Patch "x86/kvm: fix FASTOP_SIZE when return thunks are enabled" has been added to the 5.18-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    x86/kvm: fix FASTOP_SIZE when return thunks are enabled

to the 5.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch
and it can be found in the queue-5.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 84e7051c0bc1f2a13101553959b3a9d9a8e24939 Mon Sep 17 00:00:00 2001
From: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Date: Wed, 13 Jul 2022 14:12:41 -0300
Subject: x86/kvm: fix FASTOP_SIZE when return thunks are enabled

From: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>

commit 84e7051c0bc1f2a13101553959b3a9d9a8e24939 upstream.

The return thunk call makes the fastop functions larger, just like IBT
does. Consider a 16-byte FASTOP_SIZE when CONFIG_RETHUNK is enabled.

Otherwise, functions will be incorrectly aligned and when computing their
position for differently sized operators, they will executed in the middle
or end of a function, which may as well be an int3, leading to a crash
like:

[   36.091116] int3: 0000 [#1] SMP NOPTI
[   36.091119] CPU: 3 PID: 1371 Comm: qemu-system-x86 Not tainted 5.15.0-41-generic #44
[   36.091120] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[   36.091121] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
[   36.091185] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
[   36.091186] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202
[   36.091188] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000
[   36.091188] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200
[   36.091189] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002
[   36.091190] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70
[   36.091190] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000
[   36.091191] FS:  00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000
[   36.091192] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.091192] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0
[   36.091195] PKRU: 55555554
[   36.091195] Call Trace:
[   36.091197]  <TASK>
[   36.091198]  ? fastop+0x5a/0xa0 [kvm]
[   36.091222]  x86_emulate_insn+0x7b8/0xe90 [kvm]
[   36.091244]  x86_emulate_instruction+0x2f4/0x630 [kvm]
[   36.091263]  ? kvm_arch_vcpu_load+0x7c/0x230 [kvm]
[   36.091283]  ? vmx_prepare_switch_to_host+0xf7/0x190 [kvm_intel]
[   36.091290]  complete_emulated_mmio+0x297/0x320 [kvm]
[   36.091310]  kvm_arch_vcpu_ioctl_run+0x32f/0x550 [kvm]
[   36.091330]  kvm_vcpu_ioctl+0x29e/0x6d0 [kvm]
[   36.091344]  ? kvm_vcpu_ioctl+0x120/0x6d0 [kvm]
[   36.091357]  ? __fget_files+0x86/0xc0
[   36.091362]  ? __fget_files+0x86/0xc0
[   36.091363]  __x64_sys_ioctl+0x92/0xd0
[   36.091366]  do_syscall_64+0x59/0xc0
[   36.091369]  ? syscall_exit_to_user_mode+0x27/0x50
[   36.091370]  ? do_syscall_64+0x69/0xc0
[   36.091371]  ? syscall_exit_to_user_mode+0x27/0x50
[   36.091372]  ? __x64_sys_writev+0x1c/0x30
[   36.091374]  ? do_syscall_64+0x69/0xc0
[   36.091374]  ? exit_to_user_mode_prepare+0x37/0xb0
[   36.091378]  ? syscall_exit_to_user_mode+0x27/0x50
[   36.091379]  ? do_syscall_64+0x69/0xc0
[   36.091379]  ? do_syscall_64+0x69/0xc0
[   36.091380]  ? do_syscall_64+0x69/0xc0
[   36.091381]  ? do_syscall_64+0x69/0xc0
[   36.091381]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[   36.091384] RIP: 0033:0x7efdfe6d1aff
[   36.091390] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[   36.091391] RSP: 002b:00007efdfce8c460 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   36.091393] RAX: ffffffffffffffda RBX: 000000000000ae80 RCX: 00007efdfe6d1aff
[   36.091393] RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 000000000000000c
[   36.091394] RBP: 0000558f1609e220 R08: 0000558f13fb8190 R09: 00000000ffffffff
[   36.091394] R10: 0000558f16b5e950 R11: 0000000000000246 R12: 0000000000000000
[   36.091394] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
[   36.091396]  </TASK>
[   36.091397] Modules linked in: isofs nls_iso8859_1 kvm_intel joydev kvm input_leds serio_raw sch_fq_codel dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua ipmi_devintf ipmi_msghandler drm msr ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net net_failover crypto_simd ahci xhci_pci cryptd psmouse virtio_blk libahci xhci_pci_renesas failover
[   36.123271] ---[ end trace db3c0ab5a48fabcc ]---
[   36.123272] RIP: 0010:xaddw_ax_dx+0x9/0x10 [kvm]
[   36.123319] Code: 00 0f bb d0 c3 cc cc cc cc 48 0f bb d0 c3 cc cc cc cc 0f 1f 80 00 00 00 00 0f c0 d0 c3 cc cc cc cc 66 0f c1 d0 c3 cc cc cc cc <0f> 1f 80 00 00 00 00 0f c1 d0 c3 cc cc cc cc 48 0f c1 d0 c3 cc cc
[   36.123320] RSP: 0018:ffffb1f541143c98 EFLAGS: 00000202
[   36.123321] RAX: 0000000089abcdef RBX: 0000000000000001 RCX: 0000000000000000
[   36.123321] RDX: 0000000076543210 RSI: ffffffffc073c6d0 RDI: 0000000000000200
[   36.123322] RBP: ffffb1f541143ca0 R08: ffff9f1803350a70 R09: 0000000000000002
[   36.123322] R10: ffff9f1803350a70 R11: 0000000000000000 R12: ffff9f1803350a70
[   36.123323] R13: ffffffffc077fee0 R14: 0000000000000000 R15: 0000000000000000
[   36.123323] FS:  00007efdfce8d640(0000) GS:ffff9f187dd80000(0000) knlGS:0000000000000000
[   36.123324] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   36.123325] CR2: 0000000000000000 CR3: 0000000009b62002 CR4: 0000000000772ee0
[   36.123327] PKRU: 55555554
[   36.123328] Kernel panic - not syncing: Fatal exception in interrupt
[   36.123410] Kernel Offset: 0x1400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[   36.135305] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

