Message-ID: <20200529213320.840953950@infradead.org>
User-Agent: quilt/0.66
Date: Fri, 29 May 2020 23:27:30 +0200
From: Peter Zijlstra
To: tglx@linutronix.de, luto@amacapital.net, peterz@infradead.org
Cc: linux-kernel@vger.kernel.org, x86@kernel.org, Lai Jiangshan , sean.j.christopherson@intel.com, andrew.cooper3@citrix.com, daniel.thompson@linaro.org, a.darwish@linutronix.de, rostedt@goodmis.org, bigeasy@linutronix.de
Subject: [PATCH 02/14] x86/hw_breakpoint: Prevent data breakpoints on direct GDT
References: <20200529212728.795169701@infradead.org>

From: Lai Jiangshan

A data breakpoint on the GDT is terrifying and should be avoided. The GDT on the CPU entry area is already protected. The direct GDT should also be protected, although it is seldom used and only used for a short time.

Signed-off-by: Lai Jiangshan
Signed-off-by: Peter Zijlstra (Intel)
Link: https://lkml.kernel.org/r/20200526014221.2119-3-laijs@linux.alibaba.com
---
 arch/x86/kernel/hw_breakpoint.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

--- a/arch/x86/kernel/hw_breakpoint.c +++ b/arch/x86/kernel/hw_breakpoint.c @@ -32,6 +32,7 @@ #include #include #include +#include /* Per cpu debug control register value */ DEFINE_PER_CPU(unsigned long, cpu_dr7);
@@ -237,13 +238,26 @@ static inline bool within_area(unsigned } /* - * Checks whether the range from addr to end, inclusive, overlaps the CPU - * entry area range. + * Checks whether the range from addr to end, inclusive, overlaps the fixed + * mapped CPU entry area range or other ranges used for CPU entry. */ -static inline bool within_cpu_entry_area(unsigned long addr, unsigned long end) +static inline bool within_cpu_entry(unsigned long addr, unsigned long end) { - return within_area(addr, end, CPU_ENTRY_AREA_BASE, - CPU_ENTRY_AREA_TOTAL_SIZE); + int cpu; + + /* CPU entry erea is always used for CPU entry */ + if (within_area(addr, end, CPU_ENTRY_AREA_BASE, + CPU_ENTRY_AREA_TOTAL_SIZE)) + return true; + + for_each_possible_cpu(cpu) { + /* The original rw GDT is being used after load_direct_gdt() */ + if (within_area(addr, end, (unsigned long)get_cpu_gdt_rw(cpu), + GDT_SIZE)) + return true; + } + + return false; } static int arch_build_bp_info(struct perf_event *bp, @@ -257,12 +271,12 @@ static int arch_build_bp_info(struct per return -EINVAL; /* - * Prevent any breakpoint of any type that overlaps the - * cpu_entry_area. This protects the IST stacks and also + * Prevent any breakpoint of any type that overlaps the CPU + * entry area and data. This protects the IST stacks and also * reduces the chance that we ever find out what happens if * there's a data breakpoint on the GDT, IDT, or TSS. */ - if (within_cpu_entry_area(attr->bp_addr, bp_end)) + if (within_cpu_entry(attr->bp_addr, bp_end)) return -EINVAL; hw->address = attr->bp_addr;
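Review bot: the header name on the new `+#include` line in the `@@ -32,6 +32,7 @@` hunk has been lost in extraction, as have the three existing includes next to it; since the new code further down relies on get_cpu_gdt_rw() and GDT_SIZE, the added include should be the header that declares those, and it is worth confirming in review that it is not already pulled in transitively by one of the neighbouring includes.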
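Review bot: typo in the new comment in within_cpu_entry() in the `@@ -237,13 +238,26 @@` hunk: `/* CPU entry erea is always used for CPU entry */` should read `area`. Two further points on the same hunk. First, the for_each_possible_cpu() loop runs on every call, i.e. once per breakpoint built in arch_build_bp_info(), so the check goes from a single range compare to O(nr_possible_cpus) compares; that is acceptable for a registration-time slow path, but please confirm get_cpu_gdt_rw(cpu) yields a valid address for every possible CPU, not only online ones, since that is what the loop iterates. Second, the comment `/* The original rw GDT is being used after load_direct_gdt() */` does not say what the commit message says, namely that this GDT is live only for short windows; something like `/* The per-CPU rw GDT is the live GDT while load_direct_gdt() is in effect */` would make the reason for covering it clear at the point of use.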
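Review bot: the reworded comment in the `@@ -257,12 +271,12 @@` hunk, `* entry area and data. This protects the IST stacks and also`, is vaguer than the code it describes, since "data" does not say what is now covered. Suggest naming it, e.g. `* entry area and the per-CPU direct GDT. This protects the IST stacks and also`, so the comment matches within_cpu_entry() and the GDT, IDT and TSS list in the sentence that follows. The rename of the call from within_cpu_entry_area() to within_cpu_entry() is consistent with the hunk above and the -EINVAL return path is unchanged.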