Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751872AbbFNG4u (ORCPT ); Sun, 14 Jun 2015 02:56:50 -0400 Received: from mail-wi0-f169.google.com ([209.85.212.169]:38050 "EHLO mail-wi0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751352AbbFNG4m (ORCPT ); Sun, 14 Jun 2015 02:56:42 -0400 Date: Sun, 14 Jun 2015 08:56:35 +0200 From: Ingo Molnar To: Brian Gerst Cc: Andy Lutomirski , "H. Peter Anvin" , Srinivas Pandruvada , Ingo Molnar , Thomas Gleixner , Pavel Machek , "Rafael J. Wysocki" , X86 ML , "linux-pm@vger.kernel.org" , "linux-kernel@vger.kernel.org" , Denys Vlasenko , Borislav Petkov , Linus Torvalds Subject: [PATCH] x86: Load __USER_DS into DS/ES after resume Message-ID: <20150614065635.GA5294@gmail.com> References: <1434066338-6619-1-git-send-email-srinivas.pandruvada@linux.intel.com> <20150612060747.GA25024@gmail.com> <20150612075013.GA8759@gmail.com> <20150612083625.GA22760@gmail.com> <20150613070359.GB26502@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1936 Lines: 55 * Brian Gerst wrote: > >> So if wakeup_pmode_return is really the first thing called then the whole > >> premise of shadow descriptor corruption goes out the window: we reload all > >> relevant segment registers. > > > > True, but it still leaves the fact that we're loading __KERNEL_DS instead of > > __USER_DS, right? So we end up in the kernel in some context (I have no clue > > what context) with __KERNEL_DS loaded. It's very easy for us to inadvertently > > fix it: we could return to userspace by any means whatsoever except SYSEXIT, > > or we could even return back to some preempted kernel context. > > > > I still think we should replace __KERNEL_DS with __USER_DS in > > wakeup_pmode_return and see if the problem goes away. > > I'm pretty sure that's what the problem is. If you look at the sysexit path, it > never reloads ds/es. It assumes they are still __USER_DS set at sysenter. The > iret path does restore all the user segments. Ok, so something like the patch below, right? Thanks, Ingo =====================> arch/x86/kernel/acpi/wakeup_32.S | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S index 665c6b7d2ea9..7302bbaea184 100644 --- a/arch/x86/kernel/acpi/wakeup_32.S +++ b/arch/x86/kernel/acpi/wakeup_32.S @@ -12,11 +12,13 @@ ENTRY(wakeup_pmode_return) wakeup_pmode_return: movw $__KERNEL_DS, %ax movw %ax, %ss - movw %ax, %ds - movw %ax, %es movw %ax, %fs movw %ax, %gs + movw $__KERNEL_DS, %ax + movw %ax, %ds + movw %ax, %es + # reload the gdt, as we need the full 32 bit address lidt saved_idt lldt saved_ldt -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/