From: Linus Torvalds
Date: Mon, 5 Mar 2018 04:17:45 -0800
Subject: Re: [PATCH 07/34] x86/entry/32: Restore segments before int registers
In-Reply-To: <1520245563-8444-8-git-send-email-joro@8bytes.org>
References: <1520245563-8444-1-git-send-email-joro@8bytes.org> <1520245563-8444-8-git-send-email-joro@8bytes.org>
To: Joerg Roedel
Cc: Thomas Gleixner, Ingo Molnar, Peter Anvin, the arch/x86 maintainers, Linux Kernel Mailing List, linux-mm, Andrew Lutomirski, Dave Hansen, Josh Poimboeuf, Jürgen Groß, Peter Zijlstra, Borislav Petkov, Jiri Kosina, Boris Ostrovsky, Brian Gerst, David Laight, Denys Vlasenko, Eduardo Valentin, Greg Kroah-Hartman, Will Deacon, "Liguori, Anthony", Daniel Gruss, Hugh Dickins, Kees Cook, Andrea Arcangeli, Waiman Long, Pavel Machek, Joerg Roedel

[ On mobile, sorry for html ]

On Mar 5, 2018 02:26, "Joerg Roedel" wrote:
> From: Joerg Roedel
>
> Restoring the segments can cause exceptions that need to be
> handled. With PTI enabled, we still need to be on kernel cr3
> when the exception happens. For the cr3-switch we need
> at least one integer scratch register, so we can't switch
> with the user integer registers already loaded.
This fundamentally seems wrong.

The thing is, we *know* that we will restore two segment registers with the user cr3 already loaded: CS and SS get restored with the final iret.

And yes, the final iret can fault due to CS/SS no longer being valid, either because of ptrace or because the ldt was changed.

So making it be a "rule" that segment registers be restored with the kernel cr3 active seems bogus. It just means that you're making a rule that cannot possibly be generic.

So has this been tested with

 - single-stepping through sysenter

   This takes a DB fault in the first kernel instruction. We're in kernel mode, but with user cr3.

 - ptracing and setting CS/SS to something bad

   That should test the "exception on iret" case - again in kernel mode, but with user cr3 restored for the return.

I didn't look closely at the whole series, so maybe this is all fine. I mainly reacted to the "With PTI enabled, we still need to be on kernel cr3 when the exception happens" part of the explanation..

      Linus
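The second test Linus lists, "ptracing and setting CS/SS to something bad", written out as a user-space regression harness. This is an added example, not code from Linus's mail or from the patch series under review: it targets Linux x86-64, assumes the tracee is allowed to request tracing (under seccomp or Yama restrictions it reports "skipped" rather than failing), and the names it introduces (make_selector, bad_user_cs, run_bad_cs_test, the BAD_CS_* codes) and the selector it constructs are its own. The point of the harness is the path Linus describes: after PTRACE_SETREGS the kernel returns to the tracee through iret with user cr3 already restored, the iret takes a #GP in kernel mode, and the kernel has to survive that and hand the tracee a SIGSEGV.

```c
/* Added example, not from Linus's mail or the patch series: a user-space
 * harness for "ptracing and setting CS/SS to something bad".  Linux x86-64
 * only; elsewhere run_bad_cs_test() reports BAD_CS_SKIPPED. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#if defined(__linux__) && defined(__x86_64__)
#include <sys/ptrace.h>
#include <sys/user.h>
#endif

enum bad_cs_result {
    BAD_CS_SIGSEGV    = 0, /* tracee got SIGSEGV: the iret fault was handled cleanly */
    BAD_CS_SKIPPED    = 1, /* ptrace not usable here (seccomp, Yama, other arch/OS) */
    BAD_CS_UNEXPECTED = 2  /* tracee exited, hung, or stopped with another signal */
};

/* x86 segment selector: bits 15:3 index, bit 2 TI (1 = LDT), bits 1:0 RPL. */
unsigned short make_selector(unsigned index, int use_ldt, unsigned rpl)
{
    return (unsigned short)(((index & 0x1fffu) << 3) | ((use_ldt ? 1u : 0u) << 2) | (rpl & 3u));
}

/* "Something bad" for CS (constructed value): LDT entry 0 with RPL 3.  The
 * tracee never installs an LDT, so iret to this selector must #GP.  RPL 3 is
 * required because the kernel's ptrace code refuses a non-user RPL. */
unsigned short bad_user_cs(void)
{
    return make_selector(0, 1, 3);
}

#if defined(__linux__) && defined(__x86_64__)
static void kill_and_reap(pid_t pid)   /* finish with the tracee in any state */
{
    int status;
    kill(pid, SIGKILL);
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
}

int run_bad_cs_test(void)
{
    int status;
    struct user_regs_struct regs;
    pid_t pid = fork();

    if (pid < 0)
        return BAD_CS_SKIPPED;
    if (pid == 0) {                     /* tracee: get traced, stop, then idle */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
            _exit(99);
        raise(SIGSTOP);
        for (;;)
            pause();
    }
    /* Expect the SIGSTOP; anything else means tracing is not permitted here. */
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status) ||
        ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) {
        kill_and_reap(pid);
        return BAD_CS_SKIPPED;
    }
    regs.cs = bad_user_cs();
    /* Read the registers back: a kernel or sandbox that silently drops the
     * write would otherwise leave the tracee running normally. */
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) < 0 ||
        ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0 || regs.cs != bad_user_cs() ||
        ptrace(PTRACE_CONT, pid, NULL, NULL) < 0) {
        kill_and_reap(pid);
        return BAD_CS_SKIPPED;
    }
    /* The kernel now returns to the tracee through iret with CS = 7 and the
     * user cr3 already restored.  The #GP must become a SIGSEGV for the
     * tracee, seen here as a signal-delivery stop.  Poll with a deadline so a
     * tracee that keeps running cannot hang the harness. */
    for (int i = 0; i < 300; i++) {    /* about 3 s */
        struct timespec ts = { 0, 10 * 1000 * 1000 };
        if (waitpid(pid, &status, WNOHANG) == pid) {
            int ok = WIFSTOPPED(status) && WSTOPSIG(status) == SIGSEGV;
            kill_and_reap(pid);
            return ok ? BAD_CS_SIGSEGV : BAD_CS_UNEXPECTED;
        }
        nanosleep(&ts, NULL);
    }
    kill_and_reap(pid);
    return BAD_CS_UNEXPECTED;
}
#else
int run_bad_cs_test(void) { return BAD_CS_SKIPPED; }
#endif

int main(void)
{
    static const char *const what[] = { "SIGSEGV, handled cleanly", "skipped", "UNEXPECTED" };
    int r = run_bad_cs_test();
    printf("ptrace bad CS test: %s\n", what[r]);
    return r == BAD_CS_UNEXPECTED;
}
```

A clean result is the tracee stopping with SIGSEGV; an entry-code regression of the kind the thread is about would show up as a kernel oops or as the tracee not reaching that stop. The same rewrite applied to regs.ss exercises the SS half of the iret; the first test Linus names, single-stepping through sysenter, needs a 32-bit sysenter path and is not covered by this harness.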