Re: [PATCH] x86/entry/64: Fix native_load_gs_index() SWAPGS handling with IRQ state tracing enabled

[Andy Lutomirski <luto@kernel.org>]

On Wed, Nov 29, 2017 at 6:56 AM, David Laight <David.Laight@aculab.com> wrote:
> From: Andy Lutomirski
>> Sent: 29 November 2017 14:34
>> > On Nov 29, 2017, at 4:47 AM, Peter Zijlstra <peterz@infradead.org> wrote:
>> >
>> >> On Wed, Nov 29, 2017 at 08:09:51AM +0100, Ingo Molnar wrote:
>> >> diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
>> >> index f81d50d7ceac..c0b52df8ee4f 100644
>> >> --- a/arch/x86/entry/entry_64.S
>> >> +++ b/arch/x86/entry/entry_64.S
>> >> @@ -945,16 +945,16 @@ idtentry simd_coprocessor_error        do_simd_coprocessor_error
>> has_error_code=0
>> >>     */
>> >> ENTRY(native_load_gs_index)
>> >>    FRAME_BEGIN
>> >> +    SWAPGS                    /* switch from user GS to kernel GS */
>> >>    pushfq
>> >>    DISABLE_INTERRUPTS(CLBR_ANY & ~CLBR_RDI)
>> >>    TRACE_IRQS_OFF
>> >> -    SWAPGS
>> >
>> > I'm thinking those moves it too far back; we should at least have
>> > interrupts disabled when we do SWAPGS, no? Also, curse paravirt.
>> >
>>
>> I'll look in a few hours.
>>
>> But we definitely can't have irqs on when running with user gs.
>
> I can't remember what happens when swapgs itself faults.
> I'm pretty sure it can, restoring %ds %es and %fs can definitely fault
> (especially for 32 bit apps) if the restored values are invalid.
> With user LDT I think it is possible for a valid segment register
> to become invalid while a process is sleeping.
> The debugger (and possible a signal handler) can set the segment
> registers to arbitrary values - so loading them faults.
>
> I fixed NetBSD a few years ago so that all these faults were handled
> correctly.

SWAPGS never faults.

I did test my patch, and I'm wondering how I missed the problem.  Looking now...