Bug 821463 - SEP CPU flag is disabled on Intel 64 bit when exec_shield is on
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.3
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Assigned To: Larry Woodman
QA Contact: Petr Beňas
Blocks: 821741
Reported: 2012-05-14 11:02 EDT by Orit Wasserman
Modified: 2015-01-04 18:02 EST
Fixed In Version: kernel-2.6.32-315.el6
Doc Type: Bug Fix
Last Closed: 2013-02-21 01:12:47 EST
Type: Bug


Description Orit Wasserman 2012-05-14 11:02:21 EDT
Description of problem:
SEP CPU flag is disabled on Intel 64 bit when exec_shield is set (which is the default).

Version-Release number of selected component (if applicable):
2.6.32-251.el6.x86_64

How reproducible:
Check cpuinfo after installing RHEL6 64 bit.

Steps to Reproduce:
1. Check exec_shield is set: cat /proc/sys/kernel/exec-shield returns 1.
2. cat /proc/cpuinfo
  
Actual results:
sep is not set

Expected results:
sep should be set

Additional info:
This looks like a problem with the exec_shield code in arch/x86/kernel/cpu/common.c:

	if (exec_shield != 0) {
#ifdef CONFIG_X86_PAE
		if (!test_cpu_cap(c, X86_FEATURE_NX))
#endif
			clear_cpu_cap(c, X86_FEATURE_SEP);
	}

CONFIG_X86_PAE is not set for 64 bit so we clear SEP.
Comment 4 Paolo Bonzini 2012-09-04 04:23:13 EDT
What is really the effect of the bug?  The kernel only uses X86_FEATURE_SEP in 32-bit mode.

In 64-bit mode, sysenter/sysexit are assumed to be present on all Intel CPUs.

arch/x86/kernel/cpu/intel.c:

#ifdef CONFIG_X86_64
        set_cpu_cap(c, X86_FEATURE_SYSENTER32);
#endif

arch/x86/vdso/vdso32-setup.c

#ifdef CONFIG_X86_64
#define vdso32_sysenter()       (boot_cpu_has(X86_FEATURE_SYSENTER32))
#define vdso32_syscall()        (boot_cpu_has(X86_FEATURE_SYSCALL32))
...
#else  /* CONFIG_X86_32 */
#define vdso32_sysenter()       (boot_cpu_has(X86_FEATURE_SEP))
#define vdso32_syscall()        (0)
#endif

I suppose this only affects virtualization of 32-bit guests with -cpu host, where the guest would have to fall back to int $0x80?
Comment 5 Larry Woodman 2012-09-13 11:13:16 EDT
Sorry, but I don't understand what the problem is here.


In RHEL5 we have:
----------------------------------------------------------------
        if (exec_shield != 0) {
#ifdef CONFIG_HIGHMEM64G   /* NX implies PAE */
                if (!test_bit(X86_FEATURE_NX, c->x86_capability))
#endif
                clear_bit(X86_FEATURE_SEP, c->x86_capability);
        }
----------------------------------------------------------------

In RHEL6 we have:
----------------------------------------------------------------
        if (exec_shield != 0) {
#ifdef CONFIG_X86_PAE
                if (!test_cpu_cap(c, X86_FEATURE_NX))
#endif
                        clear_cpu_cap(c, X86_FEATURE_SEP);
        }
----------------------------------------------------------------

In RHEL5 CONFIG_HIGHMEM64G is set in x86 only and in RHEL6 CONFIG_X86_PAE is set in x86 only.  So the functionality should be the same for x86 & x86_64 in both cases, no?

Larry
Comment 6 Paolo Bonzini 2012-09-13 11:18:32 EDT
> In RHEL5 CONFIG_HIGHMEM64G is set in x86 only and in RHEL6 CONFIG_X86_PAE is 
> set in x86 only.  So the functionality should be the same for x86 & x86_64 in 
> both cases, no?

The snippet you quoted for RHEL5 is not compiled for x86_64, only i386.  See comment 2.
Comment 7 Larry Woodman 2012-09-13 11:24:46 EDT
So the whole RHEL6 snippet should be this, so we only do this for x86?

----------------------------------------------------------------
#ifdef CONFIG_X86_PAE
        if (exec_shield != 0) {
                if (!test_cpu_cap(c, X86_FEATURE_NX))
                        clear_cpu_cap(c, X86_FEATURE_SEP);
        }
#endif
----------------------------------------------------------------

Larry
Comment 8 Paolo Bonzini 2012-09-13 11:26:28 EDT
Yes, that should do it.
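
Added example (not part of the bug thread and not Red Hat kernel code): a user-space C model of the snippet quoted in the description and the one proposed in comment 7, showing what each compiles to when CONFIG_X86_PAE is undefined, as it is on x86_64. The struct cpu type, the NX/SEP bit values, the helper bodies and the names sep_check_reported, sep_check_proposed and sep_kept are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's capability bits and helpers. */
enum { NX = 1, SEP = 2 };
struct cpu { unsigned caps; };
static bool test_cpu_cap(const struct cpu *c, unsigned f) { return (c->caps & f) != 0; }
static void clear_cpu_cap(struct cpu *c, unsigned f) { c->caps &= ~f; }

/* Snippet as quoted in the description. */
static void sep_check_reported(struct cpu *c, int exec_shield)
{
	if (exec_shield != 0) {
#ifdef CONFIG_X86_PAE
		if (!test_cpu_cap(c, NX))
#endif
			clear_cpu_cap(c, SEP);	/* unguarded once the #ifdef drops the NX test */
	}
}

/* Snippet as proposed in comment 7. */
static void sep_check_proposed(struct cpu *c, int exec_shield)
{
	(void)c; (void)exec_shield;	/* avoid unused warnings when the body is compiled out */
#ifdef CONFIG_X86_PAE
	if (exec_shield != 0) {
		if (!test_cpu_cap(c, NX))
			clear_cpu_cap(c, SEP);
	}
#endif
}

/* Start from a CPU that advertises SEP; report whether SEP survives fn(). */
static bool sep_kept(void (*fn)(struct cpu *, int), bool nx, int exec_shield)
{
	struct cpu c = { SEP | (nx ? NX : 0) };
	fn(&c, exec_shield);
	return test_cpu_cap(&c, SEP);
}

int main(void)
{
	for (int es = 0; es <= 1; es++)
		for (int nx = 0; nx <= 1; nx++)
			printf("exec_shield=%d nx=%d reported:sep=%d proposed:sep=%d\n", es, nx,
			       sep_kept(sep_check_reported, nx, es), sep_kept(sep_check_proposed, nx, es));
	return 0;
}
```

Building the same file with -DCONFIG_X86_PAE models the 32-bit PAE kernel, where both variants clear SEP only when exec_shield is on and NX is absent.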
Comment 9 RHEL Product and Program Management 2012-09-21 13:11:07 EDT
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 12 Jarod Wilson 2012-10-01 13:14:57 EDT
Patch(es) available on kernel-2.6.32-315.el6
Comment 16 Petr Beňas 2012-10-04 05:21:10 EDT
Reproduced in 2.6.32-313.el6.x86_64 and verified in 2.6.32-314.el6.x86_64.
Comment 18 errata-xmlrpc 2013-02-21 01:12:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0496.html
