lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251022094105.7ea30194@pumpkin>
Date: Wed, 22 Oct 2025 09:41:05 +0100
From: David Laight <david.laight.linux@...il.com>
To: "Kaplan, David" <David.Kaplan@....com>
Cc: Peter Zijlstra <peterz@...radead.org>, Thomas Gleixner
 <tglx@...utronix.de>, Borislav Petkov <bp@...en8.de>, Josh Poimboeuf
 <jpoimboe@...nel.org>, Pawan Gupta <pawan.kumar.gupta@...ux.intel.com>,
 Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>,
 "x86@...nel.org" <x86@...nel.org>, "H . Peter Anvin" <hpa@...or.com>,
 Alexander Graf <graf@...zon.com>, Boris Ostrovsky
 <boris.ostrovsky@...cle.com>, "linux-kernel@...r.kernel.org"
 <linux-kernel@...r.kernel.org>
Subject: Re: [RFC PATCH 31/56] x86/alternative: Prepend nops with retpolines

On Thu, 16 Oct 2025 13:27:53 +0000
"Kaplan, David" <David.Kaplan@....com> wrote:

> [AMD Official Use Only - AMD Internal Distribution Only]
> 
> > -----Original Message-----
> > From: Peter Zijlstra <peterz@...radead.org>
> > Sent: Thursday, October 16, 2025 6:23 AM
> > To: Kaplan, David <David.Kaplan@....com>
> > Cc: Thomas Gleixner <tglx@...utronix.de>; Borislav Petkov <bp@...en8.de>; Josh
> > Poimboeuf <jpoimboe@...nel.org>; Pawan Gupta
> > <pawan.kumar.gupta@...ux.intel.com>; Ingo Molnar <mingo@...hat.com>; Dave
> > Hansen <dave.hansen@...ux.intel.com>; x86@...nel.org; H . Peter Anvin
> > <hpa@...or.com>; Alexander Graf <graf@...zon.com>; Boris Ostrovsky
> > <boris.ostrovsky@...cle.com>; linux-kernel@...r.kernel.org
> > Subject: Re: [RFC PATCH 31/56] x86/alternative: Prepend nops with retpolines
> >
> > Caution: This message originated from an External Source. Use proper caution
> > when opening attachments, clicking links, or responding.
> >
> >
> > On Thu, Oct 16, 2025 at 01:07:17PM +0200, Peter Zijlstra wrote:  
> > > On Mon, Oct 13, 2025 at 09:34:19AM -0500, David Kaplan wrote:  
> > > > When patching retpolines, nops may be required for padding such as when
> > > > turning a 5-byte direct call into a 2-byte indirect call.  Previously,
> > > > these were appended at the end so the code becomes "call *reg;nop;nop;nop"
> > > > for example.  This was fine because it's always going from a larger
> > > > instruction to a smaller one.
> > > >
> > > > But this is a problem if the sequence is transformed from a 2-byte indirect
> > > > to the 5-byte direct call version at runtime because when the called
> > > > function returns, it will be in the middle of the 5-byte call instruction.
> > > >
> > > > To fix this, prepend the nops instead of appending them.  Consequently, the
> > > > return site of the called function is always the same.
> > > >  
> > >
> > > So this results in:
> > >
> > > NOP3; call *%r11
> > >
> > > And you're saying a task can be on the other side of that call and then
> > > return lines up. But what if the task is preempted right after that
> > > NOP3?
> > >
> > > Same for all the alternative patching; what ensures no task is currently
> > > having a register state that is in the middle of things?  
> >
> > Ah, I found it, you freeze everything, which puts it at safe points.  
> 
> Yes.  In fact, I think you were the one who pointed me in that direction :)

Does that help?
It'll stop the cpu prefetch queue containing garbage and let you flush the I-cache,
but I don't see how it can stop the return address after the NOP3 being on the
stack from an earlier interrupt, or even the nmi entry itself.

I'm not sure, but if the kernel is pre-emptable could a sleeping thread have
a stack that includes the address after the NOP3 - eg if an interrupt at
that point is what caused the reschedule.

Clearly using multiple prefixes doesn't have this problem.

	David 


> 
> Despite the freezer though, this patch is necessary in particular because stop_machine_nmi() uses an indirect branch to run the handler.  Which means that while patching is going on, all cores are inside a function which is going to return to after the indirect call site.  And so that needs to be the end of the 5 (or 6) byte sequence.
> 
> --David Kaplan
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