Date: Tue, 10 Oct 2023 14:22:54 -0700
From: Josh Poimboeuf
To: Borislav Petkov
Cc: Peter Zijlstra, David Kaplan, x86@kernel.org, luto@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section"
Message-ID: <20231010212254.ypk2wdogno55shit@treble>
In-Reply-To: <20231010201912.7pjksbparssqu34k@treble>

On Tue, Oct 10, 2023 at 01:19:12PM -0700, Josh Poimboeuf wrote:
> On Tue, Oct 10, 2023 at 10:04:29PM +0200, Borislav Petkov wrote:
> > On Tue, Oct 10, 2023 at 12:57:21PM -0700, Josh Poimboeuf wrote:
> > > Also we could make objtool properly detect the non-relocated jump
> > > target.
> >
> > I was wondering about that... I guess it can compute the JMP target and
> > compare it to the address of __x86_return_thunk?
>
> Fine, you twisted my arm ;-)
>
> This seems to do the trick. Lemme write up a proper patch.

Here is said patch.

---8<---

From: Josh Poimboeuf Subject: [PATCH] objtool: Fix return thunk patching in retpolines With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates all such return sites so they can be patched during boot by apply_returns(). The implementation of __x86_return_thunk() is just a bare RET. It's only meant to be used temporarily until apply_returns() patches all return sites with either a JMP to another return thunk or an actual RET. The following commit e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines broke objtool's detection of return sites in retpolines. Since retpolines and return thunks are now in the same section, the compiler no longer uses relocations for the intra-section jumps between the retpolines and the return thunk, causing objtool to overlook them. As a result, none of the retpolines' return sites get patched. Each one stays at 'JMP __x86_return_thunk', effectively a bare RET. Fix it by teaching objtool to detect when a non-relocated jump target is a return thunk. Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") Reported-by: David Kaplan Signed-off-by: Josh Poimboeuf --- tools/objtool/check.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index e308d1ba664e..556469db4239 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file) return -1; } + /* + * Since retpolines are in the same section as the return + * thunk, they might not use a relocation when branching to it. + */ + if (jump_dest->sym && jump_dest->sym->return_thunk) { + add_return_call(file, insn, true); + continue; + } + /* * Cross-function jump. */ -- 2.41.0
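
Review bot: the comment added above the `jump_dest->sym->return_thunk` check gives the cause (the branch may have no relocation) but not the consequence, and the bare `true` passed in `add_return_call(file, insn, true)` does not say what it selects. Consider extending the comment to state that the jump is recorded as a return site so it gets patched like the relocated ones, which is what the commit message describes. It would also help to confirm that the test can only match when the destination is the thunk's entry: it checks the destination's symbol, not its offset, so if a jump into the middle of the thunk is possible an explicit offset comparison would make that case visible.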
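
The check raised in the quoted thread (compute the JMP target and compare it with the address of the return thunk), as an added example that is not objtool's code and not part of the patch. The helper names, the `has_reloc` flag and the byte sample are constructed for illustration; instruction start offsets are assumed to come from a real decoder.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a direct JMP at sec[off]; on success store its in-section target. */
static int jmp_dest(const uint8_t *sec, size_t len, size_t off, size_t *dest)
{
	int64_t disp, next;
	if (off < len && sec[off] == 0xE9 && len - off >= 5) {        /* JMP rel32 */
		disp = (int32_t)((uint32_t)sec[off + 1] | (uint32_t)sec[off + 2] << 8 |
				 (uint32_t)sec[off + 3] << 16 | (uint32_t)sec[off + 4] << 24);
		next = (int64_t)off + 5;
	} else if (off < len && sec[off] == 0xEB && len - off >= 2) { /* JMP rel8 */
		disp = (int8_t)sec[off + 1];
		next = (int64_t)off + 2;
	} else {
		return 0;                        /* not a direct jump */
	}
	if (next + disp < 0 || next + disp >= (int64_t)len)
		return 0;                        /* target leaves the section */
	*dest = (size_t)(next + disp);           /* rel is relative to the next insn */
	return 1;
}

/* 1 if the jump has no relocation and lands on the thunk's first byte.
 * A relocated jump is resolved through the relocation's symbol instead. */
static int is_unrelocated_thunk_jump(const uint8_t *sec, size_t len, size_t off,
				     int has_reloc, size_t thunk_off)
{
	size_t dest;
	return !has_reloc && jmp_dest(sec, len, off, &dest) && dest == thunk_off;
}

/* Constructed bytes, not real kernel code; offset 0x10 stands in for the thunk. */
static const uint8_t sample[] = {
	0xE9, 0x0B, 0x00, 0x00, 0x00,   /* 0x00: jmp 0x10 (0x05 + 11) */
	0xEB, 0x09,                     /* 0x05: jmp 0x10 (0x07 + 9) */
	0xE9, 0xF4, 0xFF, 0xFF, 0xFF,   /* 0x07: jmp 0x00 (0x0c - 12) */
	0x90, 0x90, 0x90, 0x90,         /* 0x0c: padding */
	0xC3, 0xCC,                     /* 0x10: ret; int3 */
};

int main(void)
{
	const size_t insns[] = { 0x00, 0x05, 0x07, 0x10 }; /* instruction starts */
	for (size_t i = 0; i < sizeof(insns) / sizeof(insns[0]); i++)
		printf("%#zx -> %d\n", insns[i], is_unrelocated_thunk_jump(
			sample, sizeof(sample), insns[i], 0, 0x10));
	return 0;
}
```

Comparing against the thunk's exact offset, rather than any address inside it, keeps a jump into the middle of the symbol from being counted as a return site.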