From: Peter Zijlstra <peterz@infradead.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Daniel Sneddon <daniel.sneddon@linux.intel.com>,
Pawan Gupta <pawan.kumar.gupta@linux.intel.com>,
Borislav Petkov <bp@suse.de>,
Andrew Cooper <Andrew.Cooper3@citrix.com>,
Thomas Gleixner <tglx@linutronix.de>,
x86@kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>
Subject: [PATCH] x86/nospec: Unwreck the RSB stuffing
Date: Tue, 16 Aug 2022 14:28:36 +0200 [thread overview]
Message-ID: <YvuNdDWoUZSBjYcm@worktop.programming.kicks-ass.net> (raw)
In-Reply-To: <20220809175513.979067723@linuxfoundation.org>
Replying here, because obviously there's no actual posting of this
patch... :/
> --- a/arch/x86/include/asm/nospec-branch.h
> +++ b/arch/x86/include/asm/nospec-branch.h
> @@ -118,13 +118,28 @@
> #endif
> .endm
>
> +.macro ISSUE_UNBALANCED_RET_GUARD
> + ANNOTATE_INTRA_FUNCTION_CALL
> + call .Lunbalanced_ret_guard_\@
> + int3
> +.Lunbalanced_ret_guard_\@:
> + add $(BITS_PER_LONG/8), %_ASM_SP
> + lfence
> +.endm
> +
> /*
> * A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
> * monstrosity above, manually.
> */
> -.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req
> +.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2
> +.ifb \ftr2
> ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
> +.else
> + ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2
> +.endif
> __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
> +.Lunbalanced_\@:
> + ISSUE_UNBALANCED_RET_GUARD
> .Lskip_rsb_\@:
> .endm
(/me deletes all the swear words and starts over)
This must absolutely be the most horrible patch you could come up with,
no? I suppose that's the price of me taking PTO :-(
Could you please test this; I've only compiled it.
---
Subject: x86/nospec: Unwreck the RSB stuffing
Commit 2b1299322016 ("x86/speculation: Add RSB VM Exit protections")
made a right mess of the RSB stuffing, rewrite the whole thing to not
suck.
Thanks to Andrew for the enlightening comment about Post-Barrier RSB
things so we can make this code less magical.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
---
cpufeatures.h | 2 +
nospec-branch.h | 80 +++++++++++++++++++++++++++-----------------------------
2 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/arch/x86/include/asm/cpufeatures.h b/arch/x86/include/asm/cpufeatures.h
index 235dc85c91c3..1a31ae6d758b 100644
--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -420,6 +420,8 @@
#define X86_FEATURE_V_TSC_AUX (19*32+ 9) /* "" Virtual TSC_AUX */
#define X86_FEATURE_SME_COHERENT (19*32+10) /* "" AMD hardware-enforced cache coherency */
+#define X86_FEATURE_NEVER (-1) /* "" Logical complement of ALWAYS */
+
/*
* BUG word(s)
*/
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index e64fd20778b6..336f8e8cebf8 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -35,33 +35,44 @@
#define RSB_CLEAR_LOOPS 32 /* To forcibly overwrite all entries */
/*
+ * Common helper for __FILL_RETURN_BUFFER and __FILL_ONE_RETURN.
+ */
+#define __FILL_RETURN_SLOT \
+ ANNOTATE_INTRA_FUNCTION_CALL; \
+ call 772f; \
+ int3; \
+772:
+
+/*
+ * Stuff the entire RSB.
+ *
* Google experimented with loop-unrolling and this turned out to be
* the optimal version - two calls, each with their own speculation
* trap should their return address end up getting used, in a loop.
*/
-#define __FILL_RETURN_BUFFER(reg, nr, sp) \
- mov $(nr/2), reg; \
-771: \
- ANNOTATE_INTRA_FUNCTION_CALL; \
- call 772f; \
-773: /* speculation trap */ \
- UNWIND_HINT_EMPTY; \
- pause; \
- lfence; \
- jmp 773b; \
-772: \
- ANNOTATE_INTRA_FUNCTION_CALL; \
- call 774f; \
-775: /* speculation trap */ \
- UNWIND_HINT_EMPTY; \
- pause; \
- lfence; \
- jmp 775b; \
-774: \
- add $(BITS_PER_LONG/8) * 2, sp; \
- dec reg; \
- jnz 771b; \
- /* barrier for jnz misprediction */ \
+#define __FILL_RETURN_BUFFER(reg, nr) \
+ mov $(nr/2), reg; \
+771: \
+ __FILL_RETURN_SLOT \
+ __FILL_RETURN_SLOT \
+ add $(BITS_PER_LONG/8) * 2, %_ASM_SP; \
+ dec reg; \
+ jnz 771b; \
+ /* barrier for jnz misprediction */ \
+ lfence;
+
+/*
+ * Stuff a single RSB slot.
+ *
+ * To mitigate Post-Barrier RSB speculation, one CALL instruction must be
+ * forced to retire before letting a RET instruction execute.
+ *
+ * On PBRSB-vulnerable CPUs, it is not safe for a RET to be executed
+ * before this point.
