[ On mobile, sorry for html ]

On Mar 5, 2018 02:26, "Joerg Roedel" <joro@8bytes.org> wrote:

From: Joerg Roedel <jroedel@suse.de>

Restoring the segments can cause exceptions that need to be
handled. With PTI enabled, we still need to be on kernel cr3
when the exception happens. For the cr3-switch we need
at least one integer scratch register, so we can't switch
with the user integer registers already loaded.


This fundamentally seems wrong.

The things is, we *know* that we will restore two segment registers with
the user cr3 already loaded: CS and SS get restored with the final iret.

And yes, the final iret can fault due to CS/SS no longer being valid,
either because of ptrace or because the ldt was changed.

So making it be a "rule" that segment registers be restored with the kernel
cr3 active seems bogus. It just means that you're making a rule that cannot
possibly be generic.

So has this been tested with

 - single-stepping through sysenter

   This takes a DB fault in the first kernel instruction. We're in kernel
mode, but with user cr3.

 - ptracing and setting CS/SS to something bad

   That should test the "exception on iret" case - again in kernel mode,
but with user cr3 restored for the return.

I didn't look closely at the whole series, so maybe this is all fine. I
mainly reacted to the "With PTI enabled, we still need to be on kernel cr3
when the exception happens" part of the explanation..

      Linus