* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc [not found] ` <[email protected]> @ 2022-03-16 19:02 ` Dave Hansen 2022-03-16 19:21 ` Borislav Petkov 2022-03-16 19:31 ` Borislav Petkov 1 sibling, 1 reply; 8+ messages in thread From: Dave Hansen @ 2022-03-16 19:02 UTC (permalink / raw) To: Borislav Petkov, linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra On 3/16/22 11:45, Jamie Heilman wrote: > int3: 0000 [#1] PREEMPT SMP PTI > CPU: 0 PID: 2435 Comm: qemu-system-x86 Not tainted 5.17.0-rc8-sls #1 > Hardware name: Dell Inc. Precision WorkStation T3400 /0TP412, BIOS A14 04/30/2012 > RIP: 0010:setc+0x5/0x8 [kvm] > Code: 00 00 0f 1f 00 0f b6 05 43 24 06 00 c3 cc 0f 1f 80 00 00 00 00 0f 90 c0 c3 cc 0f 1f 00 0f 91 c0 c3 cc 0f 1f 00 0f 92 c0 c3 cc <0f> 1f 00 0f 93 c0 c3 cc 0f 1f 00 0f 94 c0 c3 cc 0f 1f 00 0f 95 c0 > RSP: 0018:ffffc90000a1fc68 EFLAGS: 00000283 > RAX: 0000000000000281 RBX: 0000000000000006 RCX: 0000000000000005 > RDX: ffffffffa01a4024 RSI: 0000000000000000 RDI: 0000000000000000 > RBP: ffff88810ef76900 R08: 0000000000000000 R09: 0000000000000000 > R10: ffff88810ee54000 R11: 0000000000000000 R12: ffffffffa01d5720 > R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810ef76900 > FS: 00007f23ecd79640(0000) GS:ffff888233c00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 0000000000000000 CR3: 0000000108df8000 CR4: 00000000000426f0 > Call Trace: > <TASK> > ? x86_emulate_insn+0x76b/0xe00 [kvm] Ooh, fun! This hit one of the new int3's in "ASM_RET" in "setc" in arch/x86/kvm/emulate.c: FOP_SETCC(setc) Did the extra 'int3' screw up some presumed jump offset or something? ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc 2022-03-16 19:02 ` system locks up with CONFIG_SLS=Y; 5.17.0-rc Dave Hansen @ 2022-03-16 19:21 ` Borislav Petkov 0 siblings, 0 replies; 8+ messages in thread From: Borislav Petkov @ 2022-03-16 19:21 UTC (permalink / raw) To: Dave Hansen Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra On Wed, Mar 16, 2022 at 12:02:59PM -0700, Dave Hansen wrote: > This hit one of the new int3's in "ASM_RET" in "setc" in > arch/x86/kvm/emulate.c: > > FOP_SETCC(setc) > > Did the extra 'int3' screw up some presumed jump offset or something? Yap, looks like it. I wonder how no one managed to hit this yet... Jamie, does this fix it, per chance? --- diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index f667bd8df533..e88ce4171c4a 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -430,8 +430,11 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); FOP_END /* Special case for SETcc - 1 instruction per cc */ + +#define SETCC_ALIGN 8 + #define FOP_SETCC(op) \ - ".align 4 \n\t" \ + ".align " __stringify(SETCC_ALIGN) " \n\t" \ ".type " #op ", @function \n\t" \ #op ": \n\t" \ ASM_ENDBR \ @@ -1049,7 +1052,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) { u8 rc; - void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); + void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; asm("push %[flags]; popf; " CALL_NOSPEC -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc [not found] ` <[email protected]> 2022-03-16 19:02 ` system locks up with CONFIG_SLS=Y; 5.17.0-rc Dave Hansen @ 2022-03-16 19:31 ` Borislav Petkov 2022-03-16 20:15 ` Jamie Heilman 1 sibling, 1 reply; 8+ messages in thread From: Borislav Petkov @ 2022-03-16 19:31 UTC (permalink / raw) To: Jamie Heilman Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra On Wed, Mar 16, 2022 at 06:45:25PM +0000, Jamie Heilman wrote: > Yep that worked, here's output, you can see the network get set up and > then boom: Thx, that was very useful. Does this below fix it, per chance: --- diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index f667bd8df533..e88ce4171c4a 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -430,8 +430,11 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); FOP_END /* Special case for SETcc - 1 instruction per cc */ + +#define SETCC_ALIGN 8 + #define FOP_SETCC(op) \ - ".align 4 \n\t" \ + ".align " __stringify(SETCC_ALIGN) " \n\t" \ ".type " #op ", @function \n\t" \ #op ": \n\t" \ ASM_ENDBR \ @@ -1049,7 +1052,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) { u8 rc; - void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); + void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; asm("push %[flags]; popf; " CALL_NOSPEC -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc 2022-03-16 19:31 ` Borislav Petkov @ 2022-03-16 20:15 ` Jamie Heilman 2022-03-16 21:23 ` Borislav Petkov 0 siblings, 1 reply; 8+ messages in thread From: Jamie Heilman @ 2022-03-16 20:15 UTC (permalink / raw) To: Borislav Petkov Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra Borislav Petkov wrote: > On Wed, Mar 16, 2022 at 06:45:25PM +0000, Jamie Heilman wrote: > > Yep that worked, here's output, you can see the network get set up and > > then boom: > > Thx, that was very useful. Does this below fix it, per chance: It does indeed! > --- > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c > index f667bd8df533..e88ce4171c4a 100644 > --- a/arch/x86/kvm/emulate.c > +++ b/arch/x86/kvm/emulate.c > @@ -430,8 +430,11 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); > FOP_END > > /* Special case for SETcc - 1 instruction per cc */ > + > +#define SETCC_ALIGN 8 > + > #define FOP_SETCC(op) \ > - ".align 4 \n\t" \ > + ".align " __stringify(SETCC_ALIGN) " \n\t" \ > ".type " #op ", @function \n\t" \ > #op ": \n\t" \ > ASM_ENDBR \ > @@ -1049,7 +1052,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) > static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) > { > u8 rc; > - void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); > + void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); > > flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; > asm("push %[flags]; popf; " CALL_NOSPEC > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette -- Jamie Heilman http://audible.transient.net/~jamie/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc 2022-03-16 20:15 ` Jamie Heilman @ 2022-03-16 21:23 ` Borislav Petkov 2022-03-16 21:37 ` Jamie Heilman 2022-03-16 22:02 ` Peter Zijlstra 0 siblings, 2 replies; 8+ messages in thread From: Borislav Petkov @ 2022-03-16 21:23 UTC (permalink / raw) To: Jamie Heilman Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra, Paolo Bonzini, Sean Christopherson, kvm + kvm folks. On Wed, Mar 16, 2022 at 08:15:43PM +0000, Jamie Heilman wrote: > It does indeed! Thanks, here's a proper patch. I've added your Reported-by and Tested-by tags - I hope that's ok. --- From: Borislav Petkov <[email protected]> Date: Wed, 16 Mar 2022 22:05:52 +0100 Subject: [PATCH] kvm/emulate: Fix SETcc emulation function offsets with SLS The commit in Fixes started adding INT3 after RETs as a mitigation against straight-line speculation. The fastop SETcc implementation in kvm's insn emulator uses macro magic to generate all possible SETcc functions and to jump to them when emulating the respective instruction. However, it hardcodes the size and alignment of those functions to 4: a three-byte SETcc insn and a single-byte RET. BUT, with SLS, there's an INT3 that gets slapped after the RET, which brings the whole scheme out of alignment: 15: 0f 90 c0 seto %al 18: c3 ret 19: cc int3 1a: 