[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Issue with waitqueues and Intel CET-SS

To: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Jason Andryuk <jandryuk@xxxxxxxxx>
Date: Thu, 12 Aug 2021 14:20:27 -0400
Delivery-date: Thu, 12 Aug 2021 18:20:47 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

I was reviewing xen/common/wait.c:__prepare_to_wait() and I think I've
identified an incompatibility with shadow stacks like Intel CET-SS.

The inline asm does:

        "call 1f;"
        "1: addq $2f-1b,(%%rsp);"
        "sub %%esp,%%ecx;"
        "cmp %3,%%ecx;"
        "ja 3f;"
        "mov %%rsp,%%rsi;"

        /* check_wakeup_from_wait() longjmp()'s to this point. */
        "2: rep movsb;"
        "mov %%rsp,%%rsi;"
        "3: pop %%rax;"

`call 1f` gets the address of the code, but the address is popped off
without ret.  This will leave the shadow stack out-of-sync which will
trigger the protection.  Is my analysis correct?

Regards,
Jason

Follow-Ups:
- Re: Issue with waitqueues and Intel CET-SS
  - From: Andrew Cooper

Prev by Date: Re: [PATCH] x86/cet: Fix shskt manipulation error with BUGFRAME_{warn,run_fn}
Next by Date: RE: [PATCH V3 01/13] x86/HV: Initialize GHCB page in Isolation VM
Previous by thread: [linux-5.4 test] 164167: trouble: broken/fail/pass
Next by thread: Re: Issue with waitqueues and Intel CET-SS
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.