From: Borislav Petkov <bp@suse.de>
To: gregkh@linuxfoundation.org, luto@kernel.org
Cc: dave.hansen@linux.intel.com, riel@surriel.com,
tglx@linutronix.de, stable@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: FAILED: patch "[PATCH] x86/fpu: Invalidate FPU state after a failed XRSTOR from a" failed to apply to 5.4-stable tree
Date: Mon, 21 Jun 2021 16:29:21 +0200
Message-ID: <YNCiQRPD9iox9g/v@zn.tnic>
In-Reply-To: <162427270623162@kroah.com>
On Mon, Jun 21, 2021 at 12:51:46PM +0200, gregkh@linuxfoundation.org wrote:
>
> The patch below does not apply to the 5.4-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.
>
> thanks,
>
> greg k-h
>
> ------------------ original commit in Linus's tree ------------------
>
> From d8778e393afa421f1f117471144f8ce6deb6953a Mon Sep 17 00:00:00 2001
> From: Andy Lutomirski <luto@kernel.org>
> Date: Tue, 8 Jun 2021 16:36:19 +0200
> Subject: [PATCH] x86/fpu: Invalidate FPU state after a failed XRSTOR from a
> user buffer
>
> Both Intel and AMD consider it to be architecturally valid for XRSTOR to
> fail with #PF but nonetheless change the register state. The actual
> conditions under which this might occur are unclear [1], but it seems
> plausible that this might be triggered if one sibling thread unmaps a page
> and invalidates the shared TLB while another sibling thread is executing
> XRSTOR on the page in question.
>
> __fpu__restore_sig() can execute XRSTOR while the hardware registers
> are preserved on behalf of a different victim task (using the
> fpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but
> modify the registers.
>
> If this happens, then there is a window in which __fpu__restore_sig()
> could schedule out and the victim task could schedule back in without
> reloading its own FPU registers. This would result in part of the FPU
> state that __fpu__restore_sig() was attempting to load leaking into the
> victim task's user-visible state.
>
> Invalidate preserved FPU registers on XRSTOR failure to prevent this
> situation from corrupting any state.
>
> [1] Frequent readers of the errata lists might imagine "complex
> microarchitectural conditions".
>
> Fixes: 1d731e731c4c ("x86/fpu: Add a fastpath to __fpu__restore_sig()")
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Borislav Petkov <bp@suse.de>
> Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
> Acked-by: Rik van Riel <riel@surriel.com>
> Cc: stable@vger.kernel.org
> Link: https://lkml.kernel.org/r/20210608144345.758116583@linutronix.de
>
> diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
> index d5bc96a536c2..4ab9aeb9a963 100644
> --- a/arch/x86/kernel/fpu/signal.c
> +++ b/arch/x86/kernel/fpu/signal.c
> @@ -369,6 +369,25 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
> fpregs_unlock();
> return 0;
> }
> +
> + /*
> + * The above did an FPU restore operation, restricted to
> + * the user portion of the registers, and failed, but the
> + * microcode might have modified the FPU registers
> + * nevertheless.
> + *
> + * If the FPU registers do not belong to current, then
> + * invalidate the FPU register state otherwise the task might
> + * preempt current and return to user space with corrupted
> + * FPU registers.
> + *
> + * In case current owns the FPU registers then no further
> + * action is required. The fixup below will handle it
> + * correctly.
> + */
> + if (test_thread_flag(TIF_NEED_FPU_LOAD))
> + __cpu_invalidate_fpregs_state();
> +
> fpregs_unlock();
> } else {
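Review bot: the new comment says "The fixup below will handle it correctly" for the case where current owns the registers, but nothing in the hunk names that fixup, so a reader of the diff cannot check the claim from `if (test_thread_flag(TIF_NEED_FPU_LOAD))` / `__cpu_invalidate_fpregs_state();` alone; name the path (the slow path that follows the fast-path failure, and what it does to current's registers) in the comment. Also, the Fixes: tag names 1d731e731c4c, yet the reply below shows that 5.4.127 still has an unconditional fpregs_deactivate(fpu) right after the failed fast path, and that call was removed by 98265c17efa9 in 5.7; the Fixes: target, and hence the stable range this backport is requested for, should be checked against that commit rather than a 5.1 one.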
So I'm looking at this and 5.4.127 has:
	if (!ret) {
		fpregs_mark_activate();
		fpregs_unlock();
		return 0;
	}
	fpregs_deactivate(fpu);	<---
	fpregs_unlock();
i.e., an unconditional fpu invalidation there. Which got removed by:
98265c17efa9 ("x86/fpu/xstate: Preserve supervisor states for the slow path in __fpu__restore_sig()")
in 5.7.
So that Fixes: commit above which points to a 5.1 kernel is probably wrong-ish.
amluto?
--
Regards/Gruss,
Boris.
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer, HRB 36809, AG Nürnberg
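A user-space model of the race the commit message describes, added here as an illustration; it is not kernel code and not from the patch or the thread. The names fpu_fpregs_owner_ctx, TIF_NEED_FPU_LOAD, last_cpu and __cpu_invalidate_fpregs_state() mirror the kernel's, but the structures are simplified, the "hardware registers" are a plain array, and the XRSTOR that takes #PF after partially writing the registers is simulated rather than executed. The sample register values are constructed. It shows why the lazy ownership check skips the reload for the victim unless the owner context is invalidated after the failed restore.

```c
/*
 * Added illustration, not kernel code: a user-space model of the lazy FPU
 * ownership bookkeeping the commit message refers to. Names mirror the
 * kernel's (fpu_fpregs_owner_ctx, TIF_NEED_FPU_LOAD, last_cpu), but the
 * structures are simplified and the faulting XRSTOR is simulated.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NREGS 4
#define THIS_CPU 0

struct fpu {
	unsigned int last_cpu;		/* CPU whose registers last held this state */
	unsigned int regs[NREGS];	/* in-memory copy of the task's FPU state */
};

struct task {
	struct fpu fpu;
	bool need_fpu_load;		/* models TIF_NEED_FPU_LOAD */
};

/* One CPU: its "hardware" FPU registers and the owner-context pointer. */
static unsigned int hw_regs[NREGS];
static struct fpu *fpu_fpregs_owner_ctx;

/* Kernel-style check: the registers still hold exactly this task's state. */
static bool fpregs_state_valid(const struct fpu *fpu)
{
	return fpu == fpu_fpregs_owner_ctx && fpu->last_cpu == THIS_CPU;
}

/* The call the patch adds on failure: forget who owns the registers. */
static void __cpu_invalidate_fpregs_state(void)
{
	fpu_fpregs_owner_ctx = NULL;
}

/* Load a task's saved state into the registers and record it as owner. */
static void fpregs_restore(struct task *t)
{
	memcpy(hw_regs, t->fpu.regs, sizeof(hw_regs));
	fpu_fpregs_owner_ctx = &t->fpu;
	t->fpu.last_cpu = THIS_CPU;
	t->need_fpu_load = false;
}

/* Return-to-user for t: reload only if the bookkeeping says it must. */
static void switch_to_and_return_to_user(struct task *t)
{
	if (!fpregs_state_valid(&t->fpu))
		fpregs_restore(t);
	/* else the registers are trusted to be intact: nothing is reloaded */
}

/* Schedule t in without touching the registers: they stay preserved on
 * behalf of their current owner and t loads its own state later. */
static void schedule_in_lazy(struct task *t)
{
	t->need_fpu_load = true;
}

/*
 * Simulated XRSTOR from a user buffer that takes #PF part-way through:
 * the first `written` registers are overwritten before the fault, and
 * the instruction still reports failure (-1, as the kernel's helper does).
 */
static int xrstor_from_user_faulting(const unsigned int *buf, size_t written)
{
	memcpy(hw_regs, buf, written * sizeof(*buf));
	return -1;
}

/* The fast path of __fpu__restore_sig(), with and without the patch. */
static int restore_sig_fastpath(struct task *cur, const unsigned int *ubuf,
				bool with_fix)
{
	int ret = xrstor_from_user_faulting(ubuf, 2);

	if (!ret)
		return 0;		/* fpregs_mark_activate() would run here */
	if (with_fix && cur->need_fpu_load)
		__cpu_invalidate_fpregs_state();
	return ret;
}

/* Replay the commit message's scenario. Returns true if the victim resumes
 * in user space with a register value it never wrote. */
static bool victim_sees_leak(bool with_fix)
{
	/* Constructed sample data, not taken from any real task. */
	const unsigned int victim_state[NREGS] = { 0x11, 0x22, 0x33, 0x44 };
	const unsigned int signal_frame[NREGS] = { 0xdead, 0xbeef, 0xcafe, 0xf00d };
	struct task victim = { 0 };
	struct task signaller = { 0 };

	memcpy(victim.fpu.regs, victim_state, sizeof(victim_state));
	fpu_fpregs_owner_ctx = NULL;

	switch_to_and_return_to_user(&victim);	/* victim now owns hw_regs */
	schedule_in_lazy(&signaller);		/* registers kept for victim */
	restore_sig_fastpath(&signaller, signal_frame, with_fix);
	switch_to_and_return_to_user(&victim);	/* does the victim reload? */

	return memcmp(hw_regs, victim_state, sizeof(victim_state)) != 0;
}

int main(void)
{
	printf("without fix: leak=%d\n", victim_sees_leak(false));
	printf("with fix:    leak=%d\n", victim_sees_leak(true));
	return 0;
}
```

Without the invalidation the victim's owner check still passes after the failed restore, so the two registers the simulated XRSTOR clobbered from the other task's signal frame reach the victim's user space; with it, the owner pointer is cleared and the victim reloads from its own saved state.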
Thread overview: 4+ messages
2021-06-21 10:51 FAILED: patch "[PATCH] x86/fpu: Invalidate FPU state after a failed XRSTOR from a" failed to apply to 5.4-stable tree gregkh
2021-06-21 14:29 ` Borislav Petkov [this message]
2021-06-21 18:42 ` Andy Lutomirski
2021-06-21 19:34 ` Borislav Petkov