Re: Save a WRMSR GS.base?

Next message: Waiman Long: "Re: [PATCH v4] debugobjects: Don't call fill_pool() in early boot hardirq context"
Previous message: Chaitanya Kulkarni: "Re: [PATCH] block: Add WQ_PERCPU to alloc_workqueue users"
In reply to: H. Peter Anvin: "Re: Save a WRMSR GS.base?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Borislav Petkov

Date: Fri Jun 05 2026 - 13:24:22 EST

On Fri, Jun 05, 2026 at 08:51:04AM -0700, H. Peter Anvin wrote:
> No, GS.base might have been loaded (with wrgsbase) after GS was loaded, so
> it could be *completely different*.

So you're basically saying, LKGS would load the IA32_KERNEL_GS_BASE which
belongs to the segment selector. This is what the pseudo code in the SDM says:

GS.selector := SRC;
GS.attributes := descriptor.attributes;
IA32_KERNEL_GS_BASE := descriptor.base; // bits 63:32 cleared

Now, luserspace might've put something else in GS.base with WRGSBASE:

GS.base := SRC;

So now, on context switch, we need to load IA32_KERNEL_GS_BASE with
next->gsbase which is the GS.base of the next task we're switching to.

And yes, GS.base is mapped to IA32_KERNEL_GS_BASE so yes, we must do that
update.

And yes, as Andrew points out, both LKGS and WRMGSBASE do 32-bit writes only
so we need to do the full MSR write.

Ok, thanks guys, that makes sense.

--
Regards/Gruss,
Boris.

https://people.kernel.org/tglx/notes-about-netiquette