Fixes: aa3d480315ba ("x86: Use return-thunk in asm code")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Co-developed-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Reported-by: Linux Kernel Functional Testing <lkft@xxxxxxxxxx>
Message-Id: <20220713171241.184026-1-cascardo@xxxxxxxxxxxxx>
Tested-by: Jack Wang <jinpu.wang@xxxxxxxxx>
Signed-off-by: Paolo Bonzini <pbonzini@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/kvm/emulate.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -189,8 +189,12 @@
 #define X8(x...) X4(x), X4(x)
 #define X16(x...) X8(x), X8(x)
 
-#define NR_FASTOP (ilog2(sizeof(ulong)) + 1)
-#define FASTOP_SIZE (8 * (1 + HAS_KERNEL_IBT))
+#define NR_FASTOP	(ilog2(sizeof(ulong)) + 1)
+#define RET_LENGTH	(1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
+			 IS_ENABLED(CONFIG_SLS))
+#define FASTOP_LENGTH	(ENDBR_INSN_SIZE + 7 + RET_LENGTH)
+#define FASTOP_SIZE	(8 << ((FASTOP_LENGTH > 8) & 1) << ((FASTOP_LENGTH > 16) & 1))
+static_assert(FASTOP_LENGTH <= FASTOP_SIZE);
 
 struct opcode {
 	u64 flags;
@@ -442,8 +446,6 @@ static int fastop(struct x86_emulate_ctx
  * RET | JMP __x86_return_thunk	[1,5 bytes; CONFIG_RETHUNK]
  * INT3				[1 byte; CONFIG_SLS]
  */
-#define RET_LENGTH	(1 + (4 * IS_ENABLED(CONFIG_RETHUNK)) + \
-			 IS_ENABLED(CONFIG_SLS))
 #define SETCC_LENGTH	(ENDBR_INSN_SIZE + 3 + RET_LENGTH)
 #define SETCC_ALIGN	(4 << ((SETCC_LENGTH > 4) & 1) << ((SETCC_LENGTH > 8) & 1))
 static_assert(SETCC_LENGTH <= SETCC_ALIGN);


