Hi,

I was reviewing xen/common/wait.c:__prepare_to_wait() and I think I've
identified an incompatibility with shadow stacks like Intel CET-SS.

The inline asm does:

        "call 1f;"
        "1: addq $2f-1b,(%%rsp);"
        "sub %%esp,%%ecx;"
        "cmp %3,%%ecx;"
        "ja 3f;"
        "mov %%rsp,%%rsi;"

        /* check_wakeup_from_wait() longjmp()'s to this point. */
        "2: rep movsb;"
        "mov %%rsp,%%rsi;"
        "3: pop %%rax;"

`call 1f` gets the address of the code, but the address is popped off
without ret.  This will leave the shadow stack out-of-sync which will
trigger the protection.  Is my analysis correct?

Regards,
Jason
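As an added example (not part of this mail and not Xen code), the small C program below puts the two idioms side by side on x86-64: the call/pop trick quoted above, and a RIP-relative lea that yields the same code address without pushing anything. With CET shadow stacks enabled, `call` writes the return address to the shadow stack as well as the data stack, a plain `pop` unwinds only the data stack, and the next `ret` in that function finds the shadow stack one entry deep and raises #CP; `lea` touches neither stack, so it has no such problem. The names sample_ip, addresses_match and cpu_has_shstk are my own; the program assumes a GCC/clang inline-asm toolchain on x86-64 and a process in which user-space shadow stacks are not actually enforced (if they were, the call/pop path itself would fault, which is the point).

```c
/* Added example, not Xen code: obtain a code address in inline asm on
 * x86-64 via call/pop (quoted from __prepare_to_wait()) and via a
 * RIP-relative lea, and show that they agree.  Only the lea variant is
 * safe under CET-SS, because call pushes to the shadow stack and pop does
 * not pop it.  Build: cc -O2 -o ip ip.c && ./ip   (x86-64 only) */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#include <cpuid.h>

struct ip_pair {
    uintptr_t via_call_pop; /* address of label 1, taken with call/pop */
    uintptr_t via_lea;      /* the same address, taken with lea 1b(%rip) */
};

/* Both values come from one asm statement so they refer to the same
 * label and must compare equal.  The rsp adjustment steps over the SysV
 * red zone so the push from `call` cannot clobber this function's locals. */
static struct ip_pair sample_ip(void)
{
    struct ip_pair p;
    __asm__ volatile(
        "sub $128, %%rsp\n\t"
        "call 1f\n\t"            /* pushes &1: (under CET-SS: also onto the shadow stack) */
        "1: pop %0\n\t"          /* unwinds the data stack only */
        "add $128, %%rsp\n\t"
        "lea 1b(%%rip), %1\n\t"  /* shadow-stack-neutral way to get &1: */
        : "=r"(p.via_call_pop), "=r"(p.via_lea)
        :
        : "memory");
    return p;
}

/* Returns 1 when the two idioms produce the same address. */
int addresses_match(void)
{
    struct ip_pair p = sample_ip();
    return p.via_call_pop == p.via_lea;
}

/* Returns 1 if the CPU advertises CET shadow stacks (CPUID.(7,0):ECX[7]),
 * i.e. if the hardware could enforce against the call/pop mismatch at all. */
int cpu_has_shstk(void)
{
    unsigned int a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return 0;
    return (c >> 7) & 1;
}
#else
/* Not applicable off x86-64: report -1 rather than a false match. */
int addresses_match(void) { return -1; }
int cpu_has_shstk(void)   { return 0; }
#endif

int main(void)
{
    printf("call/pop and lea agree: %d\n", addresses_match());
    printf("CPU advertises CET-SS:  %d\n", cpu_has_shstk());
    return 0;
}
```

The takeaway for code that only needs its own address (rather than a genuine call/return pair) is to take it with `lea label(%rip)` and push it explicitly if a stack slot is required; a plain push/pop pair is invisible to the shadow stack, whereas a `call` with no matching `ret` is not.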
