding (and the comments above)
and could cause performance or other correctness issues that would
otherwise go unnoticed.

So I think an unconditional UD2 is warranted.

-- 
Josh