From: Andrew Cooper
To: Xen-devel
Subject: [PATCH v2 08/14] x86/cpu: Adjust reset_stack_and_jump() to be shadow stack compatible
Date: Wed, 27 May 2020 20:18:41 +0100
Message-ID: <20200527191847.17207-9-andrew.cooper3@citrix.com>
In-Reply-To: <20200527191847.17207-1-andrew.cooper3@citrix.com>
References: <20200527191847.17207-1-andrew.cooper3@citrix.com>
Cc: Andrew Cooper, Wei Liu, Jan Beulich, Roger Pau Monné

We need to unwind up to the supervisor token.  See the comment for details.

The use of UNLIKELY_END_SECTION in this case highlights that it isn't safe when it isn't the final statement of an asm().  Adjust all declarations with a newline.

Signed-off-by: Andrew Cooper
Reviewed-by: Jan Beulich
---
CC: Jan Beulich
CC: Wei Liu
CC: Roger Pau Monné

v2:
 * Drop 'cmc' which was stray debugging.
 * Replace raw numbers with defines.
 * Use a real BUG frame in .fixup, to get static branch prediction working the right way around.
---
xen/include/asm-x86/asm_defns.h | 8 +++---- xen/include/asm-x86/current.h | 48 +++++++++++++++++++++++++++++++++++++= +--- 2 files changed, 49 insertions(+), 7 deletions(-) diff --git a/xen/include/asm-x86/asm_defns.h b/xen/include/asm-x86/asm_defn= s.h index b42a19b654..035708adac 100644 --- a/xen/include/asm-x86/asm_defns.h +++ b/xen/include/asm-x86/asm_defns.h 
@@ -177,13 +177,13 @@ register unsigned long current_stack_pointer asm("rsp= "); =20 #ifdef __clang__ /* clang's builtin assember can't do .subsection */ =20 -#define UNLIKELY_START_SECTION ".pushsection .text.unlikely,\"ax\"" -#define UNLIKELY_END_SECTION ".popsection" +#define UNLIKELY_START_SECTION ".pushsection .text.unlikely,\"ax\"\n\t" +#define UNLIKELY_END_SECTION ".popsection\n\t" =20 #else =20 -#define UNLIKELY_START_SECTION ".subsection 1" -#define UNLIKELY_END_SECTION ".subsection 0" +#define UNLIKELY_START_SECTION ".subsection 1\n\t" +#define UNLIKELY_END_SECTION ".subsection 0\n\t" =20 #endif =20 diff --git a/xen/include/asm-x86/current.h b/xen/include/asm-x86/current.h index 99b66a0087..086326b81a 100644 --- a/xen/include/asm-x86/current.h +++ b/xen/include/asm-x86/current.h 
@@ -124,13 +124,55 @@ unsigned long get_stack_dump_bottom (unsigned long sp= ); # define CHECK_FOR_LIVEPATCH_WORK "" #endif =20 +#ifdef CONFIG_XEN_SHSTK +/* + * We need to unwind the primary shadow stack to its supervisor token, loc= ated + * at 0x5ff8 from the base of the stack blocks. + * + * Read the shadow stack pointer, subtract it from 0x5ff8, divide by 8 to = get + * the number of slots needing popping. + * + * INCSSPQ can't pop more than 255 entries. We shouldn't ever need to pop + * that many entries, and getting this wrong will cause us to #DF later. = Turn + * it into a BUG() now for fractionally easier debugging. + */ +# define SHADOW_STACK_WORK \ + "mov $1, %[ssp];" \ + "rdsspd %[ssp];" \ + "cmp $1, %[ssp];" \ + "je .L_shstk_done.%=3D;" /* CET not active? Skip. */ \ + "mov $%c[skstk_base], %[val];" \ + "and $%c[stack_mask], %[ssp];" \ + "sub %[ssp], %[val];" \ + "shr $3, %[val];" \ + "cmp $255, %[val];" /* More than 255 entries? Crash. */ \ + UNLIKELY_START(a, shstk_adjust) \ + _ASM_BUGFRAME_TEXT(0) \ + UNLIKELY_END_SECTION \ + "incsspq %q[val];" \ + ".L_shstk_done.%=3D:" +#else +# define SHADOW_STACK_WORK "" +#endif + #define switch_stack_and_jump(fn, instr) \ ({ \ + unsigned int tmp; \ __asm__ __volatile__ ( \ - "mov %0,%%"__OP"sp;" \ + SHADOW_STACK_WORK \ + "mov %[stk], %%rsp;" \ instr \ - "jmp %c1" \ - : : "r" (guest_cpu_user_regs()), "i" (fn) : "memory" ); \ + "jmp %c[fun];" \ + : [val] "=3D&r" (tmp), \ + [ssp] "=3D&r" (tmp) \ + : [stk] "r" (guest_cpu_user_regs()), \ + [fun] "i" (fn), \ + [skstk_base] "i" \ + ((PRIMARY_SHSTK_SLOT + 1) * PAGE_SIZE - 8), \ + [stack_mask] "i" (STACK_SIZE - 1), \ + _ASM_BUGFRAME_INFO(BUGFRAME_bug, __LINE__, \ + __FILE__, NULL) \ + : "memory" ); \ unreachable(); \ }) =20 --=20 2.11.0
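Review bot: The four UNLIKELY_START_SECTION / UNLIKELY_END_SECTION definitions in asm_defns.h now end in "\n\t", but nothing at the definitions says they are self-terminating. A one-line comment above the #ifdef __clang__ block, stating that each macro carries its own trailing newline and may therefore be followed directly by further asm() text, would record the reason given in the commit message and keep a later cleanup from dropping the "\n\t" again. SHADOW_STACK_WORK in current.h already depends on this by placing "incsspq %q[val];" straight after UNLIKELY_END_SECTION.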
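Review bot: In switch_stack_and_jump() in current.h, both early-clobber outputs, [val] "=&r" (tmp) and [ssp] "=&r" (tmp), are bound to the same C variable. The asm needs two distinct scratch registers and neither result is read afterwards, so two separate locals (or a comment saying the shared tmp is deliberate) would make that intent explicit instead of leaving two outputs writing one lvalue. In the same hunk the operand name skstk_base looks like a typo for shstk_base; it is spelled the same way in "mov $%c[skstk_base], %[val];" and in the constraint list, so it assembles, but it does not match the shstk spelling used by SHADOW_STACK_WORK, .L_shstk_done and PRIMARY_SHSTK_SLOT. The block comment also still quotes 0x5ff8 although the v2 changelog says raw numbers were replaced with defines; wording it in terms of PRIMARY_SHSTK_SLOT would keep the comment and the code from drifting apart.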