0f 1f 00 nopl (%rax) 1d: 0f 91 c0 setno %al 20: c3 ret 21: cc int3 22: 0f 1f 00 nopl (%rax) 25: 0f 92 c0 setb %al 28: c3 ret 29: cc int3 and this explodes like this: int3: 0000 [#1] PREEMPT SMP PTI CPU: 0 PID: 2435 Comm: qemu-system-x86 Not tainted 5.17.0-rc8-sls #1 Hardware name: Dell Inc. Precision WorkStation T3400 /0TP412, BIOS A14 04/30/2012 RIP: 0010:setc+0x5/0x8 [kvm] Code: 00 00 0f 1f 00 0f b6 05 43 24 06 00 c3 cc 0f 1f 80 00 00 00 00 0f 90 c0 c3 cc 0f 1f 00 0f 91 c0 c3 cc 0f 1f 00 0f 92 c0 c3 cc <0f> 1f 00 0f 93 c0 c3 cc 0f 1f 00 0f 94 c0 c3 cc 0f 1f 00 0f 95 c0 Call Trace: <TASK> ? x86_emulate_insn [kvm] ? x86_emulate_instruction [kvm] ? vmx_handle_exit [kvm_intel] ? kvm_arch_vcpu_ioctl_run [kvm] ? kvm_vcpu_ioctl [kvm] ? __x64_sys_ioctl ? do_syscall_64+0x40/0xa0 ? entry_SYSCALL_64_after_hwframe+0x44/0xae </TASK> Align everything to 8 and use a macro for that instead of hard-coding naked numbers. Fixes: e463a09af2f0 ("x86: Add straight-line-speculation mitigation") Reported-by: Jamie Heilman <[email protected]> Signed-off-by: Borislav Petkov <[email protected]> Tested-by: Jamie Heilman <[email protected]> Link: https://lore.kernel.org/r/[email protected] --- arch/x86/kvm/emulate.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c index f667bd8df533..e88ce4171c4a 100644 --- a/arch/x86/kvm/emulate.c +++ b/arch/x86/kvm/emulate.c @@ -430,8 +430,11 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); FOP_END /* Special case for SETcc - 1 instruction per cc */ + +#define SETCC_ALIGN 8 + #define FOP_SETCC(op) \ - ".align 4 \n\t" \ + ".align " __stringify(SETCC_ALIGN) " \n\t" \ ".type " #op ", @function \n\t" \ #op ": \n\t" \ ASM_ENDBR \ @@ -1049,7 +1052,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) { u8 rc; - void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); + void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; asm("push %[flags]; popf; " CALL_NOSPEC -- 2.29.2 -- Regards/Gruss, Boris. https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc 2022-03-16 21:23 ` Borislav Petkov @ 2022-03-16 21:37 ` Jamie Heilman 2022-03-16 22:02 ` Peter Zijlstra 1 sibling, 0 replies; 8+ messages in thread From: Jamie Heilman @ 2022-03-16 21:37 UTC (permalink / raw) To: Borislav Petkov Cc: linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Peter Zijlstra, Paolo Bonzini, Sean Christopherson, kvm Borislav Petkov wrote: > + kvm folks. > > On Wed, Mar 16, 2022 at 08:15:43PM +0000, Jamie Heilman wrote: > > It does indeed! > > Thanks, here's a proper patch. I've added your Reported-by and Tested-by > tags - I hope that's ok. Yeah, absolutely. -- Jamie Heilman http://audible.transient.net/~jamie/ ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: system locks up with CONFIG_SLS=Y; 5.17.0-rc 2022-03-16 21:23 ` Borislav Petkov 2022-03-16 21:37 ` Jamie Heilman @ 2022-03-16 22:02 ` Peter Zijlstra [not found] ` <[email protected]> 1 sibling, 1 reply; 8+ messages in thread From: Peter Zijlstra @ 2022-03-16 22:02 UTC (permalink / raw) To: Borislav Petkov Cc: Jamie Heilman, linux-kernel, Thomas Gleixner, Ingo Molnar, Dave Hansen, x86, Paolo Bonzini, Sean Christopherson, kvm On Wed, Mar 16, 2022 at 10:23:37PM +0100, Borislav Petkov wrote: > diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c > index f667bd8df533..e88ce4171c4a 100644 > --- a/arch/x86/kvm/emulate.c > +++ b/arch/x86/kvm/emulate.c > @@ -430,8 +430,11 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); > FOP_END > > /* Special case for SETcc - 1 instruction per cc */ > + > +#define SETCC_ALIGN 8 I'd suggest writing that like: #define SETCC_ALIGN (4 * (1 + IS_ENABLED(CONFIG_SLS))) That