From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4FFB9C433DF for ; Fri, 24 Jul 2020 17:44:37 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2DC492070B for ; Fri, 24 Jul 2020 17:44:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595612677; bh=bAQpgRroLYP5aRy6ABfGc3GgdNAR1aE+sPxU5qd9MzQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=kahZNmHUcC6QbKknrY9rZOnI7aTt8zE+GRWOx7jemgGaW1pyH/Fc1RsWZLoHLllI2 YTyIAAGCOwCAStj4DDysifb0TDPap3xZQoiOH3OG4A4nkSrodAqjlBv1C58Km3R4FZ wAFfQeUdIlHHrWcYfORM4tawbe9wEZqgxTUJOfMg= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726593AbgGXRog (ORCPT ); Fri, 24 Jul 2020 13:44:36 -0400 Received: from mail.kernel.org ([198.145.29.99]:51564 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726381AbgGXRog (ORCPT ); Fri, 24 Jul 2020 13:44:36 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3402A2067D; Fri, 24 Jul 2020 17:44:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595612675; bh=bAQpgRroLYP5aRy6ABfGc3GgdNAR1aE+sPxU5qd9MzQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=eduqc2DjA8GQbBNmmXwHci4z566RPcuNqvvblv4OJPEP+cg1NMrBHRTOPKmptXOiL fbD3r87NblRq9eY8+ROnWRqvfuRP/YiU60A6eLZmoeEwfuQ2N356OsEYUTRGwTlv8W jDTvet9vZgTOohuYEsGJt9hDSwUV2MgGyrPXPSXo= Date: Fri, 24 Jul 2020 19:44:37 +0200 From: Greg Kroah-Hartman To: Jan Kiszka Cc: linux-kernel@vger.kernel.org, Sebastian Andrzej Siewior , stable@vger.kernel.org, Borislav Petkov , Ingo Molnar , Thomas Gleixner , Andy Lutomirski , Dave Hansen , "H. Peter Anvin" , "Jason A. Donenfeld" , kvm ML , Paolo Bonzini , Radim =?utf-8?B?S3LEjW3DocWZ?= , Rik van Riel , x86-ml , cip-dev Subject: Re: [PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers Message-ID: <20200724174437.GB555114@kroah.com> References: <20181228113126.144310132@linuxfoundation.org> <20181228113127.414176417@linuxfoundation.org> <01857944-ce1a-c6cd-3666-1e9b6ca8cccc@siemens.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <01857944-ce1a-c6cd-3666-1e9b6ca8cccc@siemens.com> Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org On Fri, Jul 24, 2020 at 07:07:06PM +0200, Jan Kiszka wrote: > On 28.12.18 12:52, Greg Kroah-Hartman wrote: > > 4.9-stable review patch. If anyone has any objections, please let me know. > > > > ------------------ > > > > From: Sebastian Andrzej Siewior > > > > commit 68239654acafe6aad5a3c1dc7237e60accfebc03 upstream. > > > > The sequence > > > > fpu->initialized = 1; /* step A */ > > preempt_disable(); /* step B */ > > fpu__restore(fpu); > > preempt_enable(); > > > > in __fpu__restore_sig() is racy in regard to a context switch. > > > > For 32bit frames, __fpu__restore_sig() prepares the FPU state within > > fpu->state. To ensure that a context switch (switch_fpu_prepare() in > > particular) does not modify fpu->state it uses fpu__drop() which sets > > fpu->initialized to 0. > > > > After fpu->initialized is cleared, the CPU's FPU state is not saved > > to fpu->state during a context switch. The new state is loaded via > > fpu__restore(). It gets loaded into fpu->state from userland and > > ensured it is sane. fpu->initialized is then set to 1 in order to avoid > > fpu__initialize() doing anything (overwrite the new state) which is part > > of fpu__restore(). > > > > A context switch between step A and B above would save CPU's current FPU > > registers to fpu->state and overwrite the newly prepared state. This > > looks like a tiny race window but the Kernel Test Robot reported this > > back in 2016 while we had lazy FPU support. Borislav Petkov made the > > link between that report and another patch that has been posted. Since > > the removal of the lazy FPU support, this race goes unnoticed because > > the warning has been removed. > > > > Disable bottom halves around the restore sequence to avoid the race. BH > > need to be disabled because BH is allowed to run (even with preemption > > disabled) and might invoke kernel_fpu_begin() by doing IPsec. > > > > [ bp: massage commit message a bit. ] > > > > Signed-off-by: Sebastian Andrzej Siewior > > Signed-off-by: Borislav Petkov > > Acked-by: Ingo Molnar > > Acked-by: Thomas Gleixner > > Cc: Andy Lutomirski > > Cc: Dave Hansen > > Cc: "H. Peter Anvin" > > Cc: "Jason A. Donenfeld" > > Cc: kvm ML > > Cc: Paolo Bonzini > > Cc: Radim Krčmář > > Cc: Rik van Riel > > Cc: stable@vger.kernel.org > > Cc: x86-ml > > Link: http://lkml.kernel.org/r/20181120102635.ddv3fvavxajjlfqk@linutronix.de > > Link: https://lkml.kernel.org/r/20160226074940.GA28911@pd.tnic > > Signed-off-by: Sebastian Andrzej Siewior > > Signed-off-by: Greg Kroah-Hartman > > --- > > arch/x86/kernel/fpu/signal.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > --- a/arch/x86/kernel/fpu/signal.c > > +++ b/arch/x86/kernel/fpu/signal.c > > @@ -342,10 +342,10 @@ static int __fpu__restore_sig(void __use > > sanitize_restored_xstate(tsk, &env, xfeatures, fx_only); > > } > > + local_bh_disable(); > > fpu->fpstate_active = 1; > > - preempt_disable(); > > fpu__restore(fpu); > > - preempt_enable(); > > + local_bh_enable(); > > return err; > > } else { > > > > > > Any reason why the backport stopped back than at 4.9? I just debugged this > out of a 4.4 kernel, and it is needed there as well. I'm happy to propose a > backport, would just appreciate a hint if the BH protection is needed also > there (my case was without BH). You are asking about something we did back in 2018. I can't remember what I did last week :) If you provide a backport that works, I'll be glad to take it. The current patch does not apply cleanly there at all. thanks, greg k-h