Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section"

From: Peter Zijlstra
Date: Wed Oct 11 2023 - 03:41:55 EST

Next message: Nadav Amit: "Re: [PATCH v2 -tip] x86/percpu: Use C for arch_raw_cpu_ptr()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] [RFC] wireless: move obsolete drivers to staging"
In reply to: Josh Poimboeuf: "Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section""
Next in thread: Borislav Petkov: "Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 10, 2023 at 02:22:54PM -0700, Josh Poimboeuf wrote:

> From: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> Subject: [PATCH] objtool: Fix return thunk patching in retpolines
>
> With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail
> call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates
> all such return sites so they can be patched during boot by
> apply_returns().
>
> The implementation of __x86_return_thunk() is just a bare RET. It's
> only meant to be used temporarily until apply_returns() patches all
> return sites with either a JMP to another return thunk or an actual RET.
>
> The following commit
>
> e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines
>
> broke objtool's detection of return sites in retpolines. Since
> retpolines and return thunks are now in the same section, the compiler
> no longer uses relocations for the intra-section jumps between the
> retpolines and the return thunk, causing objtool to overlook them.
>
> As a result, none of the retpolines' return sites get patched. Each one
> stays at 'JMP __x86_return_thunk', effectively a bare RET.
>
> Fix it by teaching objtool to detect when a non-relocated jump target is
> a return thunk.
>
> Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section")
> Reported-by: David Kaplan <david.kaplan@xxxxxxx>
> Signed-off-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
> ---
> tools/objtool/check.c | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index e308d1ba664e..556469db4239 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -1610,6 +1610,15 @@ static int add_jump_destinations(struct objtool_file *file)
> return -1;
> }
>
> + /*
> + * Since retpolines are in the same section as the return
> + * thunk, they might not use a relocation when branching to it.
> + */
> + if (jump_dest->sym && jump_dest->sym->return_thunk) {
> + add_return_call(file, insn, true);
> + continue;
> + }

*urgh*... I mean, yes, that obviously works, but should we not also have
the retpoline thingy for consistency? That case makes less sense though
:/

Perhaps warn about this instead of fixing it? Forcing people to play the
section game?

I dunno.. no real strong opinions.

Next message: Nadav Amit: "Re: [PATCH v2 -tip] x86/percpu: Use C for arch_raw_cpu_ptr()"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] [RFC] wireless: move obsolete drivers to staging"
In reply to: Josh Poimboeuf: "Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section""
Next in thread: Borislav Petkov: "Re: [PATCH 1/3] Revert "x86/retpoline: Remove .text..__x86.return_thunk section""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]