|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [PATCH v2 08/14] x86/cpu: Adjust reset_stack_and_jump() to be shadow stack compatible
We need to unwind up to the supervisor token. See the comment for details.
The use of UNLIKELY_END_SECTION in this case highlights that it isn't safe
when it isn't the final statement of an asm(). Adjust all declarations with a
newline.
Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
CC: Jan Beulich <JBeulich@xxxxxxxx>
CC: Wei Liu <wl@xxxxxxx>
CC: Roger Pau Monné <roger.pau@xxxxxxxxxx>
v2:
* Drop 'cmc' which was stray debugging.
* Replace raw numbers with defines.
* Use a real BUG frame in .fixup, to get static branch preduction working the
right way around.
---
xen/include/asm-x86/asm_defns.h | 8 +++----
xen/include/asm-x86/current.h | 48 ++++++++++++++++++++++++++++++++++++++---
2 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defns.h
index b42a19b654..035708adac 100644
--- a/xen/include/asm-x86/asm_defns.h
+++ b/xen/include/asm-x86/asm_defns.h
@@ -177,13 +177,13 @@ register unsigned long current_stack_pointer asm("rsp");
#ifdef __clang__ /* clang's builtin assember can't do .subsection */
-#define UNLIKELY_START_SECTION ".pushsection .text.unlikely,\"ax\""
-#define UNLIKELY_END_SECTION ".popsection"
+#define UNLIKELY_START_SECTION ".pushsection .text.unlikely,\"ax\"\n\t"
+#define UNLIKELY_END_SECTION ".popsection\n\t"
#else
-#define UNLIKELY_START_SECTION ".subsection 1"
-#define UNLIKELY_END_SECTION ".subsection 0"
+#define UNLIKELY_START_SECTION ".subsection 1\n\t"
+#define UNLIKELY_END_SECTION ".subsection 0\n\t"
#endif
diff --git a/xen/include/asm-x86/current.h b/xen/include/asm-x86/current.h
index 99b66a0087..086326b81a 100644
--- a/xen/include/asm-x86/current.h
+++ b/xen/include/asm-x86/current.h
@@ -124,13 +124,55 @@ unsigned long get_stack_dump_bottom (unsigned long sp);
# define CHECK_FOR_LIVEPATCH_WORK ""
#endif
+#ifdef CONFIG_XEN_SHSTK
+/*
+ * We need to unwind the primary shadow stack to its supervisor token, located
+ * at 0x5ff8 from the base of the stack blocks.
+ *
+ * Read the shadow stack pointer, subtract it from 0x5ff8, divide by 8 to get
+ * the number of slots needing popping.
+ *
+ * INCSSPQ can't pop more than 255 entries. We shouldn't ever need to pop
+ * that many entries, and getting this wrong will cause us to #DF later. Turn
+ * it into a BUG() now for fractionally easier debugging.
+ */
+# define SHADOW_STACK_WORK \
+ "mov $1, %[ssp];" \
+ "rdsspd %[ssp];" \
+ "cmp $1, %[ssp];" \
+ "je .L_shstk_done.%=;" /* CET not active? Skip. */ \
+ "mov $%c[skstk_base], %[val];" \
+ "and $%c[stack_mask], %[ssp];" \
+ "sub %[ssp], %[val];" \
+ "shr $3, %[val];" \
+ "cmp $255, %[val];" /* More than 255 entries? Crash. */ \
+ UNLIKELY_START(a, shstk_adjust) \
+ _ASM_BUGFRAME_TEXT(0) \
+ UNLIKELY_END_SECTION \
+ "incsspq %q[val];" \
+ ".L_shstk_done.%=:"
+#else
+# define SHADOW_STACK_WORK ""
+#endif
+
#define switch_stack_and_jump(fn, instr) \
({ \
+ unsigned int tmp; \
__asm__ __volatile__ ( \
- "mov %0,%%"__OP"sp;" \
+ SHADOW_STACK_WORK \
+ "mov %[stk], %%rsp;" \
instr \
- "jmp %c1" \
- : : "r" (guest_cpu_user_regs()), "i" (fn) : "memory" ); \
+ "jmp %c[fun];" \
+ : [val] "=&r" (tmp), \
+ [ssp] "=&r" (tmp) \
+ : [stk] "r" (guest_cpu_user_regs()), \
+ [fun] "i" (fn), \
+ [skstk_base] "i" \
+ ((PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8), \
+ [stack_mask] "i" (STACK_SIZE - 1), \
+ _ASM_BUGFRAME_INFO(BUGFRAME_bug, __LINE__, \
+ __FILE__, NULL) \
+ : "memory" ); \
unreachable(); \
})
--
2.11.0
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |