[llvm-dev] retpoline mitigation and 6.0

David Woodhouse via llvm-dev llvm-dev at lists.llvm.org
Fri Feb 9 00:26:46 PST 2018 


On Fri, 2018-02-09 at 02:21 +0000, David Woodhouse wrote:
> On Fri, 2018-02-09 at 01:18 +0000, David Woodhouse wrote:
> > 
> > 
> > For now I'm just going to attempt to work around it like this in the
> > kernel, so I can concentrate on the retpoline bits:
> >  http://david.woodhou.se/clang-percpu-hack.patch
>
> 32-bit doesn't boot. Built without CONFIG_RETPOLINE and with Clang 5.0
> (and the above patch) it does. I'm rebuilding a Release build of
> llvm/clang so that experimental kernel builds hopefully take less than
> an hour, and will prod further in the morning.

What is the intended ABI of __x86_indirect_thunk which I have been
calling the "ret-equivalent" retpoline? I see this happening
(I ♥ 'qemu -d in_asm')...

----------------
IN: 
0xc136feea:  89 d8                    movl     %ebx, %eax
0xc136feec:  89 f2                    movl     %esi, %edx
0xc136feee:  8b 75 f0                 movl     -0x10(%ebp), %esi
0xc136fef1:  89 f1                    movl     %esi, %ecx
0xc136fef3:  ff 75 e0                 pushl    -0x20(%ebp)
0xc136fef6:  e8 c5 f3 58 00           calll    0xc18ff2c0 # __x86_indirect_thunk

----------------
IN: 
0xc18ff2c0:  c3                       retl     # Early boot, so it hasn't been turned into a proper retpoline yet

----------------
IN: 
0xc136fefb:  8d 34 7e                 leal     (%esi, %edi, 2), %esi


(gdb) list *0xc136fef6
0xc136fef6 is in sort (lib/sort.c:87).
82				if (c < n - size &&
83						cmp_func(base + c, base + c + size) < 0)
84					c += size;
85				if (cmp_func(base + r, base + c) >= 0)
86					break;
87				swap_func(base + r, base + c, size);
88			}
89		}
90	
91		/* sort */

You're pushing the target (-0x20(%ebp)) onto the stack and then
*calling* __x86_indirect_thunk. So it looks like you're expecting
__x86_indirect_thunk to do something like

  call *4(%esp)
  ret

... except that final 'ret' still leaves the target address on the
stack, so there would also need to be a complicated dance, without
using any registers, to pop that too.

I expected the emitted code for a *call* using the thunk to look more
like

   jmp 2f 
1: pushl -0x20(%ebp)        # cmp_func
   jmp __x86_thunk_indirect # jmp, not call
2: call 1b                  # set up address for cmp_func to return to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5213 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20180209/084f16c2/attachment.bin>

More information about the llvm-dev mailing list