From: Andy Lutomirski <luto@kernel.org>
To: Borislav Petkov <bp@alien8.de>, Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
x86@kernel.org, Dave Hansen <dave.hansen@linux.intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
Tony Luck <tony.luck@intel.com>,
Yu-cheng Yu <yu-cheng.yu@intel.com>,
stable@vger.kernel.org
Subject: Re: [patch 3/8] x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer
Date: Thu, 3 Jun 2021 10:30:05 -0700 [thread overview]
Message-ID: <6220f2da-1d5b-843c-fa82-58a28fbcdd6b@kernel.org> (raw)
In-Reply-To: <YLeedfdsnsKqcbGx@zn.tnic>
On 6/2/21 8:06 AM, Borislav Petkov wrote:
> On Wed, Jun 02, 2021 at 11:55:46AM +0200, Thomas Gleixner wrote:
>> From: Andy Lutomirski <luto@kernel.org>
>>
>> If XRSTOR fails due to sufficiently complicated paging errors (e.g.
>> concurrent TLB invalidation),
>
> I can't connect "concurrent TLB invalidation" to "sufficiently
> complicated paging errors". Can you elaborate pls?
Think "complex microarchitectural conditions".
How about:
As far as I can tell, both Intel and AMD consider it to be
architecturally valid for XRSTOR to fail with #PF but nonetheless change
user state. The actual conditions under which this might occur are
unclear [1], but it seems plausible that this might be triggered if one
sibling thread unmaps a page and invalidates the shared TLB while
another sibling thread is executing XRSTOR on the page in question.
__fpu__restore_sig() can execute XRSTOR while the hardware registers are
preserved on behalf of a different victim task (using the
fpu_fpregs_owner_ctx mechanism), and, in theory, XRSTOR could fail but
modify the registers. If this happens, then there is a window in which
__fpu__restore_sig() could schedule out and the victim task could
schedule back in without reloading its own FPU registers. This would
result in part of the FPU state that __fpu__restore_sig() was attempting
to load leaking into the victim task's user-visible state.
Invalidate preserved FPU registers on XRSTOR failure to prevent this
situation from corrupting any state.
[1] Frequent readers of the errata lists might imagine "complex
microarchitectural conditions".
>> + * failed. In the event that the ucode was
>> + * unfriendly and modified the registers at all, we
>> + * need to make sure that we aren't corrupting an
>> + * innocent non-current task's registers.
>> + */
>> + __cpu_invalidate_fpregs_state();
>> + } else {
>> + /*
>> + * As above, we may have just clobbered current's
>> + * user FPU state. We will either successfully
>> + * load it or clear it below, so no action is
>> + * required here.
>> + */
>> + }
>
> I'm wondering if that comment can simply be above the TIF_NEED_FPU_LOAD
> testing, standalone, instead of having it in an empty else? And then get
> rid of that else.
I'm fine either way.
next prev parent reply other threads:[~2021-06-03 17:30 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-02 9:55 [patch 0/8] x86/fpu: Mop up XSAVES and related damage Thomas Gleixner
2021-06-02 9:55 ` [patch 1/8] selftests/x86: Test signal frame XSTATE header corruption handling Thomas Gleixner
2021-06-02 12:38 ` Borislav Petkov
2021-06-02 14:15 ` Thomas Gleixner
2021-06-03 13:16 ` Shuah Khan
2021-06-02 15:59 ` [patch V2 " Thomas Gleixner
2021-06-02 16:02 ` [patch V2a " Thomas Gleixner
2021-06-02 9:55 ` [patch 2/8] x86/fpu: Prevent state corruption in __fpu__restore_sig() Thomas Gleixner
2021-06-02 13:12 ` Borislav Petkov
2021-06-02 14:46 ` Thomas Gleixner
2021-06-02 15:58 ` [patch V2 " Thomas Gleixner
2021-06-02 9:55 ` [patch 3/8] x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer Thomas Gleixner
2021-06-02 15:06 ` Borislav Petkov
2021-06-03 17:30 ` Andy Lutomirski [this message]
2021-06-03 19:28 ` Borislav Petkov
2021-06-02 9:55 ` [patch 4/8] x86/fpu: Limit xstate copy size in xstateregs_set() Thomas Gleixner
2021-06-02 17:44 ` Borislav Petkov
2021-06-02 9:55 ` [patch 5/8] x86/fpu: Sanitize xstateregs_set() Thomas Gleixner
2021-06-02 16:01 ` [patch V2 " Thomas Gleixner
2021-06-03 11:32 ` Borislav Petkov
2021-06-03 17:24 ` [patch " Andy Lutomirski
2021-06-02 9:55 ` [patch 6/8] x86/fpu: Add address range checks to copy_user_to_xstate() Thomas Gleixner
2021-06-02 9:55 ` [patch 7/8] x86/fpu: Clean up the fpu__clear() variants Thomas Gleixner
2021-06-02 9:55 ` [patch 8/8] x86/fpu: Deduplicate copy_xxx_to_xstate() Thomas Gleixner
2021-06-03 16:56 ` Andy Lutomirski
2021-06-02 21:28 ` [patch 0/8] x86/fpu: Mop up XSAVES and related damage Yu, Yu-cheng
2021-06-04 14:05 ` Thomas Gleixner
2021-06-04 16:27 ` Yu, Yu-cheng
2021-06-04 17:46 ` Dave Hansen
2021-06-04 18:14 ` Thomas Gleixner
2021-06-04 22:04 ` Dave Hansen
2021-06-05 10:18 ` Thomas Gleixner
2021-06-05 11:56 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6220f2da-1d5b-843c-fa82-58a28fbcdd6b@kernel.org \
--to=luto@kernel.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=fenghua.yu@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
--cc=yu-cheng.yu@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.