[PATCH 03/14] x86/hw_breakpoint: Prevent data breakpoints on per_cpu cpu_tss_rw

From: Peter Zijlstra <peterz@infradead.org>
To: tglx@linutronix.de, luto@amacapital.net, peterz@infradead.org
Cc: linux-kernel@vger.kernel.org, x86@kernel.org,
	Lai Jiangshan <laijs@linux.alibaba.com>,
	sean.j.christopherson@intel.com, andrew.cooper3@citrix.com,
	daniel.thompson@linaro.org, a.darwish@linutronix.de,
	rostedt@goodmis.org, bigeasy@linutronix.de
Subject: [PATCH 03/14] x86/hw_breakpoint: Prevent data breakpoints on per_cpu cpu_tss_rw
Date: Fri, 29 May 2020 23:27:31 +0200	[thread overview]
Message-ID: <20200529213320.897976479@infradead.org> (raw)
In-Reply-To: 20200529212728.795169701@infradead.org

From: Lai Jiangshan <laijs@linux.alibaba.com>

cpu_tss_rw is not directly referenced by hardware, but
cpu_tss_rw is also used in CPU entry code, especially
when #DB shifts its stacks. If a data breakpoint is on
the cpu_tss_rw.x86_tss.ist[IST_INDEX_DB], it will cause
recursive #DB (and then #DF soon for #DB is generated
after the access, IST-shifting, is done).

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20200526014221.2119-4-laijs@linux.alibaba.com
---
 arch/x86/kernel/hw_breakpoint.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/arch/x86/kernel/hw_breakpoint.c
+++ b/arch/x86/kernel/hw_breakpoint.c
@@ -255,6 +255,15 @@ static inline bool within_cpu_entry(unsi
 		if (within_area(addr, end, (unsigned long)get_cpu_gdt_rw(cpu),
 				GDT_SIZE))
 			return true;
+
+		/*
+		 * cpu_tss_rw is not directly referenced by hardware, but
+		 * cpu_tss_rw is also used in CPU entry code,
+		 */
+		if (within_area(addr, end,
+				(unsigned long)&per_cpu(cpu_tss_rw, cpu),
+				sizeof(struct tss_struct)))
+			return true;
 	}
 
 	return false;


