On Mon, Apr 29, 2019 at 11:57 AM Andy Lutomirski luto@kernel.org wrote:
Otherwise you could never trust the whole sti shadow thing - and it very much is part of the architecture.
Is this documented somewhere?
Btw, if you really don't trust the sti shadow despite it going all the way back to the 8086, then you could instead make the irqoff code do
push %gs:bp_call_return push %gs:bp_call_target sti ret
which just keeps interrupts explicitly disabled over the whole use of the percpu data.
The actual "ret" instruction doesn't matter, it's not going to change in this model (where the code isn't dynamically generated or changed). So I claim that it will still be protected by the sti shadow, but when written that way it doesn't actually matter, and you could reschedule immediately after the sti (getting an interrupt there might make the stack frame look odd, but it doesn't really affect anything else)
Linus