Re: Save a WRMSR GS.base?

Next message: Ron Economos: "Re: [PATCH 6.18 000/315] 6.18.35-rc1 review"
Previous message: Dmitry Baryshkov: "Re: [PATCH 3/3] clk: qcom: gdsc: tear down per-domain genpds in gdsc_unregister()"
Next in thread: Borislav Petkov: "Re: Save a WRMSR GS.base?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: H. Peter Anvin

Date: Mon Jun 08 2026 - 02:51:34 EST

On June 5, 2026 10:17:11 AM PDT, Borislav Petkov <bp@xxxxxxxxx> wrote:
>On Fri, Jun 05, 2026 at 08:51:04AM -0700, H. Peter Anvin wrote:
>> No, GS.base might have been loaded (with wrgsbase) after GS was loaded, so
>> it could be *completely different*.
>
>So you're basically saying, LKGS would load the IA32_KERNEL_GS_BASE which
>belongs to the segment selector. This is what the pseudo code in the SDM says:
>
> GS.selector := SRC;
> GS.attributes := descriptor.attributes;
> IA32_KERNEL_GS_BASE := descriptor.base; // bits 63:32 cleared
>
>Now, luserspace might've put something else in GS.base with WRGSBASE:
>
> GS.base := SRC;
>
>So now, on context switch, we need to load IA32_KERNEL_GS_BASE with
>next->gsbase which is the GS.base of the next task we're switching to.
>
>And yes, GS.base is mapped to IA32_KERNEL_GS_BASE so yes, we must do that
>update.
>
>And yes, as Andrew points out, both LKGS and WRMGSBASE do 32-bit writes only
>so we need to do the full MSR write.
>
>Ok, thanks guys, that makes sense.
>

WRxSBASE does a 64-bit write, but for GS it would incorrectly address the kernel GS.base. For legacy it can be used under swapgs, but with FRED that is disallowed.