Re: [PATCH urgent] x86, asm: Disable opportunistic SYSRET if regs->flags has TF set
From: Denys Vlasenko
Date: Wed Apr 01 2015 - 17:18:31 EST
On 04/01/2015 09:25 PM, Andy Lutomirski wrote:
> Fix it by using IRET to restore TF. Since it's late, I'm keeping
> this minimal and keeping "testq" instead of switching to "testl".
Changing to "testl" here wins nothing. Since r11 is used,
a REX prefix will be encoded anyway.
> - testq $X86_EFLAGS_RF,%r11 /* sysret can't restore RF */
> + /*
> + * SYSRET can't restore RF. SYSRET can restore TF, but unlike IRET,
> + * restoring TF results in a trap from userspace immediately after
> + * SYSRET.
> This would cause an infinite loop whenever #DB happens
> + * with register state that satisfies the opportunistic SYSRET
> + * conditions.
> + */
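Review bot: as quoted, the hunk shows the removed `testq $X86_EFLAGS_RF,%r11` line and the new comment but not the replacement test, so the comment describes a TF condition that no visible instruction checks; keep the replacement line (a test of both the RF and TF bits in %r11) directly under this comment so the two read together. The phrase "a trap from userspace immediately after SYSRET" would be clearer if it said explicitly that the trap fires before the instruction at RIP executes, since that is why the state never changes and the loop never makes progress.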
I propose to just show an example of the affected code:
> This can cause an infinite loop. Example:
> * asm volatile("movq $1f,%rcx\n\t"
> * "pushfq\n\t"
> * "popq %r11\n\t"
> * "nop\n\t"
> * "1:");
> * The above example would get stuck at "1:".
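As an added illustration, not part of this thread and not the kernel's entry code: a small C model of the opportunistic-SYSRET decision with the pre- and post-patch conditions, plus a simulation of the two return paths the comment describes. The condition set (rcx == rip, canonical rip, r11 == flags, RF clear, and after the fix TF clear) is taken from the patch discussion; the struct, function names and the sample register state are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits as named in the patch (values from the x86 EFLAGS layout). */
#define X86_EFLAGS_TF 0x00000100UL
#define X86_EFLAGS_RF 0x00010000UL

/* The registers the opportunistic SYSRET decision looks at (a model, not pt_regs). */
struct trap_regs {
	uint64_t rip;
	uint64_t rcx;
	uint64_t r11;
	uint64_t flags;
};

/* 48-bit canonical check: the same sign-extension test the entry code does with shl/sar. */
static bool rip_is_canonical(uint64_t rip)
{
	return (uint64_t)(((int64_t)(rip << 16)) >> 16) == rip;
}

/* Pre-patch model: SYSRET is used when rcx==rip, rip is canonical, r11==flags, RF clear. */
bool sysret_ok_before(const struct trap_regs *r)
{
	return r->rcx == r->rip &&
	       rip_is_canonical(r->rip) &&
	       r->r11 == r->flags &&
	       !(r->flags & X86_EFLAGS_RF);
}

/* Post-patch model: additionally fall back to IRET when TF is set. */
bool sysret_ok_after(const struct trap_regs *r)
{
	return sysret_ok_before(r) && !(r->flags & X86_EFLAGS_TF);
}

/*
 * Simulate returning to userspace after a #DB with the given register state.
 *  - SYSRET loads TF from r11; with TF set the single-step trap fires before the
 *    instruction at rip runs, so the kernel sees identical regs and decides again.
 *  - IRET restores TF as well, but the instruction at rip executes before the
 *    next single-step trap, so user code makes progress.
 * Returns the number of returns until the trapped instruction executes, or -1 if
 * the limit is reached without progress (the infinite loop the thread describes).
 */
int returns_until_progress(struct trap_regs r,
			   bool (*sysret_ok)(const struct trap_regs *), int limit)
{
	for (int i = 1; i <= limit; i++) {
		if (sysret_ok(&r) && (r.flags & X86_EFLAGS_TF))
			continue;	/* trapped again with the same state */
		return i;		/* IRET, or SYSRET without TF: progress */
	}
	return -1;
}

int main(void)
{
	/* Constructed state: user code parked at "1:" with rcx==rip, r11==flags, TF set. */
	struct trap_regs stepping = {
		.rip = 0x401000, .rcx = 0x401000,
		.r11 = 0x202 | X86_EFLAGS_TF, .flags = 0x202 | X86_EFLAGS_TF,
	};
	printf("before fix: %d\n", returns_until_progress(stepping, sysret_ok_before, 1000));
	printf("after fix:  %d\n", returns_until_progress(stepping, sysret_ok_after, 1000));
	return 0;
}
```

The pre-patch decision function admits the single-stepping state and the simulation never returns, while the post-patch function forces IRET and the trapped instruction runs on the first return; the same state with TF clear still takes SYSRET under both versions, which is the fast path the fix preserves.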
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/