Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp542181pxb; Wed, 18 Aug 2021 08:12:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyPkiQpcfNfV+26uSCYZ4z3Eq/1Ssr8o+utFXnBXjXsN9y8i817IxoCkIUH/pSVJgupZnBG X-Received: by 2002:a50:9fa3:: with SMTP id c32mr10864740edf.354.1629299540362; Wed, 18 Aug 2021 08:12:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629299540; cv=none; d=google.com; s=arc-20160816; b=kpXEEcBFfR/rcGsQ7foQmM3D7bImJZmlJ23np1tGZwH0beOhQoqWkVtTnXYp3PplfF oPTqcG40nrA1Bizo3cLLCLvecZvU6RXRIbVo0ApapUILw2NmE7waeWNSQb7Nvr4w4YjE xFZMwJ63ke3J7feTc7wtJSG2Tz95bnwK8f6ENNt/K/XcYEFnvMM3uaIinoVj/CcZU9SG AAPdu7TA5ipif1U9Q7TaBtzkRANpA64qmiG0aWDRMW+PmVRhspGBpSBhjI5KYPwZkP3N ow2tk4FvAWzOkdVCLYwN2IMdJoABjIq4gvMGgcAL5pYGxJqz/L2Ekr2cp6pdR/QogMyO IQyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=BATSV86SaK5afBXIFxzdzZX4j4EhGdui2K0OHBJGQcw=; b=yRQXn8B4h8LWYdo54Jdtvy2OUwTf2Bfin9Z42+4aZ/zZNqPcBgg69GQWPmCg9k4Sux kTJiyYGZZmoYDwqeXsNSSh3CsUf+CF0mqYPTWM1fWxZT7WpPgsIlcV4s+ga6b4jPdEWu hlKlQIY15Lf4MBfugu/+nnIBF5TiimwF/6xZ0YDZJJv0N7OgowFkJXgGhg+F/PHbG7Aw L/yARMdkIuJS84832TFXbqjJoC3ZLlyMY6TQ1yc9qnB+Rklpu/BUHVD+JO4Ott1pR6ns waRgi/I7H2NF8rPDLZWo/P22SCQc4bLzXXz6TelO7rENbqJoWpzMtkKWVoYg9gjRfIiU RhAQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=nKyY7H15; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l9si58171edr.73.2021.08.18.08.11.48; Wed, 18 Aug 2021 08:12:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=nKyY7H15; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239703AbhHRPML (ORCPT + 99 others); Wed, 18 Aug 2021 11:12:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60368 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239472AbhHRPMK (ORCPT ); Wed, 18 Aug 2021 11:12:10 -0400 Received: from mail-pj1-x102a.google.com (mail-pj1-x102a.google.com [IPv6:2607:f8b0:4864:20::102a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6F51BC061764 for ; Wed, 18 Aug 2021 08:11:35 -0700 (PDT) Received: by mail-pj1-x102a.google.com with SMTP id 28-20020a17090a031cb0290178dcd8a4d1so5413011pje.0 for ; Wed, 18 Aug 2021 08:11:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=BATSV86SaK5afBXIFxzdzZX4j4EhGdui2K0OHBJGQcw=; b=nKyY7H15ZclPASn0mrCWStoJsQEVzP5/BmW4V3jtYB1HxVdnZRQQ4l+PtPCRG/dTV6 xfDqZKumuBc2DNoifQ7E+k+2RHNCKiMDNP3onIJnlrl5OiL/2iza72Z9iX+5k4rKwpSO /m3Ffp/F03wd5BcOk1ihua3YxRddIsYpot1qTBRf+xRtenjeQ4qFFoOSIN66Jft6TSfW c2t4wMFRzHKGD7LvgQQ/GVhG8mAh1vCDNxP/Inly9yMM79tpqdyKRQdjifrNITzwA6c7 yGxl1c2NhdVpvxPZ2G3/l6okDceS2O7mIXsDYuviCR6t29nOh+UDrTcg3BH0FRZEUvzE zLIw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=BATSV86SaK5afBXIFxzdzZX4j4EhGdui2K0OHBJGQcw=; b=G4HynvfoL5Dn8Z6hQAgs7Nm1xy4HRAo2lRa7tjRT/ZJDHN3FaF+IZaDQUwoXz7szgu GABA7zaIjZqmLfxYaBtTggcRUS05ZxlRV6K1aVf+LuadGZM0NvOGWV8cemwfgtDoL5LX QhMq+PwWepvHh6UFUdwFLwSNFy9SYMVBRhycEJDy9Ej7oXkAheUN3/hCUohFDZq4rowd kyXEqHpvMUKQidp4YvN3HMEEzwAHDHjQuQ2dkGjgI+CE8XTIrJ4RXYK6BMX6LbchJMqH LemLbvtkud6UhncrJPCvPqEzwMPAac601I46prHTqx6kLFGhjsKYYQnXEmBlDljNjYqJ muJA== X-Gm-Message-State: AOAM5306wT1RCx/ikYxr89s83VSuYaNh++QO0RQZupjuIiC4GKis43af lAg1klkeA3I7erHKPTI/QPSQ8A== X-Received: by 2002:a17:90b:1e03:: with SMTP id pg3mr9751970pjb.203.1629299494765; Wed, 18 Aug 2021 08:11:34 -0700 (PDT) Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157]) by smtp.gmail.com with ESMTPSA id m7sm28291pfc.212.2021.08.18.08.11.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Aug 2021 08:11:34 -0700 (PDT) Date: Wed, 18 Aug 2021 15:11:28 +0000 From: Sean Christopherson To: Kees Cook Cc: linux-kernel@vger.kernel.org, Paolo Bonzini , Vitaly Kuznetsov , Wanpeng Li , Jim Mattson , Joerg Roedel , Thomas Gleixner , Ingo Molnar , Borislav Petkov , x86@kernel.org, "H. Peter Anvin" , kvm@vger.kernel.org, "Gustavo A. R. Silva" , Greg Kroah-Hartman , Andrew Morton , linux-wireless@vger.kernel.org, netdev@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-staging@lists.linux.dev, linux-block@vger.kernel.org, linux-kbuild@vger.kernel.org, clang-built-linux@googlegroups.com, Rasmus Villemoes , linux-hardening@vger.kernel.org Subject: Re: [PATCH v2 53/63] KVM: x86: Use struct_group() to zero decode cache Message-ID: References: <20210818060533.3569517-1-keescook@chromium.org> <20210818060533.3569517-54-keescook@chromium.