Re: [PATCH v7 12/18] x86/fsgsbase/64: GSBASE handling with FSGSBASE in the paranoid path

From: Bae, Chang Seok
Date: Sat Jun 29 2019 - 03:21:16 EST



> On May 8, 2019, at 03:02, Chang S. Bae <chang.seok.bae@xxxxxxxxx> wrote:
>
> ENTRY(paranoid_exit)
> â
> +
> + /* On FSGSBASE systems, always restore the stashed GSBASE */
> + wrgsbase %rbx
> + jmp .Lparanoid_exit_no_swapgs;

It would crash any time getting a paranoid entry with user GS but kernel CR3.
The issue is thankfully uncovered by Vegard N. A relevant test case will be
published by Andy L. The patch fixes the issue. (Rebased on the tip master.)

diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index b5e782a..dfdadc1 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1288,9 +1288,12 @@ ENTRY(paranoid_exit)
/* Handle GS depending on FSGSBASE availability */
ALTERNATIVE "jmp .Lparanoid_exit_checkgs", "nop",X86_FEATURE_FSGSBASE

+ TRACE_IRQS_IRETQ
+ /* Always restore stashed CR3 value (see paranoid_entry) */
+ RESTORE_CR3 scratch_reg=%rax save_reg=%r14
/* With FSGSBASE enabled, unconditionally restore GSBASE */
wrgsbase %rbx
- jmp .Lparanoid_exit_no_swapgs;
+ jmp .Lparanoid_exit_restore;

.Lparanoid_exit_checkgs:
/* On non-FSGSBASE systems, conditionally do SWAPGS */

> ...
> .Lparanoid_exit_no_swapgs:
> TRACE_IRQS_IRETQ_DEBUG
> /* Always restore stashed CR3 value (see paranoid_entry) */
> RESTORE_CR3 scratch_reg=%rbx save_reg=%r14
> +
> .Lparanoid_exit_restore:
> - jmp restore_regs_and_return_to_kernel
> + jmp restore_regs_and_return_to_kernel
> END(paranoid_exit)
>