way people can enjoy smaller text when they don't do the whole SLS thing.... Also, it appears to me I added an ENDBR to this in tip/x86/core, well, that needs fixing too. Tomorrow tho. > + > #define FOP_SETCC(op) \ > - ".align 4 \n\t" \ > + ".align " __stringify(SETCC_ALIGN) " \n\t" \ > ".type " #op ", @function \n\t" \ > #op ": \n\t" \ > ASM_ENDBR \ > @@ -1049,7 +1052,7 @@ static int em_bsr_c(struct x86_emulate_ctxt *ctxt) > static __always_inline u8 test_cc(unsigned int condition, unsigned long flags) > { > u8 rc; > - void (*fop)(void) = (void *)em_setcc + 4 * (condition & 0xf); > + void (*fop)(void) = (void *)em_setcc + SETCC_ALIGN * (condition & 0xf); > > flags = (flags & EFLAGS_MASK) | X86_EFLAGS_IF; > asm("push %[flags]; popf; " CALL_NOSPEC > -- > 2.29.2 > > -- > Regards/Gruss, > Boris. > > https://people.kernel.org/tglx/notes-about-netiquette ^ permalink raw reply [flat|nested] 8+ messages in thread
[parent not found: <[email protected]>]
[parent not found: <[email protected]>]
[parent not found: <YjMVpfe/[email protected]>]
[parent not found: <[email protected]>]
[parent not found: <[email protected]>]
[parent not found: <[email protected]>]
[parent not found: <[email protected]>]
[parent not found: <[email protected]>]
* Re: [PATCH -v1.2] kvm/emulate: Fix SETcc emulation function offsets with SLS [not found] ` <[email protected]> @ 2022-03-20 14:17 ` Boris Petkov 0 siblings, 0 replies; 8+ messages in thread From: Boris Petkov @ 2022-03-20 14:17 UTC (permalink / raw) To: Paolo Bonzini Cc: Peter Zijlstra, Jamie Heilman, linux-kernel, Ingo Molnar, Dave Hansen, Thomas Gleixner, Sean Christopherson, x86, kvm On March 20, 2022 2:04:02 PM UTC, Paolo Bonzini <[email protected]> wrote: >So this is what I squashed in: > >diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c >index f321abb9a4a8..e86d610dc6b7 100644 >--- a/arch/x86/kvm/emulate.c >+++ b/arch/x86/kvm/emulate.c >@@ -430,7 +430,19 @@ static int fastop(struct x86_emulate_ctxt *ctxt, fastop_t fop); > > /* Special case for SETcc - 1 instruction per cc */ > >-#define SETCC_ALIGN (4 * (1 + IS_ENABLED(CONFIG_SLS))) >+/* >+ * Depending on .config the SETcc functions look like: >+ * >+ * SETcc %al [3 bytes] >+ * RET [1 byte] >+ * INT3 [1 byte; CONFIG_SLS] >+ * >+ * Which gives possible sizes 4 or 5. When rounded up to the >+ * next power-of-two alignment they become 4 or 8. >+ */ >+#define SETCC_LENGTH (4 + IS_ENABLED(CONFIG_SLS)) >+#define SETCC_ALIGN (4 << IS_ENABLED(CONFIG_SLS)) >+static_assert(SETCC_LENGTH <= SETCC_ALIGN); > > #define FOP_SETCC(op) \ > ".align " __stringify(SETCC_ALIGN) " \n\t" \ > >Paolo Ack. Thanks. -- Sent from a small device: formatting sux and brevity is inevitable. ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-03-20 14:17 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <[email protected]>
[not found] ` <[email protected]>
[not found] ` <[email protected]>
2022-03-16 19:02 ` system locks up with CONFIG_SLS=Y; 5.17.0-rc Dave Hansen
2022-03-16 19:21 ` Borislav Petkov
2022-03-16 19:31 ` Borislav Petkov
2022-03-16 20:15 ` Jamie Heilman
2022-03-16 21:23 ` Borislav Petkov
2022-03-16 21:37 ` Jamie Heilman
2022-03-16 22:02 ` Peter Zijlstra
[not found] ` <[email protected]>
[not found] ` <[email protected]>
[not found] ` <YjMVpfe/[email protected]>
[not found] ` <[email protected]>
[not found] ` <[email protected]>
[not found] ` <[email protected]>
[not found] ` <[email protected]>
[not found] ` <[email protected]>
2022-03-20 14:17 ` [PATCH -v1.2] kvm/emulate: Fix SETcc emulation function offsets with SLS Boris Petkov
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox