Linus Torvalds writes:

> I went back to the initial problematic commit e802a51 and modified it as you suggest:
> [...]
> EIP: idt_invalidate+0x6/0x40 SS:ESP: 0068:f6c47cd0

Thank you.

Yes, interesting, it's the stack canary load access there:

    mov %gs:0x14,%edx

that traps.

And that actually makes a lot of sense: the load_segments() call just above has reloaded all segments with __KERNEL_DS.

So while the stack canary access *intends* to load it from the magic stack canary segment (offset 0x14), we've just reset all segments to the standard zero-based full-sized ones, and obviously that will take a page fault at 0x14.

And the reason you now actually *see* the page fault is that we haven't completely buggered the CPU state now, so the trap handler actually works.
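The following is an added illustration, not code from the thread or from the kernel: a small C model of 32-bit x86 segment translation that shows why the compiler-emitted canary read `mov %gs:0x14,%edx` succeeds while %gs still points at the stack canary segment and page-faults once load_segments() has replaced it with the flat, zero-based __KERNEL_DS. The segment bases and limits, the per-CPU struct address and the "page map" are constructed for the example; only the 0x14 canary offset and the __KERNEL_DS behaviour come from the message above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of x86-32 segment translation for a %gs:offset access.
 * All addresses and limits below are constructed for this illustration;
 * this is not kernel code. */

struct segment {
    uint32_t base;   /* linear base address of the segment */
    uint32_t limit;  /* last valid byte offset within the segment */
};

/* Constructed page map: only the 4 KiB page holding the per-CPU stack canary
 * structure is mapped. Linear page 0 (addresses 0x0..0xfff) is not mapped,
 * which is what turns a flat access to 0x14 into a page fault. */
#define PAGE_SHIFT           12
#define CANARY_STRUCT_LINEAR 0xc1a00000u   /* constructed address */
#define STACK_CANARY_OFFSET  0x14u         /* offset the compiler reads via %gs */

static bool page_is_mapped(uint32_t linear)
{
    return (linear >> PAGE_SHIFT) == (CANARY_STRUCT_LINEAR >> PAGE_SHIFT);
}

/* Translate a %gs:offset access.
 * Returns 0 and fills *linear on success,
 *        -1 for a limit violation (would be a #GP),
 *        -2 for an unmapped page (would be a #PF). */
int gs_access(const struct segment *gs, uint32_t offset, uint32_t *linear)
{
    if (offset > gs->limit)
        return -1;
    *linear = gs->base + offset;
    if (!page_is_mapped(*linear))
        return -2;
    return 0;
}

/* The stack canary segment: base points at the per-CPU canary struct, with a
 * small limit (constructed as 24 bytes) that still covers offset 0x14. */
static const struct segment canary_seg = { CANARY_STRUCT_LINEAR, 0x18 - 1 };

/* __KERNEL_DS as load_segments() leaves it: zero-based, full 4 GiB limit. */
static const struct segment kernel_ds  = { 0, 0xffffffffu };

/* The same "mov %gs:0x14,%edx" before and after the segment reload. */
int canary_read_before_load_segments(uint32_t *linear)
{
    return gs_access(&canary_seg, STACK_CANARY_OFFSET, linear);
}

int canary_read_after_load_segments(uint32_t *linear)
{
    return gs_access(&kernel_ds, STACK_CANARY_OFFSET, linear);
}

int main(void)
{
    uint32_t lin = 0;
    int rc = canary_read_before_load_segments(&lin);
    printf("before load_segments(): rc=%d linear=0x%08x\n", rc, lin);
    rc = canary_read_after_load_segments(&lin);
    printf("after  load_segments(): rc=%d linear=0x%08x (page fault)\n", rc, lin);
    return 0;
}
```

The model makes the ordering constraint explicit: any function that is compiled with the stack protector and reloads %gs before its epilogue runs the canary check against whatever segment %gs now holds, so the canary read must either happen before the segment reload or the function must be built without stack protection.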