[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+55aFxxJ3aGmu+ELGZf_+OpDM1vcu4d9=nEaodrKPGPtNV-5w@mail.gmail.com>
Date: Thu, 14 Dec 2017 13:39:05 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Andy Lutomirski <luto@...nel.org>
Cc: Thomas Gleixner <tglx@...utronix.de>,
syzbot
<bot+1f445b1009b8eeededa30fe62ccf685f2ec9d155@...kaller.appspotmail.com>,
Borislav Petkov <bp@...e.de>,
Dmitry Safonov <dsafonov@...tuozzo.com>,
Peter Anvin <hpa@...or.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Kyle Huey <me@...ehuey.com>, Ingo Molnar <mingo@...hat.com>,
syzkaller-bugs@...glegroups.com,
"the arch/x86 maintainers" <x86@...nel.org>
Subject: Re: BUG: unable to handle kernel paging request in __switch_to
On Thu, Dec 14, 2017 at 1:27 PM, Andy Lutomirski <luto@...nel.org> wrote:
> On Thu, Dec 14, 2017 at 11:28 AM, Linus Torvalds
> <torvalds@...ux-foundation.org> wrote:
>> I don't think that's the case. "int3" is entirely synchronous, and
>> doesn't have the same odd issues as a breakpoint trap (which honors RF
>> etc). It's literally just a one-byte shorthand for "int $3".
>
> The SDM says precisely the same thing about INT N, so, whichever way
> you dice it, int3 is a benign exception.
That just means that it doesn't double-fault when it takes the page fault.
Which we already know, because we see a page fault, not a double fault.
> 0xfffffffffffffff8 is *exactly* where the fault would be if the
> microcoded push of SS faulted if the IST contained zeros.
Yes, I suspect it's the stack that is buggered for some reason.
>> Plus I think the instruction that gets overwritten is just a 5-byte
>> nop isn't it? So it really shouldn't take a fault without the "int3"
>> overwriting.
>
> Unless it was being overwritten the other way and the oops hit while
> tracing was being turned *off*.
Doesn't really matter. The two forms of that instruction are "5-byte
nop" and "unconditional branch".
Neither of them will write to anything - the only page fault they
could take is for instruction fetch.
So it really must be the "int3" that fails. Unless we're looking at
some odd CPU errata, which sounds very very unlikely.
Linus
Powered by blists - more mailing lists