Linux-EFI Archive on
From: "H. Peter Anvin" <>
To: Andy Lutomirski <>,
	Matt Fleming
Cc: Paolo Bonzini <>,
	X86 ML <>,
	stable <>,
	Laszlo Ersek <>,
	Matt Fleming
	Borislav Petkov <>,
Subject: Re: [PATCH] x86: setup: extend low identity map to cover whole kernel range
Date: Thu, 15 Oct 2015 05:18:56 -0700
Message-ID: <> (raw)
In-Reply-To: <>

On October 14, 2015 2:39:58 PM PDT, Andy Lutomirski <> wrote:
>On Wed, Oct 14, 2015 at 2:00 PM, Matt Fleming
><matt-mF/unelCI9GS6iBeEJttW/> wrote:
>> On Wed, 14 Oct, at 09:22:03AM, Andy Lutomirski wrote:
>>> On Wed, Oct 14, 2015 at 6:52 AM, Matt Fleming
>>> <matt-mF/unelCI9GS6iBeEJttW/> wrote:
>>> > (Pulling in luto for low-level x86 fu)
>>> >
>>> > On Wed, 14 Oct, at 01:30:45PM, Paolo Bonzini wrote:
>>> >> On 32-bit systems, the initial_page_table is reused by
>>> >> efi_call_phys_prolog as an identity map to call
>>> >> SetVirtualAddressMap.  efi_call_phys_prolog takes care of
>>> >> converting the current CPU's GDT to a physical address too.
>>> >>
>>> >> For PAE kernels the identity mapping is achieved by aliasing the
>>> >> first PDPE for the kernel memory mapping into the first PDPE
>>> >> of initial_page_table.  This makes the EFI stub's trick "just
>>> >>
>>> >> However, for non-PAE kernels there is no guarantee that the
>>> >> mapping in the initial_page_table extends as far as the GDT; in
>>> >> case, accesses to the GDT will cause a page fault (which quickly
>>> >> a triple fault).  Fix this by copying the kernel mappings from
>>> >> swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET
>>> >> and at
>>> >> identity mapping.
>>> >
>>> > Oops, good catch guys. This is clearly a bug, but...
>>> >
>>> >> For some reason, this is only reproducible with QEMU's dynamic
>>> >> mode, and not for example with KVM.  However, even under KVM one
>>> >> can clearly
>>> >> see that the page table is bogus:
>>> I haven't looked at the code, but it wouldn't surprise me if this is
>>> some kind of TLB issue.  With the hardware TLB (which is in use on
>>> KVM), it seems quite likely that the GDT is pretty much always in
>>> TLB and, if nothing flushes global mappings, then it'll probably
>>> around.
>> From some quick experiments it appears that you can skate past this
>> issue if you don't receive any interrupts while the bogus GDT pointer
>> is loaded, or if you avoid reloading the segment registers in
>> Which is interesting because I assumed that writing to GDTR took
>> immediate effect.
>Trivia for your amusement:
>AFAICT it's entirely permissible for the GDTR and/or LDT descriptor to
>point to unmapped memory.  Any attempt to use them (segment loads,
>interrupts, IRET, etc) will try to access that memory as if the access
>came from CPL 0 and, if the access fails, will generate a valid page
>fault with CR2 pointing into the GDT or LDT.
>Xen is nuts^Wclever and actually uses this.
>Of course, if your #PF vector references a GDT or LDT descriptor and
>trying to load that descriptor results in a page fault, you get a
>double fault.
>I learned this while trying to puzzle out why v1 of my LDT
>synchronization patch caused random faults on Xen.

There is no "if"... you can't get to an interrupt vector without going through the GDT or LDT.  That being said, the GDT or LDT can be partially mapped.
Sent from my Android device with K-9 Mail. Please excuse my brevity.
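The non-PAE fix described in the quoted commit message (copy the kernel PDEs from swapper_pg_dir into initial_page_table both at PAGE_OFFSET and at the identity range), modelled as an added example that is not the patch or kernel code. It assumes a 128 MiB lowmem mapping, a "before" prolog that identity-maps only the first 8 MiB, and a GDT at physical 0x07C00000; PDE flags other than Present are omitted.

```c
/* Model of the fix in the quoted commit message: copy the kernel PDEs from
 * swapper_pg_dir into initial_page_table at PAGE_OFFSET and at the identity
 * range. Added illustration, not kernel code; flags and addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define PTRS_PER_PGD        1024u
#define PGDIR_SHIFT         22
#define PAGE_OFFSET         0xC0000000u
#define KERNEL_PGD_BOUNDARY (PAGE_OFFSET >> PGDIR_SHIFT)         /* 768 */
#define KERNEL_PGD_PTRS     (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY) /* 256 */
#define PDE_PRESENT         1u

static uint32_t swapper_pg_dir[PTRS_PER_PGD];
static uint32_t initial_page_table[PTRS_PER_PGD];

/* Constructed kernel mapping: lowmem_mib of RAM mapped linearly at PAGE_OFFSET
 * with 4 MiB PDEs (non-PAE, large pages). */
static void build_swapper(uint32_t lowmem_mib)
{
    memset(swapper_pg_dir, 0, sizeof swapper_pg_dir);
    for (uint32_t i = 0; i < lowmem_mib / 4; i++)
        swapper_pg_dir[KERNEL_PGD_BOUNDARY + i] = (i << PGDIR_SHIFT) | PDE_PRESENT;
}

/* Before the fix (as modelled): only the first 8 MiB are identity mapped, so a
 * GDT higher in lowmem is unreachable once CR3 points at initial_page_table. */
static void prolog_old(void)
{
    memset(initial_page_table, 0, sizeof initial_page_table);
    initial_page_table[0] = swapper_pg_dir[KERNEL_PGD_BOUNDARY];
    initial_page_table[1] = swapper_pg_dir[KERNEL_PGD_BOUNDARY + 1];
}

/* The fix: copy the kernel PDEs twice, at PAGE_OFFSET and at the identity range. */
static void prolog_fixed(void)
{
    size_t len = KERNEL_PGD_PTRS * sizeof(uint32_t);
    memset(initial_page_table, 0, sizeof initial_page_table);
    memcpy(initial_page_table + KERNEL_PGD_BOUNDARY, swapper_pg_dir + KERNEL_PGD_BOUNDARY, len);
    memcpy(initial_page_table, swapper_pg_dir + KERNEL_PGD_BOUNDARY, len);
}

/* Is the PDE covering addr (physical, or its PAGE_OFFSET alias) present after prolog? */
static bool gdt_reachable(void (*prolog)(void), uint32_t addr)
{
    build_swapper(128);
    prolog();
    return (initial_page_table[addr >> PGDIR_SHIFT] & PDE_PRESENT) != 0;
}
```

With the old prolog the GDT at 0x07C00000 has no PDE, so the first GDT access after switching CR3 faults; with the fixed prolog it is reachable both by physical address and via its PAGE_OFFSET alias.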

Thread overview: 9+ messages
2015-10-14 11:30 Paolo Bonzini
2015-10-14 13:52 ` Matt Fleming
2015-10-14 14:29   ` Paolo Bonzini
2015-10-14 21:04     ` Matt Fleming
     [not found]   ` <20151014135211.GB2782-mF/unelCI9GS6iBeEJttW/>
2015-10-14 16:22     ` Andy Lutomirski
2015-10-14 21:00       ` Matt Fleming
     [not found]         ` <20151014210050.GE2782-mF/unelCI9GS6iBeEJttW/>
2015-10-14 21:39           ` Andy Lutomirski
2015-10-15  9:45             ` Matt Fleming
     [not found]             ` <>
2015-10-15 12:18               ` H. Peter Anvin [this message]
