| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Jul 2010 16:48:01 -0600 From: Jeffrey Merkey <jeffmerkey@...il.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: linux-kernel@...r.kernel.org Subject: Re: [patch 2/2] x86 NMI-safe INT3 and Page Fault On Fri, Jul 16, 2010 at 4:22 PM, Linus Torvalds <torvalds@...ux-foundation.org> wrote: > On Fri, Jul 16, 2010 at 3:02 PM, Jeffrey Merkey <jeffmerkey@...il.com> wrote: >> >> So Linus, my understanding of Intel's processor design is that the >> processor will NEVER singal a nested NMI until it sees an iret from >> the first NMI exception. > > Wrong. > > I like x86, but it has warts. The NMI blocking is one of them. > > The NMI's will be nested until the _next_ "iret", but it has no > nesting. So if you take a fault during the NMI (debug, page table > fixup, whatever), the iret in the faulthandler will re-enable NMI's > even though we're still busy with the original NMI. There is no > nesting, or any way to say that "this is a NMI-releasing iret". They > could even do it still - make a new "iret that doesn't clear NMI" by > adding a segment override prefix to iret or whatever. But it's not > going to happen, and it's just one of those ugly special cases that > has various historical reasons (recursive faults during NMI sure as > hell didn't make sense back in the real-mode 8086 days). > > So we have to handle it in software. Or not ever trap at all inside > the NMI handler. > > The original patch - and the patch I detest - is to make the normal > fault paths use a "popf + ret" to emulate iret, but without the NMI > release. > > Now, I could live with that if it's the only solution, but it _is_ > pretty damn ugly. > > If somebody shows that it's actually faster to do "popf + ret" when > retuning to kernel space (a poor mans special-case iret), maybe it > would be worth it, but the really critical code sequence is actually > not "return to kernel space", but the "return to user space" case that > really wants the iret. And I just think it's disgusting to add extra > tests to that path. > > The other alternative would be to just make the rule be "NMI can never > take traps". It's possible to do that, but quite frankly, it's a pain. > It's a pain for page faults due to the whole vmalloc thing, and it's a > pain if you ever want to debug an NMI in any way (or put a breakpoint > on anything that is accessed from an NMI, which could potentially be > quite a lot of things). > > If it was just the debug issue, I'd say "neener neener, debuggers are > for wimps", but it's clearly not just about debug. It's a whole lot of > other thigs. Random percpu datastructures used for tracing, kernel > pointer verification code, yadda yadda. > > Linus > Well, the way I handled this problem on NetWare SMP and that other kernel was to create a pool of TSS descriptors and reload each during the exception to swap stacks before any handlers were called. Allowed it to nest until I ran out of TSS descriptors (64 levels). Not sure that's the way to go here though but it worked on that case. Jeff -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists