On 11/20/2017 12:12 PM, Thomas Gleixner wrote:
>> + */
>> + native_get_shadow_pgd(pgdp)->pgd = pgd.pgd;
>> + /*
>> + * For the copy of the pgd that the kernel
>> + * uses, make it unusable to userspace. This
>> + * ensures if we get out to userspace with the
>> + * wrong CR3 value, userspace will crash
>> + * instead of running.
>> + */
>> + pgd.pgd |= _PAGE_NX;
>> + }
>> + } else if (!pgd.pgd) {
>> + /*
>> + * We are clearing the PGD and can not check _PAGE_USER
>> + * in the zero'd PGD.
>
> Just the argument cannot be checked because it's clearing the entry. The
> pgd entry itself is not yet modified, so it could be checked.
So, I guess we could enforce that only PGDs with _PAGE_USER set can ever
be cleared. That has a nice symmetry to it because we set the shadow
when we see _PAGE_USER and we would then clear the shadow when we see
_PAGE_USER.
