Re: crash in entry.S restore_all, 2.6.12-rc2, x86, PAGEALLOC

[Linus Torvalds]

On Thu, 7 Apr 2005, Stas Sergeev wrote:
> 
> > because it adds the 2 words space that is needed - but the information 
> > relied on by your irq-return test is still bogus.
>
> But as an example for demonstrating the problem,
> I thought, it could do:)

Ingo: the information is bogus, but you're wrong: the code doesn't "rely"  
on it.

The fact is, bogus information is _fine_. That's what speculative work is 
all about: working with bogus information, with the assumption that some 
later test will ignore it if it's not relevant.

And the later test _will_ ignore it if it isn't relevant. Look for 
yourself:

        cmpl $((4 << 8) | 3), %eax
        je ldt_ss                       # returning to user-space with LDT SS

notice how the "cmpl" _only_ triggers if the old CS had the low three bits 
set and if EFLAGS_VM is clear. So if we return to kernel mode (or vm86) 
mode, we _know_ that the SS is bogus, but we don't care. We've tested for 
the proper thing, and we only do the special user-space LDT SS case if
 - the LDT bit was set in SS (possibly bogus)
AND
 - old CS was user space
AND
 - old eflags wasn't vm86 mode.

Ie the two second checks are what validates the first (possibly bogus) 
one.

So I really think that the _correct_ fix is literally to move the "cli" 
in the sysenter path down two lines. It doesn't just "hide" the bug, it 
literally fixes is.

		Linus
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/