If a trap is encountered upon executing iretq from within doreti() the

hardware will ensure the stack pointer is aligned to a 16-byte boundary before saving the fault state on the stack. In the PTI case, handle this potential alignment adjustment by copying both frames independently while unwinding the stack in between. Reviewed by: kib Sponsored by: Dell EMC Isilon Differential Revision: https://reviews.freebsd.org/D15183
2018-04-25 14:21:13 +00:00 · 2018-04-25 14:21:13 +00:00 · 19c5cea336
commit 19c5cea336
parent 612c330d85
1 changed files with 8 additions and 1 deletions
--- a/sys/amd64/amd64/exception.S
+++ b/sys/amd64/amd64/exception.S
@ -341,6 +341,9 @@ page_cr2:
 	 * On the stack, we have the hardware interrupt frame to return
 	 * to usermode (faulted) and another frame with error code, for
 	 * fault.  For PTI, copy both frames to the main thread stack.
+	 * Handle the potential 16-byte alignment adjustment incurred
+	 * during the second fault by copying both frames independently
+	 * while unwinding the stack in between.
 	 */
 	.macro PROTF_ENTRY name,trapno
 \name\()_pti_doreti:
@ -351,7 +354,11 @@ page_cr2:
 	movq	%rax,%cr3
 	movq	PCPU(RSP0),%rax
 	subq	$2*PTI_SIZE-3*8,%rax /* no err, %rax, %rdx in faulted frame */
-	MOVE_STACKS	(PTI_SIZE / 4 - 3)
+	MOVE_STACKS	(PTI_SIZE / 8)
+	addq	$PTI_SIZE,%rax
+	movq	PTI_RSP(%rsp),%rsp
+	MOVE_STACKS	(PTI_SIZE / 8 - 3)
+	subq	$PTI_SIZE,%rax
 	movq	%rax,%rsp
 	popq	%rdx
 	popq	%rax