x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST

DO_OVERWRITE_RSB clobbers %rax, meaning in practice that the bti_ist_info
field gets zeroed.  Older versions of this code had the DO_OVERWRITE_RSB
register selectable, so reintroduce this ability and use it to cause the
INTR_IST path to use %rdx instead.

The use of %dl for the %cs.rpl check means that when an IST interrupt hits
Xen, we try to load 1 into the high 32 bits of MSR_SPEC_CTRL, suffering a #GP
fault instead.

Also, drop an unused label which was a copy/paste mistake.

Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reported-by: Zhenzhong Duan <zhenzhong.duan@oracle.com>
Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>

diff --git a/xen/include/asm-x86/spec_ctrl_asm.h b/xen/include/asm-x86/spec_ctrl_asm.h
index 814f53dffc2807fdc86c6e05b8427be3b9a232f9..1f2b6f35526f08cad635462e9a7550d8f5bff830 100644 (file)
--- a/xen/include/asm-x86/spec_ctrl_asm.h
+++ b/xen/include/asm-x86/spec_ctrl_asm.h
@@ -79,10 +79,10 @@
  *  - SPEC_CTRL_EXIT_TO_GUEST
  */
 
-.macro DO_OVERWRITE_RSB
+.macro DO_OVERWRITE_RSB tmp=rax
 /*
  * Requires nothing
- * Clobbers %rax, %rcx
+ * Clobbers \tmp (%rax by default), %rcx
  *
  * Requires 256 bytes of stack space, but %rsp has no net change. Based on
  * Google's performance numbers, the loop is unrolled to 16 iterations and two
@@ -97,7 +97,7 @@
  * optimised with mov-elimination in modern cores.
  */
     mov $16, %ecx                   /* 16 iterations, two calls per loop */
-    mov %rsp, %rax                  /* Store the current %rsp */
+    mov %rsp, %\tmp                 /* Store the current %rsp */
 
 .L\@_fill_rsb_loop:
 
@@ -114,7 +114,7 @@
 
     sub $1, %ecx
     jnz .L\@_fill_rsb_loop
-    mov %rax, %rsp                  /* Restore old %rsp */
+    mov %\tmp, %rsp                 /* Restore old %rsp */
 .endm
 
 .macro DO_SPEC_CTRL_ENTRY_FROM_VMEXIT ibrs_val:req
@@ -274,7 +274,7 @@
     testb $BTI_IST_RSB, %al
     jz .L\@_skip_rsb
 
-    DO_OVERWRITE_RSB
+    DO_OVERWRITE_RSB tmp=rdx /* Clobbers %rcx/%rdx */
 
 .L\@_skip_rsb:
 
@@ -286,13 +286,13 @@
     setz %dl
     and %dl, STACK_CPUINFO_FIELD(use_shadow_spec_ctrl)(%r14)
 
-.L\@_entry_from_xen:
     /*
      * Load Xen's intended value.  SPEC_CTRL_IBRS vs 0 is encoded in the
      * bottom bit of bti_ist_info, via a deliberate alias with BTI_IST_IBRS.
      */
     mov $MSR_SPEC_CTRL, %ecx
     and $BTI_IST_IBRS, %eax
+    xor %edx, %edx
     wrmsr
 
     /* Opencoded UNLIKELY_START() with no condition. */