From: Alexei Starovoitov
Date: Wed, 22 Nov 2023 16:43:05 -0800
Subject: Re: [PATCH 2/2] x86/cfi,bpf: Fix BPF JIT call
To: Peter Zijlstra
Cc: Paul Walmsley, Palmer Dabbelt, Albert Ou, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, X86 ML, "H. Peter Anvin", "David S. Miller", David Ahern, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Arnd Bergmann, Sami Tolvanen, Kees Cook, Nathan Chancellor, Nick Desaulniers, linux-riscv, LKML, Network Development, bpf, linux-arch, clang-built-linux, Josh Poimboeuf, Joao Moreira, Mark Rutland
References: <20231120144642.591358648@infradead.org> <20231120154948.708762225@infradead.org> <20231122021817.ggym3biyfeksiplo@macbook-pro-49.dhcp.thefacebook.com> <20231122111517.GR8262@noisy.programming.kicks-ass.net>
In-Reply-To: <20231122111517.GR8262@noisy.programming.kicks-ass.net>
List: linux-kernel@vger.kernel.org

On Wed, Nov 22, 2023 at 3:15 AM Peter Zijlstra wrote:
>
>
> To be very explicit, let me list all the various forms of function
> calls:
>
> Traditional:
>
> foo:
>   ... code here ...
>   ret
>
> direct caller:
>
>   call foo
>
> indirect caller:
>
>   lea foo(%rip), %r11
>   call *%r11
>
> IBT:
>
> foo:
>   endbr64
>   ... code here ...
>   ret
>
> direct caller:
>
>   call foo / call foo+4
>
> indirect caller:
>
>   lea foo(%rip), %r11
>   ...
>   call *%r11
>
>
> kCFI:
>
> __cfi_foo:
>   movl $0x12345678, %rax
>   (11 nops when CALL_PADDING)
> foo:
>   endbr64 (when also IBT)
>   ... code here ...
>   ret
>
> direct caller:
>
>   call foo / call foo+4
>
> indirect caller:
>
>   lea foo(%rip), %r11
>   ...
>   movl $(-0x12345678), %r10d
>   addl -15(%r11), %r10d (or -4 without CALL_PADDING)
>   je 1f
>   ud2
> 1:call *%r11
>
>
> FineIBT (builds as kCFI + CALL_PADDING + IBT + RETPOLINE and runtime
> patches things to look like):
>
> __cfi_foo:
>   endbr64
>   subl $0x12345678, %r10d
>   jz foo
>   ud2
>   nop
> foo:
>   osp nop3 (was endbr64)
>   ... code here ...
>   ret
>
> direct caller:
>
>   call foo / call foo+4
>
> indirect caller:
>
>   lea foo(%rip), %r11
>   ...
>   movl $0x12345678, %r10d
>   subl $16, %r11
>   nop4
>   call *%r11

Got it. That helps a lot!
You kind of have this comment scattered through arch/x86/kernel/alternative.c
but having it in one place like above would go a long way.
Could you please add it to arch/x86/net/bpf_jit_comp.c or
arch/x86/include/asm/cfi.h next to enum cfi_mode ?

> > I'm not sure doing cfi_bpf_hash check in JITed code is completely solving the problem.
> > From bpf_dispatcher_*_func() calling into JITed will work,
> > but this emit_prologue() is doing the same job for all bpf progs.
> > Some bpf progs call each other directly and indirectly.
> > bpf_dispatcher_*_func() -> JITed_BPF_A -> JITed_BPF_B.
> > A into B can be a direct call (which cfi doesn't care about) and
> > indirect via emit_bpf_tail_call_indirect()->emit_indirect_jump().
> > Should we care about fineibt/kcfi there too?
>
> The way I understood the tail-call thing to work is that it jumps to
> bpf_prog + X86_TAIL_CALL_OFFSET, we already emit an extra ENDBR there to
> make this work.
>
> So the A -> B indirect call is otherwise unadorned and only needs ENDBR.
>
> Ideally that would use kCFI/FineIBT but since it also skips some of the
> setup, this gets to be non-trivial, so I've let this be as is.

I see. yeah. The setup is not trivial indeed. Keeping it as-is is fine.

> So the kCFI thing is 'new' but readily inspected by objdump or godbolt:
>
> https://godbolt.org/z/sGe18z3ca
>
> (@Sami, that .Ltmp15 thing, I don't see that in the kernel, what
> compiler flag makes that go away?)

I also noticed this discrepancy. It doesn't seem to be used.
Looks weird to spend 8 bytes to store -sizeof(ud2)

> As to FineIBT, that has a big comment in arch/x86/kernel/alternative.c
> where I rewrite the kCFI thing into FineIBT. I can refer there to avoid
> duplicating comments, would that work?

Just the above comment somewhere would work.
I wouldn't worry about duplication. This is tricky stuff.
When gcc folks get around to implementing kcfi they will find it useful too.
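As an added illustration (not code from this thread or from the kernel), the following C model builds the kCFI prefix from Peter's listing in front of a fake entry point and runs the caller-side hash check against it, for both the CALL_PADDING (-15) and unpadded (-4) offsets and for a JIT prologue that emitted no prefix at all, which is the case the patch under discussion fixes. `struct func_image`, `emit_prefix`, `try_call` and the second hash value are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model (not kernel code) of the kCFI prefix/caller pair in the
 * listing above. Offsets follow the thread: with CALL_PADDING the prefix is
 * 16 bytes (5-byte movl + 11 nops), so the imm32 sits at entry-15; without
 * padding it is a bare 5-byte movl, so the imm32 sits at entry-4. */
#define CFI_HASH_FOO 0x12345678u  /* hash used in the listing */

struct func_image {
    uint8_t prefix[16];  /* __cfi_foo: movl $hash, %eax [+ 11 nops] */
    uint8_t entry[4];    /* foo: endbr64 (f3 0f 1e fa) */
};

/* What a kCFI-aware emitter (the compiler, or a JIT prologue that honours
 * cfi_bpf_hash) places before the entry point. A JIT that ignores CFI
 * (has_cfi == 0) leaves the prefix area as plain nops. */
static void emit_prefix(struct func_image *f, uint32_t hash, int has_cfi, int call_padding)
{
    size_t movl_at = call_padding ? 0 : sizeof f->prefix - 5;
    memset(f->prefix, 0x90, sizeof f->prefix);               /* nop */
    if (has_cfi) {
        f->prefix[movl_at] = 0xb8;                           /* movl $imm32, %eax */
        memcpy(&f->prefix[movl_at + 1], &hash, sizeof hash); /* imm32 */
    }
    memcpy(f->entry, "\xf3\x0f\x1e\xfa", 4);                 /* endbr64 */
}

/* Caller side of the kCFI indirect call from the listing:
 *   movl $(-hash), %r10d ; addl -15(%r11), %r10d ; je 1f ; ud2 ; 1: call *%r11
 * Returns 1 when the call proceeds, 0 when execution would reach the ud2. */
static int kcfi_indirect_call_ok(const struct func_image *f, uint32_t caller_hash, int call_padding)
{
    const uint8_t *r11 = (const uint8_t *)f + sizeof f->prefix; /* lea foo(%rip), %r11 */
    int disp = call_padding ? -15 : -4;
    uint32_t r10d = 0u - caller_hash;                 /* movl $(-hash), %r10d */
    uint32_t mem;
    memcpy(&mem, r11 + disp, sizeof mem);             /* addl disp(%r11), %r10d */
    r10d += mem;
    return r10d == 0;                                 /* je 1f (else ud2) */
}

/* Build one image the way a given emitter would, then call into it indirectly. */
static int try_call(uint32_t emitted_hash, int has_cfi, uint32_t caller_hash, int call_padding)
{
    struct func_image f;
    emit_prefix(&f, emitted_hash, has_cfi, call_padding);
    return kcfi_indirect_call_ok(&f, caller_hash, call_padding);
}
```

The last case (prefix left as nops) is what an indirect call from bpf_dispatcher_*_func() into a JITed program would hit before the JIT learned to emit the hash: the addl picks up 0x90909090 instead of the hash and the check lands on ud2.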