Message-ID: <551C6098.9030705@redhat.com>
Date: Wed, 01 Apr 2015 23:18:16 +0200
From: Denys Vlasenko
To: Andy Lutomirski, Ingo Molnar, x86@kernel.org, linux-kernel@vger.kernel.org
CC: Borislav Petkov
Subject: Re: [PATCH urgent] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set
References: <2805a341e0dddb37b018486b0ab4162e2f2fb118.1427916036.git.luto@kernel.org>
In-Reply-To: <2805a341e0dddb37b018486b0ab4162e2f2fb118.1427916036.git.luto@kernel.org>

On 04/01/2015 09:25 PM, Andy Lutomirski wrote:
> Fix it by using IRET to restore TF. Since it's late, I'm keeping
> this minimal and keeping "testq" instead of switching to "testl".

Changing to "testl" here wins nothing. Since r11 is used, the REX prefix
will be encoded anyway.

>
> -	testq $X86_EFLAGS_RF,%r11		/* sysret can't restore RF */
> +	/*
> +	 * SYSRET can't restore RF.  SYSRET can restore TF, but unlike IRET,
> +	 * restoring TF results in a trap from userspace immediately after
> +	 * SYSRET.  This would cause an infinite loop whenever #DB happens
> +	 * with register state that satisfies the opportunistic SYSRET
> +	 * conditions.
> +	 */

I propose to just show an example of the affected code:

	 * This can cause an infinite loop.
	 * Example:
	 *    asm volatile("movq $1f,%rcx\n\t"
	 *                 "pushfq\n\t"
	 *                 "popq %r11\n\t"
	 *                 "nop\n\t"
	 *                 "1:");
	 * The above example would get stuck at "1:".
	 */
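Review bot: the quoted hunk only shows `testq $X86_EFLAGS_RF,%r11` being removed and the new comment being added; the replacement test that also checks X86_EFLAGS_TF, which the subject line ("Disable opportunistic SYSRET if regs->flags has TF set") describes, is not among the quoted lines, so this excerpt cannot confirm that the exit path now falls back to IRET when TF is set. Please quote the new `testq` line together with the comment so the check and its explanation can be reviewed side by side; as a wording point, the comment could also spell out the loop it names: the #DB handler exits via SYSRET, SYSRET restores TF, and the single-step trap fires again immediately with the same register state, so the handler is re-entered without the next user instruction ever running.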