From: Lai Jiangshan
To: linux-kernel@vger.kernel.org
Cc: Lai Jiangshan, Andy Lutomirski, Thomas Gleixner, Ingo Molnar, Borislav Petkov, x86@kernel.org, "H. Peter Anvin", Peter Zijlstra, Alexandre Chartre, "Eric W. Biederman", Jann Horn, Dave Hansen
Subject: [PATCH 3/5] x86/entry: directly switch to kernel stack when .Lerror_bad_iret
Date: Wed, 27 May 2020 07:31:05 +0000
Message-Id: <20200527073107.2127-4-laijs@linux.alibaba.com>
In-Reply-To: <20200527073107.2127-1-laijs@linux.alibaba.com>
References: <20200527073107.2127-1-laijs@linux.alibaba.com>

Directly copy pt_regs to the kernel stack when .Lerror_bad_iret.
Directly switch to the kernel stack when .Lerror_bad_iret.

We can see that entry_64.S does the following things back to back when .Lerror_bad_iret:

  call fixup_bad_iret(), switch to sp0 stack with pt_regs copied
  call sync_regs(), switch to kernel stack with pt_regs copied

So we can do all the things together in fixup_bad_iret().

After this patch, fixup_bad_iret() is restored to the behavior before 7f2590a110b8 ("x86/entry/64: Use a per-CPU trampoline stack for IDT entries").

Signed-off-by: Lai Jiangshan
---
 arch/x86/entry/entry_64.S | 13 ++-----------
 arch/x86/kernel/traps.c   |  9 ++++-----
 2 files changed, 6 insertions(+), 16 deletions(-)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index e8817ae31390..c5db048e5bed 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1329,16 +1329,6 @@ SYM_CODE_START_LOCAL(error_entry) ENCODE_FRAME_POINTER 8 ret -.Lerror_entry_from_usermode_after_swapgs: - /* Put us onto the real thread stack. */ - popq %r12 /* save return addr in %12 */ - movq %rsp, %rdi /* arg0 = pt_regs pointer */ - call sync_regs - movq %rax, %rsp /* switch stack */ - ENCODE_FRAME_POINTER - pushq %r12 - ret - .Lerror_entry_done_lfence: FENCE_SWAPGS_KERNEL_ENTRY .Lerror_entry_done: @@ -1392,7 +1382,8 @@ SYM_CODE_START_LOCAL(error_entry) mov %rsp, %rdi call fixup_bad_iret mov %rax, %rsp - jmp .Lerror_entry_from_usermode_after_swapgs + ENCODE_FRAME_POINTER 8 + ret SYM_CODE_END(error_entry) SYM_CODE_START_LOCAL(error_exit) diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 9e5d81cb94ba..3bef95934644 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -666,13 +666,12 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s) /* * This is called from entry_64.S early in handling a fault * caused by a bad iret to user mode. To handle the fault - * correctly, we want to move our stack frame to where it would - * be had we entered directly on the entry stack (rather than - * just below the IRET frame) and we want to pretend that the - * exception came from the IRET target. + * correctly, we want to move our stack frame to kernel stack + * (rather than just below the IRET frame) and we want to + * pretend that the exception came from the IRET target. */ struct bad_iret_stack tmp, *new_stack = - (struct bad_iret_stack *)__this_cpu_read(cpu_tss_rw.x86_tss.sp0) - 1; + (struct bad_iret_stack *)__this_cpu_read(cpu_current_top_of_stack) - 1; /* Copy the IRET target to the temporary storage. */ memcpy(&tmp.regs.ip, (void *)s->regs.sp, 5*8); -- 2.20.1
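Review bot: in the first entry_64.S hunk (@@ -1329), the only reference to the deleted .Lerror_entry_from_usermode_after_swapgs block that is visible in this patch is the `jmp` replaced in the next hunk, and the context lines directly above the label (`ENCODE_FRAME_POINTER 8` / `ret`) show the user-mode path already returns before reaching it, so the block was reachable only through that `jmp`. State this in the commit message so a reviewer can see the deletion leaves no dangling users without grepping the rest of entry_64.S.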
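Review bot: in the second entry_64.S hunk (@@ -1392), the new `ret` right after `mov %rax, %rsp` relies on fixup_bad_iret() leaving error_entry's return address at the top of the stack it returns; the path being replaced made that handling explicit with `popq %r12` / `pushq %r12` around the sync_regs call, while the new code is silent about it. A one-line comment on the new tail, matching the `ENCODE_FRAME_POINTER 8` / `ret` sequence that ends the normal user-mode path in the first hunk, would make the layout the `ret` depends on clear to the next reader.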
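Review bot: in the traps.c hunk (@@ -666), the updated comment should read "to the kernel stack", and either the comment or the commit message should say that cpu_current_top_of_stack is the stack sync_regs() previously switched to, because that equivalence is what justifies dropping the sync_regs call in entry_64.S. The `- 1` offset is unchanged, so new_stack still reserves a full struct bad_iret_stack (including the error_entry return slot) at the top of the task stack, which is what the bare `ret` in the second hunk needs; worth a short note since the destination stack changed from the per-CPU sp0 stack to the task stack.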