On 25.09.2024 18:51, Andrew Cooper wrote:
> On 25/09/2024 5:45 pm, Ard Biesheuvel wrote:
>> On Wed, 25 Sept 2024 at 18:39, Linus Torvalds
>> <torva...@linux-foundation.org> wrote:
>>> And we do have special calling conventions that aren't the regular
>>> ones, so %rdi might actually be used elsewhere. For example,
>>> __get_user_X and __put_user_X all have magical calling conventions:
>>> they don't actually use %rdi, but part of the calling convention is
>>> that the unused registers aren't modified.
>>>
>>> Of course, I'm not actually sure you can probe those and trigger this
>>> issue, but it all makes me think it's broken.
>>>
>>> And it's entirely possible that I'm wrong for some reason, but this
>>> just _looks_ very very wrong to me.
>>>
>>> I think you can do this with a "pushq mem" instead, and put the
>>> relocation into the memory location.
>>>
>> I'll change this into
>>
>> pushq arch_rethook_trampoline@GOTPCREL(%rip)
>>
>> which I had originally. I was trying to avoid the load from memory,
>> but that obviously only works if the register is not live.
>
> But does that work? Won't that push the 8 bytes from the start of
> arch_rethook_trampoline, when what's wanted is simply the address of
> arch_rethook_trampoline itself.
What you describe is

pushq arch_rethook_trampoline(%rip)

The @GOTPCREL makes the PUSH access an item from the GOT, and that item is
arch_rethook_trampoline's address.

Jan
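The distinction Jan draws can be checked directly from userspace. The following is an added example, not code from this thread or from the kernel: `trampoline_stub` is a constructed global standing in for arch_rethook_trampoline, and the two functions push the same symbol with and without `@GOTPCREL`, then pop the pushed quadword so it can be compared against the symbol's contents and its address. It assumes an x86-64 ELF toolchain (GCC or Clang); on other targets a plain-C fallback computes the same two values so the file still builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for arch_rethook_trampoline: a global whose first
 * 8 bytes form the recognisable little-endian value 0x8877665544332211. */
__attribute__((visibility("hidden"), aligned(8)))
unsigned char trampoline_stub[8] = {
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
};

#if defined(__x86_64__) && defined(__ELF__)
/* Step below the 128-byte red zone before pushing, so the push cannot
 * clobber locals the compiler may keep there; pop the pushed quadword
 * into a register and restore %rsp. */
#define PUSH_POP(operand, out)                          \
    __asm__ volatile("leaq -128(%%rsp), %%rsp\n\t"      \
                     "pushq " operand "\n\t"            \
                     "popq %0\n\t"                      \
                     "leaq 128(%%rsp), %%rsp"           \
                     : "=r"(out) : : "memory")

/* pushq sym(%rip): the 8 bytes stored AT the symbol (what Andrew describes). */
uint64_t push_contents(void)
{
    uint64_t v;
    PUSH_POP("trampoline_stub(%%rip)", v);
    return v;
}

/* pushq sym@GOTPCREL(%rip): the quadword in the symbol's GOT slot, which
 * the linker fills with the address OF the symbol (Jan's point). */
uint64_t push_got_address(void)
{
    uint64_t v;
    PUSH_POP("trampoline_stub@GOTPCREL(%%rip)", v);
    return v;
}
#else
/* Fallback for non-x86-64 targets: same values computed in plain C. */
uint64_t push_contents(void)
{
    uint64_t v;
    memcpy(&v, trampoline_stub, sizeof v);
    return v;
}
uint64_t push_got_address(void) { return (uint64_t)(uintptr_t)trampoline_stub; }
#endif

int main(void)
{
    printf("contents: %#llx\naddress:  %#llx (&trampoline_stub = %p)\n",
           (unsigned long long)push_contents(),
           (unsigned long long)push_got_address(), (void *)trampoline_stub);
    return 0;
}
```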