From: Andy Lutomirski
To: x86@kernel.org
Cc: linux-kernel@vger.kernel.org, Borislav Petkov, Linus Torvalds, Thomas Garnier, Andy Lutomirski
Subject: [PATCH tip:x86/mm] x86/tls: Forcibly set the accessed bit in TLS segments
Date: Sat, 18 Mar 2017 22:17:24 -0700
Message-Id: <62b7748542df0164af7e0a5231283b9b13858c45.1489900519.git.luto@kernel.org>

For mysterious historical reasons, struct user_desc doesn't indicate
whether segments are accessed. set_thread_area() has always programmed
segments as non-accessed, so the first write will set the accessed bit.
This will fault if the GDT is read-only.

Fix it by making TLS segments start out accessed.

If this ends up breaking something, we could, in principle, leave TLS
segments non-accessed and fix them up when we get the page fault. I'd be
surprised, though -- AFAIK all the nasty legacy segmented programs
(DOSEMU, Wine, things that run on DOSEMU and Wine, etc.) do their nasty
segmented things using the LDT and not the GDT. I assume this is mainly
because old OSes (Linux and otherwise) didn't historically provide APIs
to do nasty things in the GDT.

Fixes: 45fc8757d1d2 ("x86: Make the GDT remapping read-only on 64-bit")
Signed-off-by: Andy Lutomirski
---

Normally this would come with a test case update, but the relevant
testcase (ldt_gdt_32) currently has some issues. I'm working on it, but
I don't want to delay this bugfix.

 arch/x86/kernel/tls.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c index 6c8934406dc9..dcd699baea1b 100644 --- a/arch/x86/kernel/tls.c +++ b/arch/x86/kernel/tls.c @@ -92,10 +92,17 @@ static void set_tls_desc(struct task_struct *p, int idx, cpu = get_cpu(); while (n-- > 0) { - if (LDT_empty(info) || LDT_zero(info)) + if (LDT_empty(info) || LDT_zero(info)) { desc->a = desc->b = 0; - else + } else { fill_ldt(desc, info); + + /* + * Always set the accessed bit so that the CPU + * doesn't try to write to the (read-only) GDT. + */ + desc->type |= 1; + } ++info; ++desc; } -- 2.9.3
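Review bot: the `desc->type |= 1;` added after `fill_ldt(desc, info);` sets the accessed bit through a bare literal; the comment above it explains why the bit is set but not which bit it is, so a note that bit 0 of the 4-bit descriptor type field is the accessed bit (or a named constant, if the descriptor headers already provide one) would spare the next reader a trip to the SDM. Leaving the `desc->a = desc->b = 0;` path alone is consistent with the stated reasoning, since a cleared slot is never loaded and so never needs the bit written. Because `fill_ldt()` itself overwrites `type`, the OR has to stay after that call as it does here; any future reordering of the two lines would silently reintroduce the fault the patch fixes, which is worth a sentence in the comment, and the ldt_gdt_32 update mentioned under the `---` line is what would catch that regression.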
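The mechanism the commit message describes (a struct user_desc has no field for the accessed bit, fill_ldt() therefore leaves bit 0 of the descriptor type clear, and the patch ORs that bit in after fill_ldt()), as an added example that is not part of the original mail or of the kernel source. It models the loop body of set_tls_desc() in userspace; the struct user_desc and desc_struct layouts are what this example's author assumes the x86 ABI and kernel use, and the sample descriptors are constructed values.

```c
/* Added example (not the patch's or the kernel's code): a userspace model of
 * set_tls_desc() before and after the fix. The struct layouts mirror the x86
 * user_desc ABI and the kernel's desc_struct as this example's author
 * understands them; treat them as assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* set_thread_area() ABI: there is no field for the accessed bit. */
struct user_desc {
    unsigned int entry_number, base_addr, limit;
    unsigned int seg_32bit:1, contents:2, read_exec_only:1,
                 limit_in_pages:1, seg_not_present:1, useable:1;
};

/* One 8-byte segment descriptor; a/b alias the raw low/high 32-bit words. */
struct desc_struct {
    union {
        struct { unsigned int a, b; };
        struct {
            uint16_t limit0, base0;
            unsigned base1:8, type:4, s:1, dpl:2, p:1;
            unsigned limit1:4, avl:1, l:1, d:1, g:1, base2:8;
        };
    };
} __attribute__((packed));

#define SEG_TYPE_ACCESSED 0x1   /* bit 0 of the 4-bit type field */

/* Mirrors LDT_empty() || LDT_zero(): the two "clear this slot" encodings. */
static int clears_slot(const struct user_desc *i)
{
    int rest_zero = i->base_addr == 0 && i->limit == 0 && i->contents == 0 &&
                    i->seg_32bit == 0 && i->limit_in_pages == 0 && i->useable == 0;
    return rest_zero && i->read_exec_only == i->seg_not_present;
}

/* Encode like fill_ldt(): note that type bit 0 (accessed) is never set. */
static void fill_ldt(struct desc_struct *d, const struct user_desc *i)
{
    d->a = d->b = 0;
    d->limit0 = i->limit & 0xffff;
    d->limit1 = (i->limit >> 16) & 0xf;
    d->base0 = i->base_addr & 0xffff;
    d->base1 = (i->base_addr >> 16) & 0xff;
    d->base2 = (i->base_addr >> 24) & 0xff;
    d->type = (i->read_exec_only ^ 1) << 1;   /* bit 1: writable / readable */
    d->type |= i->contents << 2;              /* bits 2-3: direction, code/data */
    d->s = 1;                                 /* code/data, not a system descriptor */
    d->dpl = 3;                               /* user-mode segment */
    d->p = i->seg_not_present ^ 1;
    d->avl = i->useable;
    d->d = i->seg_32bit;
    d->g = i->limit_in_pages;
    d->l = 0;                                 /* never a 64-bit code segment */
}

/* The loop body of set_tls_desc(); force_accessed selects old vs. patched behaviour. */
void set_tls_desc_entry(struct desc_struct *d, const struct user_desc *i,
                        int force_accessed)
{
    if (clears_slot(i)) {
        d->a = d->b = 0;
    } else {
        fill_ldt(d, i);
        if (force_accessed)   /* the patch: the CPU never has to write the GDT */
            d->type |= SEG_TYPE_ACCESSED;
    }
}

int is_accessed(int type) { return (type & SEG_TYPE_ACCESSED) != 0; }

/* Constructed 32-bit TLS request with a 4 GiB page-granular limit. */
static int tls_type(unsigned contents, unsigned read_exec_only, int force_accessed)
{
    struct user_desc u;
    struct desc_struct d;
    memset(&u, 0, sizeof(u));
    u.base_addr = 0x10000; u.limit = 0xfffff; u.seg_32bit = 1;
    u.limit_in_pages = 1; u.useable = 1;
    u.contents = contents; u.read_exec_only = read_exec_only;
    set_tls_desc_entry(&d, &u, force_accessed);
    return d.type;
}

/* Writable data segment, like the %gs TLS segment a 32-bit libc sets up. */
int data_tls_type(int force_accessed) { return tls_type(0, 0, force_accessed); }
/* Readable, non-conforming code segment (contents = 2). */
int code_tls_type(int force_accessed) { return tls_type(2, 0, force_accessed); }
/* An all-zero user_desc clears the slot, so no accessed bit is involved. */
int cleared_tls_type(void)
{
    struct user_desc u; struct desc_struct d;
    memset(&u, 0, sizeof(u));
    set_tls_desc_entry(&d, &u, 1);
    return d.type;
}

int main(void)
{
    printf("data TLS type: before 0x%x, after 0x%x\n",
           data_tls_type(0), data_tls_type(1));
    printf("code TLS type: before 0x%x, after 0x%x\n",
           code_tls_type(0), code_tls_type(1));
    return 0;
}
```

The type nibble is the only part of the descriptor the patch touches: the old encoding yields 0x2 for a writable data segment and 0xa for readable code, and the patched one yields 0x3 and 0xb. Bit 0 is the bit the CPU would otherwise set itself the first time the descriptor is loaded into a segment register, and on a read-only GDT that write is the fault the commit message describes.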