x86/entry/64: Fix and clean up paranoid_exit

paranoid_exit needs to restore CR3 before GSBASE. Doing it in the opposite order crashes if the exception came from a context with user GSBASE and user CR3 -- RESTORE_CR3 cannot resture user CR3 if run with user GSBASE. This results in infinitely recursing exceptions if user code does SYSENTER with TF set if both FSGSBASE and PTI are enabled. The old code worked if user code just set TF without SYSENTER because #DB from user mode is special cased in idtentry and paranoid_exit doesn't run. Fix it by cleaning up the spaghetti code. All that paranoid_exit needs to do is to disable IRQs, handle IRQ tracing, then restore CR3, and restore GSBASE. Simply do those actions in that order. Fixes: 708078f65721 ("x86/entry/64: Handle FSGSBASE enabled paranoid entry/exit") Reported-by: Vegard Nossum <vegard.nossum@oracle.com> Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com> Signed-off-by: Andy Lutomirski <luto@kernel.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: "H . Peter Anvin" <hpa@zytor.com> Cc: Andi Kleen <ak@linux.intel.com> Cc: Ravi Shankar <ravi.v.shankar@intel.com> Cc: H. Peter Anvin <hpa@zytor.com> Link: https://lkml.kernel.org/r/59725ceb08977359489fbed979716949ad45f616.1562035429.git.luto@kernel.org
author: Andy Lutomirski <luto@kernel.org> 2019-07-01 23:43:21 -0400
committer: Thomas Gleixner <tglx@linutronix.de> 2019-07-02 02:45:20 -0400
commit: 539bca535decb11a0861b6205c6684b8e908589b (patch)
tree: 9059dc59b231d9a4152b67638f67751bc1c92a60
parent: dffb3f9db6b593f3ed6ab4c8d8f10e0aa6aa7a88 (diff)
1 files changed, 17 insertions, 16 deletions
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index 54b1b0468b2b..670306f588bf 100644
--- a/arch/x86/entry/entry_64.S
+++ b/arch/x86/entry/entry_64.S
@@ -1256,31 +1256,32 @@ END(paranoid_entry)
 ENTRY(paranoid_exit)
        UNWIND_HINT_REGS
        DISABLE_INTERRUPTS(CLBR_ANY)
-        TRACE_IRQS_OFF_DEBUG
-        /* Handle GS depending on FSGSBASE availability */
+        /*
-        ALTERNATIVE "jmp .Lparanoid_exit_checkgs", "nop",X86_FEATURE_FSGSBASE
+         * The order of operations is important.  IRQ tracing requires
+         * kernel GSBASE and CR3.  RESTORE_CR3 requires kernel GS base.
+         *
+         * NB to anyone to tries to optimize this code: this code does
+         * not execute at all for exceptions coming from user mode.  Those
+         * exceptions go through error_exit instead.
+         */
+        TRACE_IRQS_IRETQ_DEBUG
+        RESTORE_CR3     scratch_reg=%rax save_reg=%r14
+        /* Handle the three GSBASE cases. */
+        ALTERNATIVE "jmp .Lparanoid_exit_checkgs", "", X86_FEATURE_FSGSBASE
        /* With FSGSBASE enabled, unconditionally restore GSBASE */
        wrgsbase        %rbx
-        jmp     .Lparanoid_exit_no_swapgs;
+        jmp     restore_regs_and_return_to_kernel
 .Lparanoid_exit_checkgs:
        /* On non-FSGSBASE systems, conditionally do SWAPGS */
        testl   %ebx, %ebx
-        jnz     .Lparanoid_exit_no_swapgs
+        jnz     restore_regs_and_return_to_kernel
-        TRACE_IRQS_IRETQ
-        /* Always restore stashed CR3 value (see paranoid_entry) */
-        RESTORE_CR3     scratch_reg=%rbx save_reg=%r14
-        SWAPGS_UNSAFE_STACK
-        jmp     .Lparanoid_exit_restore
-.Lparanoid_exit_no_swapgs:
-        TRACE_IRQS_IRETQ_DEBUG
-        /* Always restore stashed CR3 value (see paranoid_entry) */
-        RESTORE_CR3     scratch_reg=%rbx save_reg=%r14
-.Lparanoid_exit_restore:
+        /* We are returning to a context with user GSBASE. */
+        SWAPGS_UNSAFE_STACK
        jmp     restore_regs_and_return_to_kernel
 END(paranoid_exit)
author	Andy Lutomirski <luto@kernel.org>	2019-07-01 23:43:21 -0400
committer	Thomas Gleixner <tglx@linutronix.de>	2019-07-02 02:45:20 -0400
commit	539bca535decb11a0861b6205c6684b8e908589b (patch)
tree	9059dc59b231d9a4152b67638f67751bc1c92a60
parent	dffb3f9db6b593f3ed6ab4c8d8f10e0aa6aa7a88 (diff)