[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20211015165635.GH174703@worktop.programming.kicks-ass.net>
Date: Fri, 15 Oct 2021 18:56:35 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Borislav Petkov <bp@...en8.de>
Cc: x86@...nel.org, jpoimboe@...hat.com, andrew.cooper3@...rix.com,
linux-kernel@...r.kernel.org, alexei.starovoitov@...il.com,
ndesaulniers@...gle.com
Subject: Re: [PATCH 4/9] x86/alternative: Implement .retpoline_sites support
On Fri, Oct 15, 2021 at 04:24:08PM +0200, Borislav Petkov wrote:
> On Wed, Oct 13, 2021 at 02:22:21PM +0200, Peter Zijlstra wrote:
> > +static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes)
> > +{
> > + void (*target)(void);
> > + int reg, i = 0;
> > +
> > + if (cpu_feature_enabled(X86_FEATURE_RETPOLINE))
> > + return -1;
> > +
> > + target = addr + insn->length + insn->immediate.value;
> > + reg = (target - &__x86_indirect_thunk_rax) /
> > + (&__x86_indirect_thunk_rcx - &__x86_indirect_thunk_rax);
>
> I guess you should compute those values once so that it doesn't have to
> do them for each function invocation. And it does them here when I look
> at the asm it generates.
Takes away the simplicity of the thing. It can't know these values at
compile time (due to external symbols etc..) although I suppose LTO
might be able to fix that.
Other than that, the above is the trivial form of reverse indexing an
array.
> > +
> > + if (WARN_ON_ONCE(reg & ~0xf))
> > + return -1;
>
> Sanity-checking the alignment of those thunks?
Nah, the target address of the instruction; if that's not a retpoline
thunk (for whatever raisin) then the computation will not result in a
valid reg and we should bail.
> > +
> > + i = emit_indirect(insn->opcode.bytes[0], reg, bytes);
> > + if (i < 0)
> > + return i;
> > +
> > + for (; i < insn->length;)
> > + bytes[i++] = BYTES_NOP1;
>
> Why not:
>
> nop_len = insn->length - i;
> if (nop_len) {
> memcpy(&bytes[i], x86_nops[nop_len], nop_len);
> i += nop_len;
> }
>
> and then you save yourself the optimize_nops() call because it'll take
> the right-sized NOP directly.
That's not immediately safe; if for some reason or other the original
instrucion is 15 bytes long, and we generated 2 bytes, then we need 13
nop bytes, the above will then do an out-of-bound array access (due to
the nops array only doing 8 byte nops at max).
I wanted this code to be simple and obvious.
Powered by blists - more mailing lists