From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751389AbbCGPkw (ORCPT <rfc822;w@1wt.eu>);
	Sat, 7 Mar 2015 10:40:52 -0500
Received: from mx1.redhat.com ([209.132.183.28]:34802 "EHLO mx1.redhat.com"
	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
	id S1751252AbbCGPku (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sat, 7 Mar 2015 10:40:50 -0500
Date: Sat, 7 Mar 2015 16:38:44 +0100
From: Oleg Nesterov <oleg@redhat.com>
To: Dave Hansen <dave.hansen@intel.com>, Borislav Petkov <bp@suse.de>,
        Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@amacapital.net>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Pekka Riikonen <priikone@iki.fi>, Rik van Riel <riel@redhat.com>,
        Suresh Siddha <sbsiddha@gmail.com>,
        LKML <linux-kernel@vger.kernel.org>,
        "Yu, Fenghua" <fenghua.yu@intel.com>,
        Quentin Casasnovas <quentin.casasnovas@oracle.com>
Subject: [PATCH 1/1] x86/fpu: x86/fpu: avoid math_state_restore() without
	used_math() in __restore_xstate_sig()
Message-ID: <20150307153844.GB25954@redhat.com>
References: <54F74F59.5070107@intel.com> <20150305195127.GA12657@redhat.com> <20150307153824.GA25954@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20150307153824.GA25954@redhat.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

math_state_restore() assumes it is called with irqs disabled, but
this is not true if the caller is __restore_xstate_sig().

This means that if ia32_fxstate == T and __copy_from_user() fails
__restore_xstate_sig() returns with irqs disabled too. This trgiggers

	BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41
	[<ffffffff81381499>] dump_stack+0x59/0xa0
	[<ffffffff8106bd05>] ___might_sleep+0x105/0x110
	[<ffffffff8138786d>] ? _raw_spin_unlock_irqrestore+0x3d/0x70
	[<ffffffff8106bd8d>] __might_sleep+0x7d/0xb0
	[<ffffffff81385426>] down_read+0x26/0xa0
	[<ffffffff8138788a>] ? _raw_spin_unlock_irqrestore+0x5a/0x70
	[<ffffffff81136038>] print_vma_addr+0x58/0x130
	[<ffffffff8100239e>] signal_fault+0xbe/0xf0
	[<ffffffff810419aa>] sys32_rt_sigreturn+0xba/0xd0

Change __restore_xstate_sig() to call set_used_math() unconditionally,
this avoids sti/cli in math_state_restore(). If copy_from_user() fails
we can simply do fpu_finit() by hand.

Note: this is only the first step. math_state_restore() should not check
used_math(), it should set this flag. While init_fpu() should simply die.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: <stable@vger.kernel.org>
---
 arch/x86/kernel/xsave.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c
index de9dcf8..dff0ec2 100644
--- a/arch/x86/kernel/xsave.c
+++ b/arch/x86/kernel/xsave.c
@@ -378,7 +378,7 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size)
 		 * thread's fpu state, reconstruct fxstate from the fsave
 		 * header. Sanitize the copied state etc.
 		 */
-		struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave;
+		struct fpu *fpu = &tsk->thread.fpu;
 		struct user_i387_ia32_struct env;
 		int err = 0;
 
@@ -392,14 +392,15 @@ int __restore_xstate_sig(void __user *buf, void __user *buf_fx, int size)
 		 */
 		drop_fpu(tsk);
 
-		if (__copy_from_user(xsave, buf_fx, state_size) ||
+		if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
 		    __copy_from_user(&env, buf, sizeof(env))) {
+			fpu_finit(fpu);
 			err = -1;
 		} else {
 			sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only);
-			set_used_math();
 		}
 
+		set_used_math();
 		if (use_eager_fpu()) {
 			preempt_disable();
 			math_state_restore();
-- 
1.5.5.1