linux/arch
Ingo Molnar e486575734 x86/entry/64: Fix CR3 restore in paranoid_exit()
Josh Poimboeuf noticed the following bug:

 "The paranoid exit code only restores the saved CR3 when it switches back
  to the user GS.  However, even in the kernel GS case, it's possible that
  it needs to restore a user CR3, if for example, the paranoid exception
  occurred in the syscall exit path between SWITCH_TO_USER_CR3_STACK and
  SWAPGS."

Josh also confirmed via targeted testing that it's possible to hit this bug.

Fix the bug by also restoring CR3 in the paranoid_exit_no_swapgs branch.

The reason we haven't seen this bug reported by users yet is probably because
"paranoid" entry points are limited to the following cases:

 idtentry double_fault       do_double_fault  has_error_code=1  paranoid=2
 idtentry debug              do_debug         has_error_code=0  paranoid=1 shift_ist=DEBUG_STACK
 idtentry int3               do_int3          has_error_code=0  paranoid=1 shift_ist=DEBUG_STACK
 idtentry machine_check      do_mce           has_error_code=0  paranoid=1

Amongst those entry points only machine_check is one that will interrupt an
IRQS-off critical section asynchronously - and machine check events are rare.

The other main asynchronous entries are NMI entries, which can be very high-freq
with perf profiling, but they are special: they don't use the 'idtentry' macro but
are open coded and restore user CR3 unconditionally so don't have this bug.

Reported-and-tested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/20180214073910.boevmg65upbk3vqb@gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2018-02-15 01:15:54 +01:00
..
alpha alpha/PCI: Fix noname IRQ level detection 2018-01-20 16:22:36 -08:00
arc ARC fixes for 4.15-rc7 2018-01-05 16:06:35 -08:00
arm ARM: SoC fixes for 4.15 2018-01-19 11:21:31 -08:00
arm64 KVM fixes for v4.15-rc9 2018-01-20 11:41:09 -08:00
blackfin bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
c6x bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
cris bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
frv bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
h8300 bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
hexagon bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
ia64 ia64: Rewrite atomic_add and atomic_sub 2018-01-19 10:47:51 -08:00
m32r kernel/exit.c: export abort() to modules 2018-01-04 16:45:09 -08:00
m68k Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-12-08 13:32:44 -08:00
metag bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
microblaze bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
mips MIPS: Fix undefined reference to physical_memsize 2018-01-18 20:44:29 +00:00
mn10300 bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
nios2 bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
openrisc bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
parisc parisc: qemu idle sleep support 2018-01-06 12:28:04 +01:00
powerpc KVM fixes for v4.15-rc9 2018-01-20 11:41:09 -08:00
riscv riscv: rename SR_* constants to match the spec 2018-01-07 15:14:39 -08:00
s390 KVM: s390: another fix for cmma migration 2018-01-24 16:25:53 +01:00
score bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
sh SolutionEngine771x: add Ether TSU resource 2018-01-09 12:21:14 -05:00
sparc sparc64: fix typo in CONFIG_CRYPTO_DES_SPARC64 => CONFIG_CRYPTO_CAMELLIA_SPARC64 2018-01-24 16:47:55 -05:00
tile bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
um Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2017-12-23 11:53:04 -08:00
unicore32 kernel/exit.c: export abort() to modules 2018-01-04 16:45:09 -08:00
x86 x86/entry/64: Fix CR3 restore in paranoid_exit() 2018-02-15 01:15:54 +01:00
xtensa bpf: correct broken uapi for BPF_PROG_TYPE_PERF_EVENT program type 2017-12-05 15:02:40 +01:00
.gitignore
Kconfig bpf: Revert bpf_overrid_function() helper changes. 2017-11-11 18:24:55 +09:00