Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp5047779ybi; Sat, 20 Jul 2019 11:42:44 -0700 (PDT) X-Google-Smtp-Source: APXvYqz03UC8T1Qa9R6hCKGgkcYe3BcduDsXrPJzH17AoCs+ZSSuaYL/ggjZc2d4EQxgeYjoLVvp X-Received: by 2002:a17:902:b905:: with SMTP id bf5mr60182014plb.342.1563648164172; Sat, 20 Jul 2019 11:42:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563648164; cv=none; d=google.com; s=arc-20160816; b=Ysp5hncQiVVkJmQ9Ixk/RFXo26cgdWonupD4dlo3bVFI8JqNL6GLEWd6pcpa47dfqt KC/oWEecCsdc3iLnkXLqSL7tFplxTA/xDU48K1l6twEQ7I7tvTXP4Ja1xIoAeJQkVeqn pSEKeWI/NXQXWsmGlgZsL5utne0Nw5XCavIPJeXSLdLMvFSh/DT40cyu9urMp5GeLnxj a4c81oDE6I5zcRgpliMSh9wFrFB7GhcAflRCqrJkI0vcHD0EuSWqVuJDVliItg8qOFOp dRsfeZI+wMjL9keibVe0cWLI/U03dus0mc9qE2ZVYxFu8h+oVJy+KgH1twjOfPXSBzWb RmoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition :content-transfer-encoding:mime-version:robot-unsubscribe:robot-id :git-commit-id:subject:to:references:in-reply-to:reply-to:cc :message-id:from:date:dkim-signature:dkim-filter; bh=BIqdpQPSj7orFSVwnut3PFwO6r+kyJBmJ85gijMBGaY=; b=We2bipoMrMTrnm8mvYjKHGiR1TWsp/ZE08sH2w3Gi4m+5AFtcKeW2odzCW58Cw7bce XwUXJlBXtzze3WkeadV4zHqcHzdMLeh7lOqhfy1Srm28gkbnoat22T1Ts5mSuyUN5kS8 k105CYrAyTj9xU+MjkjuVjVGcAdj0DJQ64NgzhIbLIlfVrTaG7Jk4liFz8X0dKYox81q FKnfMTfYrRi+47xbSDoLyh2cimrRqomWzj8KVREAtW03yhb9KblGJTFOiCA2nNyJGRWG fONvjrNe5YZVF2USgREzPQwhkgNjdcg4fnyMd7o6UNdTnVzmP75PS1xuHTv8tVLlREmM iL3w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zytor.com header.s=2019061801 header.b="LyYB/1AE"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 130si3907522pgg.18.2019.07.20.11.42.28; Sat, 20 Jul 2019 11:42:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@zytor.com header.s=2019061801 header.b="LyYB/1AE"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zytor.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728281AbfGTMea (ORCPT + 99 others); Sat, 20 Jul 2019 08:34:30 -0400 Received: from terminus.zytor.com ([198.137.202.136]:55809 "EHLO terminus.zytor.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728202AbfGTMea (ORCPT ); Sat, 20 Jul 2019 08:34:30 -0400 Received: from terminus.zytor.com (localhost [127.0.0.1]) by terminus.zytor.com (8.15.2/8.15.2) with ESMTPS id x6KCYAMp2937336 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Sat, 20 Jul 2019 05:34:10 -0700 DKIM-Filter: OpenDKIM Filter v2.11.0 terminus.zytor.com x6KCYAMp2937336 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zytor.com; s=2019061801; t=1563626051; bh=BIqdpQPSj7orFSVwnut3PFwO6r+kyJBmJ85gijMBGaY=; h=Date:From:Cc:Reply-To:In-Reply-To:References:To:Subject:From; b=LyYB/1AEhmzisT/QlBr0qKmOUjvwRSuy1iGbtvFjv/63gc8xuWLk9Z/tGP8GRRYJG MJG8+f1f7RLOGX8NY86WPdkldnEQCQuGyivhMTxBby6AoZYg8r/WRFF33AxvX4gdy6 Nf1Lc+39iVp1DR52+gyIRKcuQ+nKdtd0F6edSuxQcyu04M+5CmD3LsfIf9kDLSnWUZ mT4TznkffE4bYX9me6niYAmLAuOuSk+qynxwoIZ4mHMvbEB0+kNTe1P0X2mKgG14xM NZT13JWgfC/4TTpyM3Gf/W/6V0RKdHVL3fWhCFTN2aa1Wm9ZX0thDLYUy0RWkPMN5B NYuh/s1mFm7ug== Received: (from tipbot@localhost) by terminus.zytor.com (8.15.2/8.15.2/Submit) id x6KCY7oM2937332; Sat, 20 Jul 2019 05:34:07 -0700 Date: Sat, 20 Jul 2019 05:34:07 -0700 