Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

x86/asm/entry/64: Disable opportunistic SYSRET if regs->flags has TF set

When I wrote the opportunistic SYSRET code, I missed an important difference
between SYSRET and IRET.

Both instructions are capable of setting EFLAGS.TF, but they behave differently
when doing so:

 - IRET will not issue a #DB trap after execution when it sets TF.
   This is critical -- otherwise you'd never be able to make forward progress when
   returning to userspace.

 - SYSRET, on the other hand, will trap with #DB immediately after
   returning to CPL3, and the next instruction will never execute.

This breaks anything that opportunistically SYSRETs to a user
context with TF set.  For example, running this code with TF set
and a SIGTRAP handler loaded never gets past 'post_nop':

	extern unsigned char post_nop[];
	asm volatile ("pushfq\n\t"
		      "popq %%r11\n\t"
		      "nop\n\t"
		      "post_nop:"
		      : : "c" (post_nop) : "r11");

In my defense, I can't find this documented in the AMD or Intel manual.

Fix it by using IRET to restore TF.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Borislav Petkov <bp@suse.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 2a23c6b8a9c4 ("x86_64, entry: Use sysret to return to userspace when possible")
Link: http://lkml.kernel.org/r/9472f1ca4c19a38ecda45bba9c91b7168135fcfa.1427923514.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Andy Lutomirski 10 years ago
parent
80313b3078
commit
7ea2416909
1 changed files with 15 additions and 1 deletions
Unified View Show Diff Stats
  1. 15 1
      arch/x86/kernel/entry_64.S

+ 15 - 1
arch/x86/kernel/entry_64.S
View File 

@@ -799,7 +799,21 @@ retint_swapgs:		/* return to user-space */
 
 	cmpq %r11,(EFLAGS-ARGOFFSET)(%rsp)	/* R11 == RFLAGS */
 
 	cmpq %r11,(EFLAGS-ARGOFFSET)(%rsp)	/* R11 == RFLAGS */
 
 	jne opportunistic_sysret_failed
 
 	jne opportunistic_sysret_failed
 
 
 
-	testq $X86_EFLAGS_RF,%r11		/* sysret can't restore RF */
 
+	/*
 
+	 * SYSRET can't restore RF.  SYSRET can restore TF, but unlike IRET,
 
+	 * restoring TF results in a trap from userspace immediately after
 
+	 * SYSRET.  This would cause an infinite loop whenever #DB happens
 
+	 * with register state that satisfies the opportunistic SYSRET
 
+	 * conditions.  For example, single-stepping this user code:
 
+	 *
 
+	 *           movq $stuck_here,%rcx
 
+	 *           pushfq
 
+	 *           popq %r11
 
+	 *   stuck_here:
 
+	 *
 
+	 * would never get past 'stuck_here'.
 
+	 */
 
+	testq $(X86_EFLAGS_RF|X86_EFLAGS_TF), %r11
 
 	jnz opportunistic_sysret_failed
 
 	jnz opportunistic_sysret_failed
 
 
 
 	/* nothing to check for RSP */
 
 	/* nothing to check for RSP */