
Bug #12718

Updated by Patrick Mooney about 2 years ago

Andy F spotted an issue with the #12608 wad: It adjusts the layout of the TSS and LDT on cpu0 back to its previously (before KPTI) broken state. 

 Old (fixed by KPTI): 
 <pre> 
 -#define          DEBUG_INFO_VA     (KERNEL_TEXT - MMU_PAGESIZE) 
 -#define          GDT_VA            (DEBUG_INFO_VA - MMU_PAGESIZE) 
 -#define          IDT_VA            (GDT_VA - MMU_PAGESIZE) 
 -#define          LDT_VA            (IDT_VA - (16 * MMU_PAGESIZE)) 
 -#define          KTSS_VA           (LDT_VA - MMU_PAGESIZE) 
 -#define          DFTSS_VA          (KTSS_VA - MMU_PAGESIZE) 
 -#define          MISC_VA_BASE      (DFTSS_VA) 
 -#define          MISC_VA_SIZE      (KERNEL_TEXT - MISC_VA_BASE) 
 </pre> 

 New (broken by #12608, and previously busted before KPTI testing): 
 <pre> 
 +#define          DEBUG_INFO_VA     (KERNEL_TEXT - MMU_PAGESIZE) 
 +#define          GDT_VA            (DEBUG_INFO_VA - MMU_PAGESIZE) 
 +#define          IDT_VA            (GDT_VA - MMU_PAGESIZE) 
 +#define          LDT_VA            (IDT_VA - (16 * MMU_PAGESIZE)) 
 +#define          KTSS_VA           (IDT_VA - MMU_PAGESIZE) 
 +#define          DFTSS_VA          (KTSS_VA - MMU_PAGESIZE) 
 +#define          MISC_VA_BASE      (DFTSS_VA) 
 +#define          MISC_VA_SIZE      (KERNEL_TEXT - MISC_VA_BASE) 
 </pre> 
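Review bot: in the + block, KTSS_VA is derived from IDT_VA instead of LDT_VA, and since LDT_VA = IDT_VA - 16 pages, the KTSS page at IDT_VA - MMU_PAGESIZE is the 16th page of the LDT range; by the same arithmetic DFTSS_VA (IDT_VA - 2 pages) lands on the LDT's 15th page, and MISC_VA_BASE = DFTSS_VA no longer spans the LDT at all. Suggest restoring the - block's definition, #define KTSS_VA (LDT_VA - MMU_PAGESIZE), so that the KTSS and DFTSS pages sit below the LDT again.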

 Critically: 
 <pre> 
 -#define          KTSS_VA           (LDT_VA - MMU_PAGESIZE) 

 +#define          KTSS_VA           (IDT_VA - MMU_PAGESIZE) 
 </pre> 

Given how long this problem had existed prior to the KPTI-related testing which uncovered it, it's clear that normal workloads do not run afoul of it. Only workloads which manipulate the LDT all the way out to that final 16th page, where it now erroneously overlaps with the KTSS, will have problems. Using the @i386/ldt@ from os-tests is an easy way of exercising the problem. On a kernel with the bug, the machine reboots _immediately_ upon executing it. (Presumably due to a triple-fault in the KTSS)

The fix is simple: Restore proper positioning of KTSS_VA so it does not overlap with the end of the LDT. Re-running @i386/ldt@ on a BE with the fix results in no such reboot.
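The following C program is an added illustration of the layout arithmetic above; it is not code from the illumos tree or from this ticket. It evaluates both sets of macros (the KPTI layout with KTSS_VA below LDT_VA, and the #12608 layout with KTSS_VA below IDT_VA) as explicit page regions and runs a pairwise overlap check over all six regions, which is the kind of sanity test that would have caught the regression before a triple-fault did. The KERNEL_TEXT value and the 4096-byte MMU_PAGESIZE are assumed placeholders, since neither constant appears on this page; the overlap result does not depend on them. The check goes slightly beyond the ticket text in that it also reports the DFTSS page landing inside the LDT range, which follows from the same macros.

```c
#include <stdint.h>
#include <stdio.h>

#define MMU_PAGESIZE 4096ULL
/* Assumed placeholder for the kernel text base; the real constant is not on this page. */
#define KERNEL_TEXT  0xfffffffffb800000ULL

#define NREGIONS 6

struct region {
    const char *name;
    uint64_t base;   /* lowest VA of the region */
    uint64_t npages; /* size in MMU_PAGESIZE pages */
};

/*
 * Fill in the six regions laid out below KERNEL_TEXT. broken != 0 reproduces
 * the #12608 layout (KTSS_VA derived from IDT_VA); broken == 0 reproduces the
 * KPTI layout (KTSS_VA derived from LDT_VA).
 */
static void build_layout(int broken, struct region r[NREGIONS]) {
    uint64_t debug_info_va = KERNEL_TEXT - MMU_PAGESIZE;
    uint64_t gdt_va   = debug_info_va - MMU_PAGESIZE;
    uint64_t idt_va   = gdt_va - MMU_PAGESIZE;
    uint64_t ldt_va   = idt_va - (16 * MMU_PAGESIZE);
    uint64_t ktss_va  = broken ? (idt_va - MMU_PAGESIZE) : (ldt_va - MMU_PAGESIZE);
    uint64_t dftss_va = ktss_va - MMU_PAGESIZE;

    r[0] = (struct region){ "DEBUG_INFO", debug_info_va, 1 };
    r[1] = (struct region){ "GDT",        gdt_va,        1 };
    r[2] = (struct region){ "IDT",        idt_va,        1 };
    r[3] = (struct region){ "LDT",        ldt_va,        16 };
    r[4] = (struct region){ "KTSS",       ktss_va,       1 };
    r[5] = (struct region){ "DFTSS",      dftss_va,      1 };
}

/* Half-open interval test: [a.base, a.end) intersects [b.base, b.end). */
static int regions_overlap(const struct region *a, const struct region *b) {
    uint64_t a_end = a->base + a->npages * MMU_PAGESIZE;
    uint64_t b_end = b->base + b->npages * MMU_PAGESIZE;
    return a->base < b_end && b->base < a_end;
}

/* Count region pairs that share at least one page; 0 means the layout is sane. */
int count_overlapping_pairs(int broken) {
    struct region r[NREGIONS];
    int i, j, n = 0;
    build_layout(broken, r);
    for (i = 0; i < NREGIONS; i++)
        for (j = i + 1; j < NREGIONS; j++)
            if (regions_overlap(&r[i], &r[j])) {
                printf("overlap: %s and %s\n", r[i].name, r[j].name);
                n++;
            }
    return n;
}

/* 0-based index of the LDT page the KTSS lands on, or -1 when they are disjoint. */
int ktss_ldt_page(int broken) {
    struct region r[NREGIONS];
    build_layout(broken, r);
    if (!regions_overlap(&r[3], &r[4]))
        return -1;
    return (int)((r[4].base - r[3].base) / MMU_PAGESIZE);
}

/* MISC_VA_SIZE in pages: KERNEL_TEXT - MISC_VA_BASE, where MISC_VA_BASE = DFTSS_VA. */
uint64_t misc_va_pages(int broken) {
    struct region r[NREGIONS];
    build_layout(broken, r);
    return (KERNEL_TEXT - r[5].base) / MMU_PAGESIZE;
}

int main(void) {
    printf("KPTI layout: %d overlapping pair(s), MISC_VA_SIZE = %llu pages\n",
           count_overlapping_pairs(0), (unsigned long long)misc_va_pages(0));
    printf("#12608 layout: %d overlapping pair(s), KTSS on LDT page %d, MISC_VA_SIZE = %llu pages\n",
           count_overlapping_pairs(1), ktss_ldt_page(1), (unsigned long long)misc_va_pages(1));
    return 0;
}
```

With the KPTI definitions the six regions are disjoint and MISC_VA_SIZE spans 21 pages; with the #12608 definitions the KTSS sits on LDT page 15 (the 16th page, matching the ticket's description), the DFTSS sits on page 14, and MISC_VA_SIZE shrinks to 5 pages because MISC_VA_BASE has moved above the LDT.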