+ */
+#define __FILL_ONE_RETURN \
+ __FILL_RETURN_SLOT \
+ add $(BITS_PER_LONG/8), %_ASM_SP; \
lfence;
#ifdef __ASSEMBLY__
@@ -132,28 +143,15 @@
#endif
.endm
-.macro ISSUE_UNBALANCED_RET_GUARD
- ANNOTATE_INTRA_FUNCTION_CALL
- call .Lunbalanced_ret_guard_\@
- int3
-.Lunbalanced_ret_guard_\@:
- add $(BITS_PER_LONG/8), %_ASM_SP
- lfence
-.endm
-
/*
* A simpler FILL_RETURN_BUFFER macro. Don't make people use the CPP
* monstrosity above, manually.
*/
-.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2
-.ifb \ftr2
- ALTERNATIVE "jmp .Lskip_rsb_\@", "", \ftr
-.else
- ALTERNATIVE_2 "jmp .Lskip_rsb_\@", "", \ftr, "jmp .Lunbalanced_\@", \ftr2
-.endif
- __FILL_RETURN_BUFFER(\reg,\nr,%_ASM_SP)
-.Lunbalanced_\@:
- ISSUE_UNBALANCED_RET_GUARD
+.macro FILL_RETURN_BUFFER reg:req nr:req ftr:req ftr2=X86_FEATURE_NEVER
+ ALTERNATIVE_2 "jmp .Lskip_rsb_\@", \
+ __stringify(__FILL_RETURN_BUFFER(\reg,\nr)), \ftr, \
+ __stringify(__FILL_ONE_RETURN), \ftr2
+
.Lskip_rsb_\@:
.endm
next prev parent reply other threads:[~2022-08-16 12:29 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-09 18:00 [PATCH 5.19 00/21] 5.19.1-rc1 review Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 01/21] block: fix default IO priority handling again Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 02/21] tools/vm/slabinfo: Handle files in debugfs Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 03/21] ACPI: video: Force backlight native for some TongFang devices Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 04/21] ACPI: video: Shortening quirk list by identifying Clevo by board_name only Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 05/21] ACPI: APEI: Better fix to avoid spamming the console with old error logs Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 06/21] crypto: arm64/poly1305 - fix a read out-of-bound Greg Kroah-Hartman
2022-08-09 18:00 ` [PATCH 5.19 07/21] ata: sata_mv: Fixes expected number of resources now IRQs are gone Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 08/21] arm64: set UXN on swapper page tables Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 09/21] Bluetooth: hci_qca: Return wakeup for qca_wakeup Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 10/21] Bluetooth: hci_bcm: Add BCM4349B1 variant Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 11/21] Bluetooth: hci_bcm: Add DT compatible for CYW55572 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 12/21] dt-bindings: bluetooth: broadcom: Add BCM4349B1 DT binding Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 13/21] Bluetooth: btusb: Add support of IMC Networks PID 0x3568 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 14/21] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04CA:0x4007 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 15/21] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x04C5:0x1675 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 16/21] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0CB8:0xC558 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 17/21] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3587 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 18/21] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x13D3:0x3586 Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 19/21] macintosh/adb: fix oob read in do_adb_query() function Greg Kroah-Hartman
2022-08-09 18:01 ` [PATCH 5.19 20/21] x86/speculation: Add RSB VM Exit protections Greg Kroah-Hartman
2022-08-16 12:28 ` Peter Zijlstra [this message]
2022-08-16 12:33 ` [PATCH] x86/nospec: Unwreck the RSB stuffing Greg Kroah-Hartman
2022-08-16 12:36 ` Borislav Petkov
2022-08-16 12:42 ` Greg Kroah-Hartman
2022-08-16 16:34 ` Daniel Sneddon
2022-08-16 12:52 ` Andrew Cooper
2022-08-16 13:01 ` Borislav Petkov
2022-08-16 22:34 ` Pawan Gupta
2022-08-16 17:34 ` Daniel Sneddon
2022-08-16 18:04 ` Daniel Sneddon
2022-08-16 18:14 ` Boris Petkov
2022-08-17 6:55 ` Peter Zijlstra
2022-08-19 10:33 ` Peter Zijlstra
2022-08-19 11:35 ` [tip: x86/urgent] " tip-bot2 for Peter Zijlstra
2022-08-09 18:01 ` [PATCH 5.19 21/21] x86/speculation: Add LFENCE to RSB fill sequence Greg Kroah-Hartman
2022-08-09 22:13 ` [PATCH 5.19 00/21] 5.19.1-rc1 review Florian Fainelli
2022-08-10 1:08 ` Zan Aziz
2022-08-10 4:10 ` Shuah Khan
2022-08-10 5:26 ` Ron Economos
2022-08-10 7:51 ` Naresh Kamboju
2022-08-10 8:28 ` Bagas Sanjaya
2022-08-10 13:33 ` Guenter Roeck
2022-08-10 14:20 ` Justin Forbes
2022-08-10 21:49 ` Rudi Heitbaum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YvuNdDWoUZSBjYcm@worktop.programming.kicks-ass.net \
--to=peterz@infradead.org \
--cc=Andrew.Cooper3@citrix.com \
--cc=bp@suse.de \
--cc=daniel.sneddon@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pawan.kumar.gupta@linux.intel.com \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox