On 04/23/2015 12:44 PM, Borislav Petkov wrote:
> On Thu, Apr 23, 2015 at 12:26:43PM +0200, Denys Vlasenko wrote:
>> Yes. It loads *selector*. AMD docs say that selector is loaded as you say,
>> but *cached descriptor* of SS (which is a different entity) is not modified.
>>
>> If *cached descriptor* is invalid, in 32-bit mode stack ops
>> will fail. (In 64-bit mode, CPU doesn't do those checks).
>
> So how can that happen with wine? Something's changing the cached
> descriptor ... ?
Yes. We know of at least one case where documentation (both Intel and AMD)
specifically states that %ss is set to NULL: this happens on every interrupt
and exception.

If the interrupt/exception returns to the same task with IRET, all is well:
%ss is reloaded from the iret frame (both selector and cached descriptor).

However, if the interrupt results in a preemption, we end up in a different
task (say, Wine), and we can return to its userspace code with SYSRETL.
*This* type of return does not reload the cached descriptor.

I don't know why it happens only with Wine. Maybe it just happens with Wine
much more easily than with other 32-bit tasks?