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210818060533.3569517-54-keescook@chromium.org> Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Tue, Aug 17, 2021, Kees Cook wrote: > arch/x86/kvm/emulate.c | 3 +-- > arch/x86/kvm/kvm_emulate.h | 19 +++++++++++-------- > 2 files changed, 12 insertions(+), 10 deletions(-) > > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c > index 2837110e66ed..2608a047e769 100644 > --- a/arch/x86/kvm/emulate.c > +++ b/arch/x86/kvm/emulate.c > @@ -5377,8 +5377,7 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop) > > void init_decode_cache(struct x86_emulate_ctxt *ctxt) > { > - memset(&ctxt->rip_relative, 0, > - (void *)&ctxt->modrm - (void *)&ctxt->rip_relative); > + memset(&ctxt->decode_cache, 0, sizeof(ctxt->decode_cache)); > > ctxt->io_read.pos = 0; > ctxt->io_read.end = 0; > diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h > index 68b420289d7e..9b8afcb8ad39 100644 > --- a/arch/x86/kvm/kvm_emulate.h > +++ b/arch/x86/kvm/kvm_emulate.h > @@ -341,14 +341,17 @@ struct x86_emulate_ctxt { > * the rest are initialized unconditionally in x86_decode_insn > * or elsewhere > */ > - bool rip_relative; > - u8 rex_prefix; > - u8 lock_prefix; > - u8 rep_prefix; > - /* bitmaps of registers in _regs[] that can be read */ > - u32 regs_valid; > - /* bitmaps of registers in _regs[] that have been written */ > - u32 regs_dirty; > + struct_group(decode_cache, This is somewhat misleading because half of this struct is the so called "decode cache", not just these six fields. KVM's "optimization" is quite ridiculous as this has never been such a hot path that saving a few mov instructions would be noticeable. And hilariously, the "optimization" is completely unnecessary because both gcc and clang are clever enough to batch the first five into a movq even when zeroing the fields individually. So, I would much prefer to go with the following: From dbdca1f4cd01fee418c252e54c360d518b2b1ad6 Mon Sep 17 00:00:00 2001 From: Sean Christopherson Date: Wed, 18 Aug 2021 08:03:08 -0700 Subject: [PATCH] KVM: x86: Replace memset() "optimization" with normal per-field writes Explicitly zero select fields in the emulator's decode cache instead of zeroing the fields via a gross memset() that spans six fields. gcc and clang are both clever enough to batch the first five fields into a single quadword MOV, i.e. memset() and individually zeroing generate identical code. Removing the wart also prepares KVM for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(). No functional change intended. Reported-by: Kees Cook Signed-off-by: Sean Christopherson --- arch/x86/kvm/emulate.c | 9 +++++++-- arch/x86/kvm/kvm_emulate.h | 6 +----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index 2837110e66ed..bf81fd017e7f 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -5377,8 +5377,13 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop) void init_decode_cache(struct x86_emulate_ctxt *ctxt) { - memset(&ctxt->rip_relative, 0, - (void *)&ctxt->modrm - (void *)&ctxt->rip_relative); + /* Clear fields that are set conditionally but read without a guard. */ + ctxt->rip_relative = false; + ctxt->rex_prefix = 0; + ctxt->lock_prefix = 0; + ctxt->rep_prefix = 0; + ctxt->regs_valid = 0; + ctxt->regs_dirty = 0; ctxt->io_read.pos = 0; ctxt->io_read.end = 0; diff --git a/arch/x86/kvm/kvm_emulate.h b/arch/x86/kvm/kvm_emulate.h index 68b420289d7e..bc1fecacccd4 100644 --- a/arch/x86/kvm/kvm_emulate.h +++ b/arch/x86/kvm/kvm_emulate.h @@ -336,11 +336,7 @@ struct x86_emulate_ctxt { fastop_t fop; }; int (*check_perm)(struct x86_emulate_ctxt *ctxt); - /* - * The following six fields are cleared together, - * the rest are initialized unconditionally in x86_decode_insn - * or elsewhere - */ + bool rip_relative; u8 rex_prefix; u8 lock_prefix; -- 2.33.0.rc1.237.g0d66db33f3-goog > + bool rip_relative; > + u8 rex_prefix; > + u8 lock_prefix; > + u8 rep_prefix; > + /* bitmaps of registers in _regs[] that can be read */ > + u32 regs_valid; > + /* bitmaps of registers in _regs[] that have been written */ > + u32 regs_dirty; > + ); > + > /* modrm */ > u8 modrm; > u8 modrm_mod; > -- > 2.30.2 >