Patches currently in stable-queue which might be from cascardo@xxxxxxxxxxxxx are

queue-5.18/x86-bugs-add-amd-retbleed-boot-parameter.patch
queue-5.18/x86-bpf-use-alternative-ret-encoding.patch
queue-5.18/x86-retpoline-cleanup-some-ifdefery.patch
queue-5.18/x86-bugs-enable-stibp-for-jmp2ret.patch
queue-5.18/x86-speculation-fill-rsb-on-vmexit-for-ibrs.patch
queue-5.18/x86-speculation-fix-firmware-entry-spec_ctrl-handling.patch
queue-5.18/x86-ftrace-use-alternative-ret-encoding.patch
queue-5.18/x86-retpoline-swizzle-retpoline-thunk.patch
queue-5.18/kvm-vmx-flatten-__vmx_vcpu_run.patch
queue-5.18/x86-speculation-add-spectre_v2-ibrs-option-to-support-kernel-ibrs.patch
queue-5.18/x86-entry-move-push_and_clear_regs-back-into-error_entry.patch
queue-5.18/objtool-re-add-unwind_hint_-save_restore.patch
queue-5.18/x86-speculation-remove-x86_spec_ctrl_mask.patch
queue-5.18/x86-bugs-add-retbleed-ibpb.patch
queue-5.18/x86-cpu-amd-enumerate-btc_no.patch
queue-5.18/objtool-skip-non-text-sections-when-adding-return-thunk-sites.patch
queue-5.18/x86-speculation-disable-rrsba-behavior.patch
queue-5.18/intel_idle-disable-ibrs-during-long-idle.patch
queue-5.18/objtool-update-retpoline-validation.patch
queue-5.18/kvm-vmx-fix-ibrs-handling-after-vmexit.patch
queue-5.18/kvm-vmx-prevent-rsb-underflow-before-vmenter.patch
queue-5.18/x86-bugs-optimize-spec_ctrl-msr-writes.patch
queue-5.18/x86-objtool-create-.return_sites.patch
queue-5.18/x86-kvm-fix-fastop_size-when-return-thunks-are-enabled.patch
queue-5.18/x86-xen-add-untrain_ret.patch
queue-5.18/x86-retpoline-use-mfunction-return.patch
queue-5.18/x86-bugs-keep-a-per-cpu-ia32_spec_ctrl-value.patch
queue-5.18/objtool-treat-.text.__x86.-as-noinstr.patch
queue-5.18/x86-kexec-disable-ret-on-kexec.patch
queue-5.18/x86-add-magic-amd-return-thunk.patch
queue-5.18/x86-xen-rename-sys-entry-points.patch
queue-5.18/kvm-vmx-prevent-guest-rsb-poisoning-attacks-with-eibrs.patch
queue-5.18/x86-kvm-fix-setcc-emulation-for-return-thunks.patch
queue-5.18/x86-speculation-fix-spec_ctrl-write-on-smt-state-change.patch
queue-5.18/x86-use-return-thunk-in-asm-code.patch
queue-5.18/x86-bugs-do-ibpb-fallback-check-only-once.patch
queue-5.18/x86-bugs-do-not-enable-ibpb-on-entry-when-ibpb-is-not-supported.patch
queue-5.18/x86-bugs-split-spectre_v2_select_mitigation-and-spectre_v2_user_select_mitigation.patch
queue-5.18/x86-static_call-use-alternative-ret-encoding.patch
queue-5.18/x86-cpu-amd-add-spectral-chicken.patch
queue-5.18/x86-cpufeatures-move-retpoline-flags-to-word-11.patch
queue-5.18/x86-entry-avoid-very-early-ret.patch
queue-5.18/x86-vsyscall_emu-64-don-t-use-ret-in-vsyscall-emulation.patch
queue-5.18/x86-entry-move-push_and_clear_regs-out-of-error_entry.patch
queue-5.18/x86-speculation-use-cached-host-spec_ctrl-value-for-guest-entry-exit.patch
queue-5.18/x86-bugs-report-amd-retbleed-vulnerability.patch
queue-5.18/efi-x86-use-naked-ret-on-mixed-mode-call-wrapper.patch
queue-5.18/x86-entry-switch-the-stack-after-error_entry-returns.patch
queue-5.18/x86-sev-avoid-using-__x86_return_thunk.patch
queue-5.18/x86-speculation-fix-rsb-filling-with-config_retpoline-n.patch
queue-5.18/x86-entry-remove-skip_r11rcx.patch
queue-5.18/x86-undo-return-thunk-damage.patch
queue-5.18/x86-common-stamp-out-the-stepping-madness.patch
queue-5.18/x86-bugs-report-intel-retbleed-vulnerability.patch
queue-5.18/x86-entry-don-t-call-error_entry-for-xenpv.patch
queue-5.18/x86-traps-use-pt_regs-directly-in-fixup_bad_iret.patch
queue-5.18/x86-bugs-add-cannon-lake-to-retbleed-affected-cpu-list.patch
queue-5.18/x86-kvm-vmx-make-noinstr-clean.patch
queue-5.18/x86-retbleed-add-fine-grained-kconfig-knobs.patch
queue-5.18/kvm-vmx-convert-launched-argument-to-flags.patch
queue-5.18/x86-entry-add-kernel-ibrs-implementation.patch
queue-5.18/objtool-add-entry-unret-validation.patch
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux