Re: [PATCH] x86/entry/64: Fix CR3 restore order in paranoid_exit()

Wed, 14 Feb 2018 08:12:06 -0800 

On Wed, Feb 14, 2018 at 08:39:11AM +0100, Ingo Molnar wrote:
> 
> * Dave Hansen <dave.han...@intel.com> wrote:
> 
> > On 02/13/2018 06:27 PM, Josh Poimboeuf wrote:
> > > --- a/arch/x86/entry/entry_64.S
> > > +++ b/arch/x86/entry/entry_64.S
> > > @@ -1167,10 +1167,10 @@ ENTRY(paranoid_exit)
> > >   UNWIND_HINT_REGS
> > >   DISABLE_INTERRUPTS(CLBR_ANY)
> > >   TRACE_IRQS_OFF_DEBUG
> > > + RESTORE_CR3     scratch_reg=%r15 save_reg=%r14
> > >   testl   %ebx, %ebx                      /* swapgs needed? */
> > >   jnz     .Lparanoid_exit_no_swapgs
> > >   TRACE_IRQS_IRETQ
> > > - RESTORE_CR3     scratch_reg=%rbx save_reg=%r14
> > >   SWAPGS_UNSAFE_STACK
> > >   jmp     .Lparanoid_exit_restore
> > >  .Lparanoid_exit_no_swapgs:
> > 
> > TRACE_IRQS_* call non-entry functions that are not mapped by the user
> > CR3.  How can this possibly work?  What am I missing?
> 
> How about something like the patch below? (Totally untested)
> 
> Thanks,
> 
>       Ingo
> ---
>  arch/x86/entry/entry_64.S | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
> index cd216c9431e1..8971bd64d515 100644
> --- a/arch/x86/entry/entry_64.S
> +++ b/arch/x86/entry/entry_64.S
> @@ -1175,6 +1175,7 @@ ENTRY(paranoid_exit)
>       jmp     .Lparanoid_exit_restore
>  .Lparanoid_exit_no_swapgs:
>       TRACE_IRQS_IRETQ_DEBUG
> +     RESTORE_CR3     scratch_reg=%rbx save_reg=%r14
>  .Lparanoid_exit_restore:
>       jmp restore_regs_and_return_to_kernel
>  END(paranoid_exit)

Dave was right, my patch was obviously bogus.  I couldn't figure out a
real reproducer, so I made an artificial one (see below) and can confirm
that your patch fixes it.

I would resubmit the patch, but now you're the author, so I'm not sure
how that works with the SOB.

Feel free to add my

  Reported-and-tested-by: Josh Poimboeuf <jpoim...@redhat.com>

Thanks!

-------------

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 68c95a09b48d..c181eb23109b 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -325,6 +325,8 @@ syscall_return_via_sysret:
         */
        SWITCH_TO_USER_CR3_STACK scratch_reg=%rdi
 
+       int3
+
        popq    %rdi
        popq    %rsp
        USERGS_SYSRET64
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
index 3d9b2308e7fa..74fabcdf6c36 100644
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -605,6 +605,8 @@ dotraplinkage void notrace do_int3(struct pt_regs *regs, 
long error_code)
                goto exit;
 #endif
 
+       goto exit;
+
        if (notify_die(DIE_INT3, "int3", regs, error_code, X86_TRAP_BP,
                        SIGTRAP) == NOTIFY_STOP)
                goto exit;

Reply via email to