On Tue, May 26, 2020 at 08:48:35AM -0700, Andi Kleen wrote:
On Tue, May 26, 2020 at 08:56:18AM +0200, Greg KH wrote:
On Mon, May 25, 2020 at 10:28:48PM -0700, Andi Kleen wrote:
From: Andi Kleen ak@linux.intel.com
Since there seem to be kernel modules floating around that set FSGSBASE incorrectly, prevent this in the CR4 pinning. Currently CR4 pinning just checks that bits are set, this also checks that the FSGSBASE bit is not set, and if it is clears it again.
So we are trying to "protect" ourselves from broken out-of-tree kernel modules now?
Well it's a specific case where we know they're opening a root hole unintentionally. This is just an pragmatic attempt to protect the users in the short term.
Can't you just go and fix those out-of-tree kernel modules instead? What's keeping you all from just doing that instead of trying to force the kernel to play traffic cop?
thanks,
greg k-h