[tip: x86/urgent] x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

The following commit has been merged into the x86/urgent branch of tip:

Commit-ID:     3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Gitweb:        https://git.kernel.org/tip/3652dee22a2a321d6dabe1ea0aa4b2b3c87da8dc
Author:        Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
AuthorDate:    Wed, 13 Jul 2022 14:12:41 -03:00
Committer:     Borislav Petkov <bp@xxxxxxx>
CommitterDate: Thu, 14 Jul 2022 09:59:10 +02:00

x86/kvm: Fix FASTOP_SIZE when return thunks are enabled

The return thunk call makes the fastop functions larger, just like IBT
does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled.

Otherwise, functions will be incorrectly aligned and when computing
their position for differently sized operators, they will execute in the
middle or end of a function, which may as well be an int3, leading to a
crash like:

  int3: 0000 [#1] SMP NOPTI
  CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
  Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
  Call Trace:
   <TASK>
   ? fastop
   x86_emulate_insn
   x86_emulate_instruction
   ? kvm_arch_vcpu_load
   ? vmx_prepare_switch_to_host
   complete_emulated_mmio
   kvm_arch_vcpu_ioctl_run
   kvm_vcpu_ioctl
   ? kvm_vcpu_ioctl
   ? __fget_files
   ? __fget_files
   __x64_sys_ioctl
   do_syscall_64
   ? syscall_exit_to_user_mode
   ? do_syscall_64
   ? syscall_exit_to_user_mode
   ? __x64_sys_writev
   ? do_syscall_64
   ? exit_to_user_mode_prepare
   ? syscall_exit_to_user_mode
   ? do_syscall_64
   ? do_syscall_64
   ? do_syscall_64
   ? do_syscall_64
   entry_SYSCALL_64_after_hwframe
  ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Signed-off-by: Borislav Petkov <bp@xxxxxxx>
Link: https://lore.kernel.org/r/CA%2BG9fYtntg7=zWSs-dm%2Bn_AUr_u0eBOU0zrwWqMeXZ%2BSF6_bLw@xxxxxxxxxxxxxx
---
 arch/x86/kvm/emulate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index db96bf7..d779eea 100644
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -190,7 +190,7 @@
 #define X16(x...) X8(x), X8(x)
 
 #define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
-#define FASTOP_SIZE (8 * (1 + HAS_KERNEL_IBT))
+#define FASTOP_SIZE (8 * (1 + (HAS_KERNEL_IBT | IS_ENABLED(CONFIG_RETHUNK))))
 
 struct opcode {
 	u64 flags;
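Review bot: the new FASTOP_SIZE expression pins the slot at 16 bytes whenever either HAS_KERNEL_IBT or CONFIG_RETHUNK is set, but nothing in the hunk ties that constant to the bytes FOP_FUNC/FOP_RET actually emit, so the case where both are enabled (endbr prologue plus the widest instruction encoding plus the 5-byte return sequence) is assumed to fit rather than checked. Suggest a build-time check next to the define, for example a static assertion that the longest fastop body fits in FASTOP_SIZE, so the next change to the prologue or return sequence fails to build instead of producing the misaligned table this patch is fixing; a one-line comment above the define saying why the return thunk needs the wider slot would also help the next reader. Minor: since both operands are 0/1, `|` works, but `||` would state the boolean intent more plainly.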
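The following is an added illustration, not code from the kernel or from this patch: it models how the assembler lays out the fastop variants under `.align FASTOP_SIZE` versus how fastop() indexes into the table with a fixed stride of `__ffs(dst.bytes) * FASTOP_SIZE`. The instruction lengths are read off the Code: dump in the oops above (xaddb 3 bytes, xaddw 4, xaddl 3, xaddq 4), and the 5-byte "c3 cc cc cc cc" return sequence stands in for the `jmp __x86_return_thunk` that CONFIG_RETHUNK makes the assembler see. The layout routine and the names below are this example's own simplification; the real table also contains other prologue bytes on IBT kernels, which the model leaves out.

```c
#include <stdio.h>

/*
 * Added example (not kernel code): a model of the KVM fastop table.
 * Each variant is "<insn> <5-byte return sequence>". Instruction lengths
 * are taken from the Code: dump in the oops; everything else is a
 * simplification chosen for this illustration.
 */
#define NR_VARIANTS   4        /* byte, word, dword, qword: xaddb/w/l/q */
#define RET_SEQ_BYTES 5        /* "c3 cc cc cc cc" / "e9 rel32" to the thunk */

static const int xadd_insn_len[NR_VARIANTS] = { 3, 4, 3, 4 };

struct fastop_layout {
    int start[NR_VARIANTS];
    int end[NR_VARIANTS];      /* one past the last byte of the variant */
};

/*
 * ".align FASTOP_SIZE" precedes every FOP_FUNC, so a variant starts at the
 * next multiple of fastop_size at or after the end of the previous one.
 * A variant longer than fastop_size therefore pushes the following ones
 * out of the stride fastop() assumes.
 */
static void layout_fastops(int fastop_size, struct fastop_layout *lay)
{
    int off = 0;
    for (int i = 0; i < NR_VARIANTS; i++) {
        off = (off + fastop_size - 1) / fastop_size * fastop_size;
        lay->start[i] = off;
        lay->end[i] = off + xadd_insn_len[i] + RET_SEQ_BYTES;
        off = lay->end[i];
    }
}

/* Mirrors the dispatch in fastop(): fop += __ffs(dst.bytes) * FASTOP_SIZE. */
static int fastop_entry(int dst_bytes, int fastop_size)
{
    return __builtin_ctz(dst_bytes) * fastop_size;
}

enum dispatch {
    DISPATCH_OK,            /* lands on the start of the right variant */
    DISPATCH_WRONG_VARIANT, /* lands on the start of a different variant */
    DISPATCH_INT3,          /* lands on int3 padding: the oops above */
    DISPATCH_OTHER,         /* lands inside an insn, the ret, or nop fill */
};

/* Where does the fixed-stride lookup land for a given operand size? */
static enum dispatch dispatch_for(int dst_bytes, int fastop_size)
{
    struct fastop_layout lay;
    int want = __builtin_ctz(dst_bytes);
    int off = fastop_entry(dst_bytes, fastop_size);

    layout_fastops(fastop_size, &lay);
    for (int i = 0; i < NR_VARIANTS; i++) {
        if (off == lay.start[i])
            return i == want ? DISPATCH_OK : DISPATCH_WRONG_VARIANT;
        if (off > lay.start[i] && off < lay.end[i]) {
            /* every byte after the ret opcode is cc padding */
            int ret_opcode = lay.start[i] + xadd_insn_len[i];
            return off > ret_opcode ? DISPATCH_INT3 : DISPATCH_OTHER;
        }
    }
    return DISPATCH_OTHER;
}

static const char *const dispatch_name[] = {
    "ok", "wrong-variant", "int3", "other"
};

int main(void)
{
    const int sizes[] = { 8, 16 };   /* before and after the patch */

    for (int s = 0; s < 2; s++) {
        printf("FASTOP_SIZE=%d\n", sizes[s]);
        for (int bytes = 1; bytes <= 8; bytes *= 2)
            printf("  dst.bytes=%d -> +%-2d %s\n", bytes,
                   fastop_entry(bytes, sizes[s]),
                   dispatch_name[dispatch_for(bytes, sizes[s])]);
    }
    return 0;
}
```

With the 8-byte slot, the 9-byte xaddw variant spills past its slot, so the dword lookup lands at table offset 16, which is xaddw_ax_dx+0x8, the last cc of its return sequence; since int3 is a trap, the reported RIP is the next byte, matching the `xaddw_ax_dx+0x9` in the oops. The model also shows the quieter failure the crash hides: the qword lookup at offset 24 hits the start of the dword variant. With the 16-byte slot every lookup lands on the intended variant.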