X-Authentication-Warning: terminus.zytor.com: tipbot set sender to tipbot@zytor.com using -f From: tip-bot for Thomas Gleixner Message-ID: Cc: peterz@infradead.org, tglx@linutronix.de, sean.j.christopherson@intel.com, linux-kernel@vger.kernel.org, hpa@zytor.com, mingo@kernel.org Reply-To: peterz@infradead.org, mingo@kernel.org, sean.j.christopherson@intel.com, linux-kernel@vger.kernel.org, tglx@linutronix.de, hpa@zytor.com In-Reply-To: References: To: linux-tip-commits@vger.kernel.org Subject: [tip:x86/urgent] x86/entry/64: Prevent clobbering of saved CR2 value Git-Commit-ID: 6879298bd0673840cadd1fb36d7225485504ceb4 X-Mailer: tip-git-log-daemon Robot-ID: Robot-Unsubscribe: Contact to get blacklisted from these emails MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Content-Disposition: inline X-Spam-Status: No, score=-0.4 required=5.0 tests=ALL_TRUSTED,BAYES_00, DATE_IN_FUTURE_96_Q,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF autolearn=no autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on terminus.zytor.com Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit-ID: 6879298bd0673840cadd1fb36d7225485504ceb4 Gitweb: https://git.kernel.org/tip/6879298bd0673840cadd1fb36d7225485504ceb4 Author: Thomas Gleixner AuthorDate: Sat, 20 Jul 2019 10:56:41 +0200 Committer: Thomas Gleixner CommitDate: Sat, 20 Jul 2019 14:28:41 +0200 x86/entry/64: Prevent clobbering of saved CR2 value The recent fix for CR2 corruption introduced a new way to reliably corrupt the saved CR2 value. CR2 is saved early in the entry code in RDX, which is the third argument to the fault handling functions. But it missed that between saving and invoking the fault handler enter_from_user_mode() can be called. RDX is a caller saved register so the invoked function can freely clobber it with the obvious consequences. The TRACE_IRQS_OFF call is safe as it calls through the thunk which preserves RDX, but TRACE_IRQS_OFF_DEBUG is not because it also calls into C-code outside of the thunk. Store CR2 in R12 instead which is a callee saved register and move R12 to RDX just before calling the fault handler. Fixes: a0d14b8909de ("x86/mm, tracing: Fix CR2 corruption") Reported-by: Sean Christopherson Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1907201020540.1782@nanos.tec.linutronix.de --- arch/x86/entry/entry_64.S | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S index 7cb2e1f1ec09..f7c70c1bee8b 100644 --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S @@ -875,7 +875,12 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt UNWIND_HINT_REGS .if \read_cr2 - GET_CR2_INTO(%rdx); /* can clobber %rax */ + /* + * Store CR2 early so subsequent faults cannot clobber it. Use R12 as + * intermediate storage as RDX can be clobbered in enter_from_user_mode(). + * GET_CR2_INTO can clobber RAX. + */ + GET_CR2_INTO(%r12); .endif .if \shift_ist != -1 @@ -904,6 +909,10 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt subq $\ist_offset, CPU_TSS_IST(\shift_ist) .endif + .if \read_cr2 + movq %r12, %rdx /* Move CR2 into 3rd argument */ + .endif + call \do_sym .if \shift_ist != -1