From: Andi Kleen <andi@firstfloor.org>
To: tglx@linutronix.de
Cc: x86@kernel.org, dwmw@amazon.co.uk, linux-kernel@vger.kernel.org,
pjt@google.com, torvalds@linux-foundation.org,
gregkh@linux-foundation.org, peterz@infradead.org,
luto@amacapital.net, thomas.lendacky@amd.com,
arjan.van.de.ven@intel.com, Andi Kleen <ak@linux.intel.com>
Subject: [PATCH 4/4] x86/retpoline: Fill return buffer on interrupt return to kernel
Date: Fri, 12 Jan 2018 10:45:50 -0800
Message-ID: <20180112184550.6573-5-andi@firstfloor.org>
In-Reply-To: <20180112184550.6573-1-andi@firstfloor.org>
From: Andi Kleen <ak@linux.intel.com>
Interrupts can have rather deep call chains on top of the original
call chain. Fill the return buffer on Skylake when returning from
an interrupt to the kernel, to avoid return buffer underflows
later.
This only needs to be done when returning to the kernel,
so interrupts interrupting user space are not impacted.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
---
arch/x86/entry/entry_32.S | 16 +++++++++++++---
arch/x86/entry/entry_64.S | 22 ++++++++++++++++++++++
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
index bbecb7c2f6cb..a58b0ae7121c 100644
--- a/arch/x86/entry/entry_32.S
+++ b/arch/x86/entry/entry_32.S
@@ -65,7 +65,6 @@
# define preempt_stop(clobbers) DISABLE_INTERRUPTS(clobbers); TRACE_IRQS_OFF
#else
# define preempt_stop(clobbers)
-# define resume_kernel restore_all
#endif
.macro TRACE_IRQS_IRET
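Review bot: dropping the `# define resume_kernel restore_all` alias for the !CONFIG_PREEMPT build means every `jmp resume_kernel` in that configuration now needs a real `resume_kernel` symbol, which only exists once the later hunk moves `ENTRY(resume_kernel)` out from under `#ifdef CONFIG_PREEMPT`. The two hunks must stay in one commit; this one cannot be applied or backported on its own without breaking the non-preempt link.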
@@ -349,8 +348,17 @@ ENTRY(resume_userspace)
jmp restore_all
END(ret_from_exception)
-#ifdef CONFIG_PREEMPT
ENTRY(resume_kernel)
+ /*
+ * Interrupts/faults could cause the return buffer of the CPU
+ * to overflow, which would lead to a underflow later,
+ * which may lead to a uncontrolled indirect branch.
+ * Fill the return buffer when returning to the kernel.
+ */
+ FILL_RETURN_BUFFER %eax, RSB_FILL_LOOPS, X86_FEATURE_RETURN_UNDERFLOW
+5:
+
+#ifdef CONFIG_PREEMPT
DISABLE_INTERRUPTS(CLBR_ANY)
.Lneed_resched:
cmpl $0, PER_CPU_VAR(__preempt_count)
@@ -359,8 +367,10 @@ ENTRY(resume_kernel)
jz restore_all
call preempt_schedule_irq
jmp .Lneed_resched
-END(resume_kernel)
+#else
+ jmp restore_all
#endif
+END(resume_kernel)
GLOBAL(__begin_SYSENTER_singlestep_region)
/*
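Review bot: on the CONFIG_PREEMPT path the fill happens too early. FILL_RETURN_BUFFER runs before `DISABLE_INTERRUPTS(CLBR_ANY)` and the `.Lneed_resched` loop, so after `call preempt_schedule_irq` returns and the loop exits via `jz restore_all`, the kernel is resumed with whatever the scheduler's call chain left in the return buffer, not the freshly filled one. Move the fill to the exit of the loop, immediately before the `jz restore_all` and `jmp restore_all` paths, so it is the last thing executed before the return. Two smaller points: the numeric label `5:` directly after the macro has no visible user in this hunk, so either document what jumps to it or drop it; and the new comment should read "an underflow" and "an uncontrolled indirect branch".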
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 3caac129cd07..36ee97fac6af 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -792,6 +792,15 @@ retint_kernel:
TRACE_IRQS_IRETQ
GLOBAL(restore_regs_and_return_to_kernel)
+ /*
+ * Interrupts/faults could cause the return buffer of the CPU
+ * to overflow, which would lead to a underflow later,
+ * which may lead to a uncontrolled indirect branch.
+ * Fill the return buffer when returning to the kernel.
+ */
+ FILL_RETURN_BUFFER %rax, RSB_FILL_LOOPS, X86_FEATURE_RETURN_UNDERFLOW
+4:
+
#ifdef CONFIG_DEBUG_ENTRY
/* Assert that pt_regs indicates kernel mode. */
testb $3, CS(%rsp)
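Review bot: the numeric label `4:` placed right after FILL_RETURN_BUFFER has no user in this hunk; drop it or say in the comment what references it. Since the macro uses %rax as scratch, the fill has to stay above the point where the saved pt_regs are restored, and `restore_regs_and_return_to_kernel` is a GLOBAL label reached from several paths, so the comment should state that ordering constraint explicitly to keep a later reordering from moving the fill below the register pops. Same grammar fix as the 32-bit hunk: "an underflow", "an uncontrolled".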
@@ -1660,6 +1669,10 @@ nested_nmi:
nested_nmi_out:
popq %rdx
+ /*
+ * No need to clear return buffer here because the outter NMI will do it,
+ * and we assume two NMIs will not overflow the return buffer.
+ */
/* We are returning to kernel mode, so this cannot result in a fault. */
iretq
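Review bot: "outter" should be "outer", and the stated reason is imprecise. As shown, `nested_nmi_out` only pops %rdx and `iretq`s back into the outer NMI handler, so this path consumes no return-buffer entries of its own; the outer handler does the fill before it returns to the interrupted kernel code. Say that instead of "we assume two NMIs will not overflow the return buffer", which describes an assumption the code does not actually depend on.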
@@ -1757,6 +1770,15 @@ end_repeat_nmi:
nmi_swapgs:
SWAPGS_UNSAFE_STACK
nmi_restore:
+ /*
+ * NMI could cause the return buffer of the CPU
+ * to overflow, which would lead to a underflow later,
+ * which may lead to a uncontrolled indirect branch.
+ * Fill the return buffer when returning to the kernel.
+ */
+
+ FILL_RETURN_BUFFER %rax, RSB_FILL_LOOPS, X86_FEATURE_RETURN_UNDERFLOW
+5:
POP_EXTRA_REGS
POP_C_REGS
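Review bot: the fill at `nmi_restore` is unconditional, and `nmi_swapgs` falls straight through into it, so an NMI that interrupted user space also executes the fill after SWAPGS_UNSAFE_STACK. That contradicts the commit message's statement that only returns to the kernel are affected. Either accept the cost and reword the message, or branch around the fill on the user-return path (a `testb $3, CS(%rsp)` as in the CONFIG_DEBUG_ENTRY check earlier in this patch would do, since pt_regs are still on the stack here). Also remove the stray blank line between the comment and the macro, drop the unused `5:` label, and fix "an underflow" / "an uncontrolled" as in the other comments.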
--
2.14.3
Thread overview: 20+ messages
2018-01-12 18:45 Improve retpoline for Skylake Andi Kleen
2018-01-12 18:45 ` [PATCH 1/4] x86/retpoline: Add new mode RETPOLINE_UNDERFLOW Andi Kleen
2018-01-12 22:13 ` Dominik Brodowski
2018-01-12 22:57 ` Andi Kleen
2018-01-12 18:45 ` [PATCH 2/4] x86/retpoline: Avoid return buffer underflows on context switch Andi Kleen
2018-01-12 18:45 ` [PATCH 3/4] x86/retpoline: Fill return buffer after idle Andi Kleen
2018-01-12 18:45 ` Andi Kleen [this message]
2018-01-12 19:12 ` Improve retpoline for Skylake David Woodhouse
2018-01-12 19:21 ` Andi Kleen
2018-01-12 22:03 ` Henrique de Moraes Holschuh
2018-01-15 8:26 ` Jon Masters
2018-01-15 9:06 ` David Woodhouse
2018-01-15 10:03 ` Thomas Gleixner
2018-01-15 10:20 ` David Woodhouse
2018-01-15 16:57 ` Andy Lutomirski
2018-01-15 17:38 ` Andrew Cooper
2018-01-15 17:56 ` Van De Ven, Arjan
2018-01-15 18:06 ` Andy Lutomirski
2018-01-15 18:07 ` David Woodhouse
2018-01-15 18:10 ` Andy Lutomirski