Re: [PATCH v2] objtool: Fix return thunk patching in retpolines

From: Peter Zijlstra
Date: Thu Oct 12 2023 - 04:17:16 EST

Next message: Muhammad Usama Anjum: "Re: [PATCH 1/1] selftests/mm: include mman header to access MREMAP_DONTUNMAP identifier"
Previous message: Shuai Xue: "Re: [PATCH] HWPOISON: add a pr_err message when forcibly send a sigbus"
In reply to: tip-bot2 for Josh Poimboeuf: "[tip: x86/bugs] objtool: Fix return thunk patching in retpolines"
Next in thread: tip-bot2 for Josh Poimboeuf: "[tip: x86/bugs] objtool: Fix return thunk patching in retpolines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Oct 11, 2023 at 07:47:37PM -0700, Josh Poimboeuf wrote:
> With CONFIG_RETHUNK enabled, the compiler replaces every RET with a tail
> call to a return thunk ('JMP __x86_return_thunk'). Objtool annotates
> all such return sites so they can be patched during boot by
> apply_returns().
>
> The implementation of __x86_return_thunk() is just a bare RET. It's
> only meant to be used temporarily until apply_returns() patches all
> return sites with either a JMP to another return thunk or an actual RET.
>
> The following commit
>
> e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section") retpolines
>
> broke objtool's detection of return sites in retpolines. Since
> retpolines and return thunks are now in the same section, the compiler
> no longer uses relocations for the intra-section jumps between the
> retpolines and the return thunk, causing objtool to overlook them.
>
> As a result, none of the retpolines' return sites get patched. Each one
> stays at 'JMP __x86_return_thunk', effectively a bare RET.
>
> Fix it by teaching objtool to detect when a non-relocated jump target is
> a return thunk (or retpoline).
>
> Fixes: e92626af3234 ("x86/retpoline: Remove .text..__x86.return_thunk section")
> Reported-by: David Kaplan <david.kaplan@xxxxxxx>
> Signed-off-by: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>

Acked-by: Peter Zijlstra (Intel) <peterz@xxxxxxxxxxxxx>

> ---
> tools/objtool/check.c | 16 ++++++++++++++++
> 1 file changed, 16 insertions(+)
>
> diff --git a/tools/objtool/check.c b/tools/objtool/check.c
> index e308d1ba664e..e94756e09ca9 100644
> --- a/tools/objtool/check.c
> +++ b/tools/objtool/check.c
> @@ -1610,6 +1610,22 @@ static int add_jump_destinations(struct objtool_file *file)
> return -1;
> }
>
> + /*
> + * An intra-TU jump in retpoline.o might not have a relocation
> + * for its jump dest, in which case the above
> + * add_{retpoline,return}_call() didn't happen.
> + */
> + if (jump_dest->sym && jump_dest->offset == jump_dest->sym->offset) {
> + if (jump_dest->sym->retpoline_thunk) {
> + add_retpoline_call(file, insn);
> + continue;
> + }
> + if (jump_dest->sym->return_thunk) {
> + add_return_call(file, insn, true);
> + continue;
> + }
> + }
> +
> /*
> * Cross-function jump.
> */
> --
> 2.41.0
>

Next message: Muhammad Usama Anjum: "Re: [PATCH 1/1] selftests/mm: include mman header to access MREMAP_DONTUNMAP identifier"
Previous message: Shuai Xue: "Re: [PATCH] HWPOISON: add a pr_err message when forcibly send a sigbus"
In reply to: tip-bot2 for Josh Poimboeuf: "[tip: x86/bugs] objtool: Fix return thunk patching in retpolines"
Next in thread: tip-bot2 for Josh Poimboeuf: "[tip: x86/bugs] objtool: Fix return thunk patching in retpolines"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]