From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A1D06C433F2 for ; Fri, 24 Jul 2020 18:12:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 85A7B20759 for ; Fri, 24 Jul 2020 18:12:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595614326; bh=GyWp8VrTjZ0A08Fvlj0CfmjIs4WgMSh7t+oFkdXeAn0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=UEJQasCfvKL6pBR/zlctsS4pywdbM55ZYMabxmJgy1OlMoVpGcEZ/whAsQ0UIAvSo bs1B6oOSzBBJECOyrjPRgiUsyMA20hYxrV+vhtokx1ShSPXd/qcEdodJQdLYq6F5tF 2SyHCgHvNREcHaCXkpPofENhbP0F4iP/6CArOqIw= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727045AbgGXSMF (ORCPT ); Fri, 24 Jul 2020 14:12:05 -0400 Received: from mail.kernel.org ([198.145.29.99]:58658 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726639AbgGXSME (ORCPT ); Fri, 24 Jul 2020 14:12:04 -0400 Received: from localhost (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AC1BC20674; Fri, 24 Jul 2020 18:12:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595614324; bh=GyWp8VrTjZ0A08Fvlj0CfmjIs4WgMSh7t+oFkdXeAn0=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=I/SNsW+PQboUSevmXeGiN5O7Fh8HhWNrSVxrBxr7Cr2YDO+8yOemA5h5Bw0rDujYq wfxdPwxodeCw1hkqehMgYSxgm+DSXCWVHzs96TPgY8u/XTjlZJ/LYiWTnDlkhivB18 pbKn/Sqmxa+8qDRP0Vto3BuFF3ciBpFfX3u43/9A= Date: Fri, 24 Jul 2020 14:12:02 -0400 From: Sasha Levin To: Greg Kroah-Hartman Cc: Jan Kiszka , linux-kernel@vger.kernel.org, Sebastian Andrzej Siewior , stable@vger.kernel.org, Borislav Petkov , Ingo Molnar , Thomas Gleixner , Andy Lutomirski , Dave Hansen , "H. Peter Anvin" , "Jason A. Donenfeld" , kvm ML , Paolo Bonzini , Radim =?utf-8?B?S3LEjW3DocWZ?= , Rik van Riel , x86-ml , cip-dev Subject: Re: [PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers Message-ID: <20200724181202.GG406581@sasha-vm> References: <20181228113126.144310132@linuxfoundation.org> <20181228113127.414176417@linuxfoundation.org> <01857944-ce1a-c6cd-3666-1e9b6ca8cccc@siemens.com> <20200724174437.GB555114@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20200724174437.GB555114@kroah.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jul 24, 2020 at 07:44:37PM +0200, Greg Kroah-Hartman wrote: >On Fri, Jul 24, 2020 at 07:07:06PM +0200, Jan Kiszka wrote: >> On 28.12.18 12:52, Greg Kroah-Hartman wrote: >> > 4.9-stable review patch. If anyone has any objections, please let me know. >> > >> > ------------------ >> > >> > From: Sebastian Andrzej Siewior >> > >> > commit 68239654acafe6aad5a3c1dc7237e60accfebc03 upstream. >> > >> > The sequence >> > >> > fpu->initialized = 1; /* step A */ >> > preempt_disable(); /* step B */ >> > fpu__restore(fpu); >> > preempt_enable(); >> > >> > in __fpu__restore_sig() is racy in regard to a context switch. >> > >> > For 32bit frames, __fpu__restore_sig() prepares the FPU state within >> > fpu->state. To ensure that a context switch (switch_fpu_prepare() in >> > particular) does not modify fpu->state it uses fpu__drop() which sets >> > fpu->initialized to 0. >> > >> > After fpu->initialized is cleared, the CPU's FPU state is not saved >> > to fpu->state during a context switch. The new state is loaded via >> > fpu__restore(). It gets loaded into fpu->state from userland and >> > ensured it is sane. fpu->initialized is then set to 1 in order to avoid >> > fpu__initialize() doing anything (overwrite the new state) which is part >> > of fpu__restore(). >> > >> > A context switch between step A and B above would save CPU's current FPU >> > registers to fpu->state and overwrite the newly prepared state. This >> > looks like a tiny race window but the Kernel Test Robot reported this >> > back in 2016 while we had lazy FPU support. Borislav Petkov made the >> > link between that report and another patch that has been posted. Since >> > the removal of the lazy FPU support, this race goes unnoticed because >> > the warning has been removed. >> > >> > Disable bottom halves around the restore sequence to avoid the race. BH >> > need to be disabled because BH is allowed to run (even with preemption >> > disabled) and might invoke kernel_fpu_begin() by doing IPsec. >> > >> > [ bp: massage commit message a bit. ] >> > >> > Signed-off-by: Sebastian Andrzej Siewior >> > Signed-off-by: Borislav Petkov >> > Acked-by: Ingo Molnar >> > Acked-by: Thomas Gleixner >> > Cc: Andy Lutomirski >> > Cc: Dave Hansen >> > Cc: "H. Peter Anvin" >> > Cc: "Jason A. Donenfeld" >> > Cc: kvm ML >> > Cc: Paolo Bonzini >> > Cc: Radim Krčmář >> > Cc: Rik van Riel >> > Cc: stable@vger.kernel.org >> > Cc: x86-ml >> > Link: http://lkml.kernel.org/r/20181120102635.ddv3fvavxajjlfqk@linutronix.de >> > Link: https://lkml.kernel.org/r/20160226074940.GA28911@pd.tnic >> > Signed-off-by: Sebastian Andrzej Siewior >> > Signed-off-by: Greg Kroah-Hartman >> > --- >> > arch/x86/kernel/fpu/signal.c | 4 ++-- >> > 1 file changed, 2 insertions(+), 2 deletions(-) >> > >> > --- a/arch/x86/kernel/fpu/signal.c >> > +++ b/arch/x86/kernel/fpu/signal.c >> > @@ -342,10 +342,10 @@ static int __fpu__restore_sig(void __use >> > sanitize_restored_xstate(tsk, &env, xfeatures, fx_only); >> > } >> > + local_bh_disable(); >> > fpu->fpstate_active = 1; >> > - preempt_disable(); >> > fpu__restore(fpu); >> > - preempt_enable(); >> > + local_bh_enable(); >> > return err; >> > } else { >> > >> > >> >> Any reason why the backport stopped back than at 4.9? I just debugged this >> out of a 4.4 kernel, and it is needed there as well. I'm happy to propose a >> backport, would just appreciate a hint if the BH protection is needed also >> there (my case was without BH). > >You are asking about something we did back in 2018. I can't remember >what I did last week :) > >If you provide a backport that works, I'll be glad to take it. The >current patch does not apply cleanly there at all. The conflict was due to a missing rename back in 4.4: e4a81bfcaae1 ("x86/fpu: Rename fpu::fpstate_active to fpu::initialized"). I've fixed up the patch and queued it for 4.4, thanks for pointing it out Jan! -- Thanks, Sasha