From: Suresh Siddha <suresh.b.siddha@intel.com>
To: "H. Peter Anvin" <hpa@zytor.com>
Cc: Wolfgang Walter <wolfgang.walter@stwm.de>,
Herbert Xu <herbert@gondor.apana.org.au>,
"Siddha, Suresh B" <suresh.b.siddha@intel.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@elte.hu>,
"viro@ZenIV.linux.org.uk" <viro@zeniv.linux.org.uk>,
"vegard.nossum@gmail.com" <vegard.nossum@gmail.com>
Subject: Re: Kernel oops with 2.6.26, padlock and ipsec: probably problem with fpu state changes
Date: Sat, 9 Aug 2008 11:52:24 -0700 [thread overview]
Message-ID: <20080809185224.GH13158@linux-os.sc.intel.com> (raw)
In-Reply-To: <489DC15D.9070308@zytor.com>
On Sat, Aug 09, 2008 at 09:10:05AM -0700, H. Peter Anvin wrote:
> Wolfgang Walter wrote:
> > How could any kernel code use MMX/SSE/FPU when the interrupt case isn't
> > handled?
>
> I don't think we have ever allowed MMX/SSE/FPU code in interrupt
> handlers. kernel_fpu_begin()..end() lock out preemption, and so could
> only be interrupted, not preempted.
Yes, fast handlers fall back to slow handlers in the interrupt context
and don't touch FP/SSE and thus avoid the kernel nesting.
hmm, in the padlock interrupt usage scenario(even though it doesn't touch FP/SSE
registers), kernel_fpu_begin/end() will not solve the problem,
as nesting of kernel_fpu_begin() is not ok, as we unconditionally
do stts() in kernel_fpu_end(). So the proposed patch is not ok,
as we end up corrupting first kernel FP usage.
> > Or is your argument that its lazy allocation itself is the problem: this
> > nesting could always happen and was a bug but only with lazy allocation it is
> > dangerous (as it may cause a spurious math fault in the race window).
> >
> > If this were right than any kernel code executing SSE may trigger now a oops
> > in __switch_to() under some special circumstances.
>
> If lazy allocation can cause the RAID code, for example (which executes
> SSE instructions in the kernel, but not at interrupt time) to start
> randomly oopsing, then lazy allocations have to be pulled.
While the lazy allocation is not a big thing and can be pulled(with a
very small patch), this has brought two existing security issues to light
so far. one in lguest code(fixed now) and now in padlock usage. I think even
in 2.6.25, padlock usage can easily can cause the FPU leakage as I mentioned
in another response.
Backing out lazy allocation is not just enough here. Let me think a little
more on this.
thanks,
suresh
next prev parent reply other threads:[~2008-08-09 18:52 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-17 14:53 Kernel oops with 2.6.26 and ipsec (Was: Re: IPSEC in 2.6.25 causes stalled connections) Wolfgang Walter
2008-07-17 20:42 ` Kernel oops with 2.6.26 and ipsec Wolfgang Walter
[not found] ` <200807301411.01622.wolfgang.walter@stwm.de>
[not found] ` <20080806103354.GA31623@gondor.apana.org.au>
2008-08-06 17:33 ` Kernel oops with 2.6.26, padlock and ipsec: probably problem with fpu state changes Wolfgang Walter
2008-08-06 20:14 ` Suresh Siddha
2008-08-06 21:21 ` Suresh Siddha
2008-08-07 0:38 ` Wolfgang Walter
2008-08-08 8:44 ` Wolfgang Walter
2008-08-08 18:31 ` Vegard Nossum
2008-08-07 16:23 ` Wolfgang Walter
2008-08-08 10:36 ` Wolfgang Walter
2008-08-08 18:53 ` Suresh Siddha
2008-08-08 19:01 ` H. Peter Anvin
2008-08-08 19:19 ` Wolfgang Walter
2008-08-08 23:11 ` Suresh Siddha
2008-08-09 0:38 ` Herbert Xu
2008-08-09 1:23 ` Herbert Xu
2008-08-09 1:54 ` Wolfgang Walter
2008-08-09 2:16 ` Herbert Xu
2008-08-09 3:09 ` Wolfgang Walter
2008-08-09 3:20 ` Herbert Xu
2008-08-09 14:29 ` Herbert Xu
2008-08-09 14:32 ` Herbert Xu
2008-08-09 17:52 ` Suresh Siddha
2008-08-10 5:30 ` Herbert Xu
2008-08-10 5:41 ` H. Peter Anvin
2008-08-11 22:57 ` Suresh Siddha
2008-08-09 17:48 ` Suresh Siddha
2008-08-09 1:28 ` Wolfgang Walter
2008-08-09 13:31 ` Herbert Xu
2008-08-09 14:37 ` Herbert Xu
2008-08-09 15:14 ` Wolfgang Walter
2008-08-09 15:57 ` Wolfgang Walter
2008-08-09 16:10 ` H. Peter Anvin
2008-08-09 17:02 ` Wolfgang Walter
2008-08-09 18:52 ` Suresh Siddha [this message]
2008-08-09 19:37 ` Suresh Siddha
2008-08-09 22:59 ` Wolfgang Walter
2008-08-10 3:05 ` Herbert Xu
2008-08-11 19:01 ` Suresh Siddha
2008-08-11 19:22 ` Ingo Molnar
2008-08-11 19:24 ` H. Peter Anvin
2008-08-11 20:19 ` Suresh Siddha
2008-08-12 0:39 ` Herbert Xu
2008-08-12 0:42 ` H. Peter Anvin
2008-08-12 0:46 ` Herbert Xu
2008-08-12 0:48 ` H. Peter Anvin
2008-08-12 0:52 ` Herbert Xu
2008-08-12 0:38 ` Wolfgang Walter
2008-08-12 11:43 ` Wolfgang Walter
2008-08-12 12:02 ` Herbert Xu
2008-08-12 18:28 ` Suresh Siddha
2008-08-12 23:40 ` Herbert Xu
2008-08-09 18:12 ` Suresh Siddha
2008-08-09 18:54 ` Suresh Siddha
2008-08-09 16:05 ` H. Peter Anvin
2008-08-09 18:14 ` Suresh Siddha
2008-08-10 0:29 ` Herbert Xu
2008-08-10 1:56 ` Wolfgang Walter
2008-08-10 1:59 ` Herbert Xu
2008-08-09 17:59 ` Suresh Siddha
2008-08-10 1:40 ` Herbert Xu
2008-08-09 1:49 ` Herbert Xu
2008-08-09 1:59 ` H. Peter Anvin
2008-08-09 2:43 ` Wolfgang Walter
2008-08-09 3:30 ` H. Peter Anvin
2008-08-09 10:50 ` Wolfgang Walter
2008-08-08 19:09 ` Wolfgang Walter
2008-08-08 19:32 ` Suresh Siddha
2008-08-08 23:10 ` Wolfgang Walter
2008-08-08 23:15 ` Suresh Siddha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080809185224.GH13158@linux-os.sc.intel.com \
--to=suresh.b.siddha@intel.com \
--cc=herbert@gondor.apana.org.au \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=netdev@vger.kernel.org \
--cc=vegard.nossum@gmail.com \
--cc=viro@zeniv.linux.org.uk \
--cc=wolfgang.walter@stwm.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).