The paranoid exit code only restores the saved CR3 when it switches back
to the user GS. However, even in the kernel GS case, it's possible that
it needs to restore a user CR3, if for example, the paranoid exception
occurred in the syscall exit path between SWITCH_TO_USER_CR3_STACK and
Fix that issue by making the CR3 restore unconditional. This is
symmetrical with the unconditional CR3 save in paranoid_entry().
Also, since RESTORE_CR3 is now done before the EBX compare, it needs to
use a different scratch register (R15 instead of RBX).
I haven't actually seen any real-world bugs caused by this, so I'm not
sure how theoretical it is. I just stumbled upon it in code review when
looking for another bug.
Signed-off-by: Josh Poimboeuf <jpoim...@redhat.com>
arch/x86/entry/entry_64.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
index cd216c9431e1..68c95a09b48d 100644
@@ -1167,10 +1167,10 @@ ENTRY(paranoid_exit)
+ RESTORE_CR3 scratch_reg=%r15 save_reg=%r14
testl %ebx, %ebx /* swapgs needed? */
- RESTORE_CR3 scratch_reg=%rbx save_reg=%r14