Received: by 2002:a25:ef43:0:0:0:0:0 with SMTP id w3csp1240288ybm;
        Sat, 30 May 2020 03:01:51 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzUKOLiIRzx+MgTcDS+gdO1NiYr7PNaS4cgpReSJzgI3mKNY6F+yLOPA9snvvdY7OCCZ0PI
X-Received: by 2002:a50:e08c:: with SMTP id f12mr12414583edl.233.1590832911206;
        Sat, 30 May 2020 03:01:51 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1590832911; cv=none;
        d=google.com; s=arc-20160816;
        b=QXoLfrL/Kob9f4a1Tlvh0ADXl4WNKbr/0xRYQ3GoobS7uh/hyu3cO5gkZrcc9e/wLb
         Lz/5PeXpj8ebEZRAObDTjJUtAzAPSPhIVeHLI377z1iRoyP4GauNucyzlH+WhH8yJSov
         +95F8HB3WabgyGuMRUio7VGyH/kgo3pUzL6re4jN7R7az0Q631UV+kAQ4PesmzRjqdUa
         B98uRx0nFVh/4bhqasPgjPuHh4qOQsjzf6qzaB0ec3GPVQg3bqT5q05mY4aJt5eQWC9w
         gNxmwclMFIqR+1fFAPPt6Jm8zlp+ggzSPf8oLiXP7ZIw/6Jd3Ix7Z9ST5AUzvcn7jiB+
         6sAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :robot-unsubscribe:robot-id:message-id:mime-version:references
         :in-reply-to:cc:subject:to:reply-to:from:date;
        bh=bDp+MFinCBwaSgltCcCNN16tySOxVRtNjNLmqvRQ/dE=;
        b=JR9o6VrjBbWtkMUxrFV69neMcx1Ao3ePAzbn6p0rJsxlJOZg20dES3+7SDBYlxEI1q
         So6fdeqUpslmQ7PvyMUpJ76b1NYv5QCZq0NElIVQFl5gubBGFrh4Bfd5GBto0mtesDJJ
         8UWOXEEh49nmOhoGjbKTEeZWWyf2KiffVAXoB9quiZMT3Og+xbuBEONdOqxDTVtoV1hO
         cB7345Y7yj2zjZWZCtmKruLNns5BYx4EKzuNOjQv5FI5nsEuxHqdpj7hIWrOp/hT2Xpp
         rpgf1I6qP2ee2KAkR/6zAaoX7FxEJwvSq/WB76/V1gg1jY9ULSQwFcsLRev6gOZOt9Ws
         7AoA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id r12si5118305eju.597.2020.05.30.03.01.28;
        Sat, 30 May 2020 03:01:51 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729028AbgE3J5l (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Sat, 30 May 2020 05:57:41 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52956 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1728985AbgE3J5d (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 30 May 2020 05:57:33 -0400
Received: from Galois.linutronix.de (Galois.linutronix.de [IPv6:2a0a:51c0:0:12e:550::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F0BFEC03E969;
        Sat, 30 May 2020 02:57:32 -0700 (PDT)
Received: from [5.158.153.53] (helo=tip-bot2.lab.linutronix.de)
        by Galois.linutronix.de with esmtpsa (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256)
        (Exim 4.80)
        (envelope-from <tip-bot2@linutronix.de>)
        id 1jeyF1-0002sM-IJ; Sat, 30 May 2020 11:57:23 +0200
Received: from [127.0.1.1] (localhost [IPv6:::1])
        by tip-bot2.lab.linutronix.de (Postfix) with ESMTP id 1A9A01C032F;
        Sat, 30 May 2020 11:57:23 +0200 (CEST)
Date:   Sat, 30 May 2020 09:57:22 -0000
From:   "tip-bot2 for Lai Jiangshan" <tip-bot2@linutronix.de>
Reply-to: linux-kernel@vger.kernel.org
To:     linux-tip-commits@vger.kernel.org
Subject: [tip: x86/entry] x86/hw_breakpoint: Prevent data breakpoints on direct GDT
Cc:     Lai Jiangshan <laijs@linux.alibaba.com>,
        "Peter Zijlstra (Intel)" <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>, x86 <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
In-Reply-To: <20200526014221.2119-3-laijs@linux.alibaba.com>
References: <20200526014221.2119-3-laijs@linux.alibaba.com>
MIME-Version: 1.0
Message-ID: <159083264294.17951.4573330706886496463.tip-bot2@tip-bot2>
X-Mailer: tip-git-log-daemon
Robot-ID: <tip-bot2.linutronix.de>
Robot-Unsubscribe: Contact <mailto:tglx@linutronix.de> to get blacklisted from these emails
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,  ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the x86/entry branch of tip:

Commit-ID:     92a6521bf846dd08768bc4de447b79e8bd2cdb2f
Gitweb:        https://git.kernel.org/tip/92a6521bf846dd08768bc4de447b79e8bd2cdb2f
Author:        Lai Jiangshan <laijs@linux.alibaba.com>
AuthorDate:    Fri, 29 May 2020 23:27:30 +02:00
Committer:     Thomas Gleixner <tglx@linutronix.de>
CommitterDate: Sat, 30 May 2020 10:00:06 +02:00

x86/hw_breakpoint: Prevent data breakpoints on direct GDT

A data breakpoint on the GDT can be fatal and must be avoided.  The GDT in
the CPU entry area is already protected, but not the direct GDT.

Add the necessary protection.

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20200526014221.2119-3-laijs@linux.alibaba.com
Link: https://lkml.kernel.org/r/20200529213320.840953950@infradead.org

---
 arch/x86/kernel/hw_breakpoint.c | 30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

diff --git a/arch/x86/kernel/hw_breakpoint.c b/arch/x86/kernel/hw_breakpoint.c
index c149c7b..f859095 100644
--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -32,6 +32,7 @@
 #include <asm/processor.h>
 #include <asm/debugreg.h>
 #include <asm/user.h>
+#include <asm/desc.h>
 
 /* Per cpu debug control register value */
 DEFINE_PER_CPU(unsigned long, cpu_dr7);
@@ -237,13 +238,26 @@ static inline bool within_area(unsigned long addr, unsigned long end,
 }
 
 /*
- * Checks whether the range from addr to end, inclusive, overlaps the CPU
- * entry area range.
+ * Checks whether the range from addr to end, inclusive, overlaps the fixed
+ * mapped CPU entry area range or other ranges used for CPU entry.
  */
-static inline bool within_cpu_entry_area(unsigned long addr, unsigned long end)
+static inline bool within_cpu_entry(unsigned long addr, unsigned long end)
 {
-	return within_area(addr, end, CPU_ENTRY_AREA_BASE,
-			   CPU_ENTRY_AREA_TOTAL_SIZE);
+	int cpu;
+
+	/* CPU entry erea is always used for CPU entry */
+	if (within_area(addr, end, CPU_ENTRY_AREA_BASE,
+			CPU_ENTRY_AREA_TOTAL_SIZE))
+		return true;
+
+	for_each_possible_cpu(cpu) {
+		/* The original rw GDT is being used after load_direct_gdt() */
+		if (within_area(addr, end, (unsigned long)get_cpu_gdt_rw(cpu),
+				GDT_SIZE))
+			return true;
+	}
+
+	return false;
 }
 
 static int arch_build_bp_info(struct perf_event *bp,
@@ -257,12 +271,12 @@ static int arch_build_bp_info(struct perf_event *bp,
 		return -EINVAL;
 
 	/*
-	 * Prevent any breakpoint of any type that overlaps the
-	 * cpu_entry_area.  This protects the IST stacks and also
+	 * Prevent any breakpoint of any type that overlaps the CPU
+	 * entry area and data.  This protects the IST stacks and also
 	 * reduces the chance that we ever find out what happens if
 	 * there's a data breakpoint on the GDT, IDT, or TSS.
 	 */
-	if (within_cpu_entry_area(attr->bp_addr, bp_end))
+	if (within_cpu_entry(attr->bp_addr, bp_end))
 		return -EINVAL;
 
 	hw->address = attr->bp_addr;