From: Denys Vlasenko <dvlasenk@redhat.com>
To: Andy Lutomirski <luto@kernel.org>, Ingo Molnar <mingo@kernel.org>,
	x86@kernel.org, linux-kernel@vger.kernel.org
Cc: Borislav Petkov <bp@suse.de>
Subject: Re: [PATCH urgent] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set
Date: Wed, 01 Apr 2015 23:18:16 +0200	[thread overview]
Message-ID: <551C6098.9030705@redhat.com> (raw)
In-Reply-To: <2805a341e0dddb37b018486b0ab4162e2f2fb118.1427916036.git.luto@kernel.org>

On 04/01/2015 09:25 PM, Andy Lutomirski wrote:
> Fix it by using IRET to restore TF.  Since it's late, I'm keeping
> this minimal and keeping "testq" instead of switching to "testl".

Changing to "testl" here wins nothing. Since r11 is used,
REX prefix will be encoded anyway.

>  
> -	testq $X86_EFLAGS_RF,%r11	/* sysret can't restore RF */
> +	/*
> +	 * SYSRET can't restore RF.  SYSRET can restore TF, but unlike IRET,
> +	 * restoring TF results in a trap from userspace immediately after
> +	 * SYSRET.

>                  This would cause an infinite loop whenever #DB happens
> +	 * with register state that satisfies the opportunistic SYSRET
> +	 * conditions.
> +	 */
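Review bot: the new comment states that restoring TF via SYSRET traps immediately after SYSRET, but not why that becomes an infinite loop; add the missing step, namely that the resulting #DB enters the kernel with rcx, r11 and flags unchanged, so the return path again meets the opportunistic-SYSRET conditions and traps again. Also, as quoted here the hunk shows the removed `testq $X86_EFLAGS_RF,%r11` line but no replacement `+` line, so the RF check appears to vanish; keep the replacement test that also checks X86_EFLAGS_TF directly beneath this comment so the condition and its explanation stay together.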

I propose to just show an example of the affected code:

>                  This can cause an infinite loop. Example:
>	 * asm volatile("movq $1f,%rcx\n\t"
>	 *		"pushfq\n\t"
>	 *		"popq %r11\n\t"
>	 *		"nop\n\t"
>	 *		"1:");
>	 * The above example would get stuck at "1:".
>	 */

Thread overview: 3+ messages
2015-04-01 19:25 [PATCH urgent] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set Andy Lutomirski
2015-04-01 21:18 ` Denys Vlasenko [this message]
2015-04-02  6:16   ` Borislav Petkov