[ On mobile, sorry for html ]

On Mar 5, 2018 02:26, "Joerg Roedel" <joro@8bytes.org> wrote:
From: Joerg Roedel <jroedel@suse.de>

Restoring the segments can cause exceptions that need to be
handled. With PTI enabled, we still need to be on kernel cr3
when the exception happens. For the cr3-switch we need
at least one integer scratch register, so we can't switch
with the user integer registers already loaded.

This fundamentally seems wrong.

The thing is, we *know* that we will restore two segment registers with the user cr3 already loaded: CS and SS get restored with the final iret.

And yes, the final iret can fault due to CS/SS no longer being valid, either because of ptrace or because the ldt was changed.

So making it be a "rule" that segment registers be restored with the kernel cr3 active seems bogus. It just means that you're making a rule that cannot possibly be generic.

So has this been tested with

 - single-stepping through sysenter

   This takes a DB fault in the first kernel instruction. We're in kernel mode, but with user cr3.

 - ptracing and setting CS/SS to something bad

   That should test the "exception on iret" case - again in kernel mode, but with user cr3 restored for the return.

I didn't look closely at the whole series, so maybe this is all fine. I mainly reacted to the "With PTI enabled, we still need to be on kernel cr3 when the exception happens" part of the explanation.

      Linus
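A regression check for the second item on the list above, "ptracing and setting CS/SS to something bad", as an added example that is not code from this thread or from the kernel tree: the tracer installs a null selector with RPL 3 (selector value 3, an assumed choice that ptrace's own validation accepts) as the tracee's CS and confirms that the tracee receives SIGSEGV or SIGBUS, meaning the kernel handled the fault on its own iret rather than dying in the return path. It assumes a Linux x86_64 host on which ptrace is permitted; the 0/1/2 result convention is this example's own.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
/* Result: 1 = tracee took SIGSEGV/SIGBUS, i.e. the kernel handled the faulting
 * iret; 0 = unexpected outcome; 2 = cannot run here (no ptrace or not x86_64). */
static int reap(pid_t pid, int rc)
{
    kill(pid, SIGKILL);                 /* SIGKILL also wakes a ptrace-stopped tracee */
    waitpid(pid, NULL, 0);
    return rc;
}

int bad_cs_is_handled(void)
{
#if defined(__linux__) && defined(__x86_64__)
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return 2;
    if (pid == 0) {                                   /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
            _exit(77);                                /* ptrace denied in this sandbox */
        raise(SIGSTOP);                               /* hand control to the tracer */
        for (;;) pause();                             /* never reached once CS is bad */
    }
    if (waitpid(pid, &status, 0) != pid || (WIFEXITED(status) && WEXITSTATUS(status) == 77))
        return 2;
    if (!WIFSTOPPED(status))
        return reap(pid, 0);
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) != 0)
        return reap(pid, 2);
    /* Selector 3 is the null selector with RPL 3 (assumed value): ptrace accepts it,
     * but the iret back to user mode takes #GP, the "exception on iret" case above. */
    regs.cs = 3;
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) != 0)
        return reap(pid, 2);                          /* environment refused the selector */
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) != 0 || waitpid(pid, &status, 0) != pid)
        return reap(pid, 0);
    /* A correct kernel converts the fault into a signal for the tracee, which the
     * tracer observes as a ptrace signal-delivery-stop for that signal. */
    int sig = WIFSTOPPED(status) ? WSTOPSIG(status) : 0;
    return reap(pid, (sig == SIGSEGV || sig == SIGBUS) ? 1 : 0);
#else
    return 2;
#endif
}
```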