[PATCH v2 11/14] x86/alternative: Try inline spectre_v2=retpoline,amd

From: Peter Zijlstra
Date: Wed Oct 20 2021 - 07:04:16 EST


Try and replace retpoline thunk calls with:

lfence
call *%\reg

for spectre_v2=retpoline,amd.

Specifically, the sequence above is 5 bytes for the low 8 registers,
but 6 bytes for the high 8 registers. This means that unless the
compilers prefix-stuff the calls that use the higher registers, this
replacement will fail.

Luckily GCC strongly favours RAX for the indirect calls and most (95%+
for defconfig-x86_64) will be converted. OTOH clang strongly favours
R11 and almost nothing gets converted.

Signed-off-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>
---
arch/x86/kernel/alternative.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -389,12 +389,13 @@ static int emit_indirect(int op, int reg
*
* CALL *%\reg
*
+ * It also tries to inline spectre_v2=retpoline,amd when size permits.
*/
static int patch_retpoline(void *addr, struct insn *insn, u8 *bytes)
{
+ u8 cc, op = insn->opcode.bytes[0];
void (*target)(void);
int reg, ret, i = 0;
- u8 op, cc;

target = addr + insn->length + insn->immediate.value;
reg = (target - &__x86_indirect_thunk_rax) /
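Review bot: the new comment says the inlining happens "when size permits", but no size check appears anywhere in this function in the visible hunks; patch_retpoline() only returns the number of bytes it emitted. Either state in the comment that the caller is responsible for rejecting a result longer than the original instruction, or name that check, so the 6-byte high-register case described in the changelog is not mistaken for something handled here. Folding the opcode load into the declaration (`u8 cc, op = insn->opcode.bytes[0];`) is fine, since `op` is now needed before the first early return.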
@@ -406,11 +407,23 @@ static int patch_retpoline(void *addr, s
/* If anyone ever does: CALL/JMP *%rsp, we're in deep trouble. */
BUG_ON(reg == 4);

+ if (cpu_feature_enabled(X86_FEATURE_RETPOLINE_AMD)) {
+ /*
+ * Can't do nothing about the Jcc case here.
+ */
+ if (op != JMP32_INSN_OPCODE && op != CALL_INSN_OPCODE)
+ return -1;
+
+ bytes[i++] = 0x0f;
+ bytes[i++] = 0xae;
+ bytes[i++] = 0xe8; /* lfence */
+
+ goto indirect;
+ }
+
if (cpu_feature_enabled(X86_FEATURE_RETPOLINE))
return -1;

- op = insn->opcode.bytes[0];
-
/*
* Convert:
*
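Review bot: the comment "Can't do nothing about the Jcc case here." is a double negative; "Can't do anything about the Jcc case here" reads as intended, and it would help to add the reason (there is no room for the lfence once a Jcc has to be converted). The new block also sits ahead of the `if (cpu_feature_enabled(X86_FEATURE_RETPOLINE)) return -1;` early return, and that order is load-bearing: moving the AMD branch below it would make it unreachable whenever both features are set. A one-line comment saying so would guard against an accidental reorder. The `0x0f 0xae 0xe8` bytes are the correct LFENCE encoding; a named constant next to the other opcode macros would avoid the magic bytes.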
@@ -433,6 +446,7 @@ static int patch_retpoline(void *addr, s
op = JMP32_INSN_OPCODE;
}

+indirect:
ret = emit_indirect(op, reg, bytes + i);
if (ret < 0)
return ret;
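Review bot: `indirect:` is now reached from two paths, and on the AMD path the 3-byte lfence is already in `bytes` with `i` advanced past it when `emit_indirect()` runs at `bytes + i`. A short comment above the label stating that `i` must count every byte emitted before the jump so the returned total is the full replacement length would make that invariant explicit for the next person who adds a third path.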
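The changelog's size argument (5 bytes for rax..rdi, 6 bytes for r8..r15, so only the low registers can replace a 5-byte thunk call) is easy to check by encoding the replacement directly. The following is an added stand-alone example, not code from this patch or from the kernel: it re-implements the "lfence; call/jmp *%reg" encoding in user space rather than calling the kernel's emit_indirect(), reuses the kernel's opcode names as local defines (assumed here, not exported), returns -1 for %rsp where the patch uses BUG_ON(), and prints each register's encoding with whether it fits the original 5-byte call.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-ins for the kernel's opcode/size names (assumed, not the kernel headers). */
#define CALL_INSN_OPCODE  0xe8
#define JMP32_INSN_OPCODE 0xe9
#define CALL_INSN_SIZE    5   /* call rel32 / jmp rel32, the thunk call being replaced */

/*
 * Encode "call *%reg" (FF /2) or "jmp *%reg" (FF /4).
 * r8..r15 need a REX.B prefix (0x41), which is where the extra byte comes from.
 * Returns the number of bytes written, or -1 for an unsupported op/register.
 */
static int encode_indirect(uint8_t op, int reg, uint8_t *bytes)
{
	int i = 0;
	uint8_t modrm;

	if (op == CALL_INSN_OPCODE)
		modrm = 0xd0;		/* mod=11, /2 */
	else if (op == JMP32_INSN_OPCODE)
		modrm = 0xe0;		/* mod=11, /4 */
	else
		return -1;		/* Jcc: no inline form */

	if (reg < 0 || reg > 15 || reg == 4)	/* no *%rsp, mirrors the kernel's refusal */
		return -1;

	if (reg >= 8)
		bytes[i++] = 0x41;	/* REX.B */
	bytes[i++] = 0xff;
	bytes[i++] = modrm | (reg & 7);
	return i;
}

/* Build the spectre_v2=retpoline,amd replacement: "lfence; call/jmp *%reg". */
static int encode_amd_inline(uint8_t op, int reg, uint8_t *bytes)
{
	int i = 0, ret;

	bytes[i++] = 0x0f;
	bytes[i++] = 0xae;
	bytes[i++] = 0xe8;		/* lfence */

	ret = encode_indirect(op, reg, bytes + i);
	if (ret < 0)
		return ret;
	return i + ret;
}

/* 1 if the replacement is exactly the size of the 5-byte thunk call/jmp, else 0. */
static int fits_thunk_call(uint8_t op, int reg)
{
	uint8_t buf[8];

	return encode_amd_inline(op, reg, buf) == CALL_INSN_SIZE;
}

static const char *regname(int reg)
{
	static const char *const names[16] = {
		"rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
		"r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
	};
	return (reg >= 0 && reg < 16) ? names[reg] : "?";
}

int main(void)
{
	uint8_t buf[8];
	int reg, j, len;

	for (reg = 0; reg < 16; reg++) {
		if (reg == 4)
			continue;
		len = encode_amd_inline(CALL_INSN_OPCODE, reg, buf);
		printf("lfence; call *%%%-3s : %d bytes :", regname(reg), len);
		for (j = 0; j < len; j++)
			printf(" %02x", buf[j]);
		printf("  -> %s\n", fits_thunk_call(CALL_INSN_OPCODE, reg) ?
		       "fits, patched" : "too long, thunk call stays");
	}
	return 0;
}
```

Running it lists rax..rdi (minus rsp) at 5 bytes and r8..r15 at 6 bytes, which is the GCC-vs-clang difference in the changelog: a call through %rax gets patched, a call through %r11 does not and keeps going via the thunk.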