Re: [PATCH v10 08/15] x86/vsyscall: Reorganize the page fault emulation code
From: Dave Hansen
Date: Tue Oct 07 2025 - 14:48:07 EST
On 10/7/25 11:37, Edgecombe, Rick P wrote:
>> /*
>> * No point in checking CS -- the only way to get here is a user mode
>> * trap to a high address, which means that we're in 64-bit user code.
> I don't know. Is this as true any more? We are now sometimes guessing based on
> regs->ip of a #GP. What if the kernel accidentally tries to jump to the vsyscall
> address? Then we are reading the kernel stack and strange things. Maybe it's
> worth replacing the comment with a check? Feel free to call this paranoid.
The first check in emulate_vsyscall() is:
    /* Write faults or kernel-privilege faults never get fixed up. */
    if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER)
        return false;
If the kernel jumped to the vsyscall page, it would end up there, return
false, and never reach the code near the "No point in checking CS" comment.
Right? Or am I misunderstanding the scenario you're calling out?
If I'm understanding it right, I'd be a bit reluctant to add a CS check
as well.
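To make the argument above concrete, here is an added stand-alone model (not kernel code and not part of the patch) of that first check, run over constructed fault scenarios including the "kernel jumps to the vsyscall address" case; it assumes the architectural page-fault error-code bit layout that the X86_PF_* constants encode.

```c
#include <stdbool.h>
#include <stdio.h>

/* Page-fault error-code bits as defined by the x86 architecture.
 * Re-declared here with the same values the kernel uses for X86_PF_*
 * so the example is self-contained. */
#define X86_PF_PROT  (1UL << 0) /* 0: page not present, 1: protection violation */
#define X86_PF_WRITE (1UL << 1) /* access was a write */
#define X86_PF_USER  (1UL << 2) /* fault raised while executing in user mode */
#define X86_PF_RSVD  (1UL << 3) /* reserved bit set in a page-table entry */
#define X86_PF_INSTR (1UL << 4) /* fault was an instruction fetch */

/* Model of the first check in emulate_vsyscall(): only user-mode,
 * non-write faults survive; everything else is rejected here, before
 * any reasoning about CS or regs->ip happens. */
static bool vsyscall_fault_is_candidate(unsigned long error_code)
{
	/* Write faults or kernel-privilege faults never get fixed up. */
	if ((error_code & (X86_PF_WRITE | X86_PF_USER)) != X86_PF_USER)
		return false;
	return true;
}

struct fault_case { const char *what; unsigned long error_code; };

/* Constructed scenarios. A kernel-mode jump to the vsyscall address is an
 * instruction-fetch fault with the USER bit clear, so it is rejected. */
static const struct fault_case cases[] = {
	{ "user-mode call into vsyscall page (fetch)", X86_PF_USER | X86_PF_INSTR },
	{ "user-mode read of vsyscall page",           X86_PF_USER },
	{ "user-mode write to vsyscall page",          X86_PF_USER | X86_PF_WRITE },
	{ "kernel-mode jump to vsyscall address",      X86_PF_INSTR },
	{ "kernel-mode read of vsyscall address",      0 },
};

/* Prints each scenario's verdict and returns how many pass the first check. */
static int count_candidates(void)
{
	int n = 0;
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		bool ok = vsyscall_fault_is_candidate(cases[i].error_code);
		printf("%-45s error_code=0x%02lx -> %s\n", cases[i].what,
		       cases[i].error_code, ok ? "candidate" : "reject");
		n += ok;
	}
	return n;
}

int main(void) { count_candidates(); return 0; }
```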