From owner-svn-src-all@freebsd.org Wed Nov 13 22:39:47 2019 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 1884B1BE312; Wed, 13 Nov 2019 22:39:47 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 47D00y70Vjz4f42; Wed, 13 Nov 2019 22:39:46 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D3EA01EE68; Wed, 13 Nov 2019 22:39:46 +0000 (UTC) (envelope-from kib@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id xADMdk6Q001867; Wed, 13 Nov 2019 22:39:46 GMT (envelope-from kib@FreeBSD.org) Received: (from kib@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id xADMdkXu001866; Wed, 13 Nov 2019 22:39:46 GMT (envelope-from kib@FreeBSD.org) Message-Id: <201911132239.xADMdkXu001866@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kib set sender to kib@FreeBSD.org using -f From: Konstantin Belousov Date: Wed, 13 Nov 2019 22:39:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r354696 - head/sys/amd64/amd64 X-SVN-Group: head X-SVN-Commit-Author: kib X-SVN-Commit-Paths: head/sys/amd64/amd64 X-SVN-Commit-Revision: 354696 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 13 Nov 2019 22:39:47 -0000 Author: kib Date: Wed Nov 13 22:39:46 2019 New Revision: 354696 URL: https://svnweb.freebsd.org/changeset/base/354696 Log: amd64: only set PCB_FULL_IRET pcb flag when #gp or similar exception comes from usermode. If CPU supports RDFSBASE, the flag also means that userspace fsbase and gsbase are already written into pcb, which might be not true when we handle #gp from kernel. The offender is rdmsr_safe(), and the visible result is corrupted userspace TLS base. Reported by: pstef Sponsored by: The FreeBSD Foundation MFC after: 3 days Modified: head/sys/amd64/amd64/exception.S Modified: head/sys/amd64/amd64/exception.S ============================================================================== --- head/sys/amd64/amd64/exception.S Wed Nov 13 22:25:53 2019 (r354695) +++ head/sys/amd64/amd64/exception.S Wed Nov 13 22:39:46 2019 (r354696) @@ -497,8 +497,8 @@ prot_addrf: 3: cmpw $KUG32SEL,TF_GS(%rsp) jne 4f movq %rdx,PCB_GSBASE(%rdi) + orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* full iret from user #gp */ 4: call handle_ibrs_entry - orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* always full iret from GPF */ movw %es,TF_ES(%rsp) movw %ds,TF_DS(%rsp) testl $PSL_I,TF_RFLAGS(%rsp)