[PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Yu-cheng Yu]

XSAVES uses compacted format and is a kernel instruction. The kernel
should use standard-format, non-supervisor state data for PTRACE.

Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com>
---
 arch/x86/include/asm/fpu/xstate.h |   4 +
 arch/x86/kernel/fpu/regset.c      |  56 +++++++++----
 arch/x86/kernel/fpu/xstate.c      | 167 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 211 insertions(+), 16 deletions(-)

diff --git a/arch/x86/include/asm/fpu/xstate.h b/arch/x86/include/asm/fpu/xstate.h
index b4f5d94..a5cd808 100644
--- a/arch/x86/include/asm/fpu/xstate.h
+++ b/arch/x86/include/asm/fpu/xstate.h
@@ -50,5 +50,9 @@ extern void update_regset_xstate_info(unsigned int size, u64 xstate_mask);
 void fpu__xstate_clear_all_cpu_caps(void);
 void *get_xsave_addr(struct xregs_state *xsave, int xstate);
 const void *get_xsave_field_ptr(int xstate_field);
+int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
+			void __user *ubuf, const struct xregs_state *xsave);
+int copyin_to_xsaves(const void *kbuf, const void __user *ubuf,
+		     struct xregs_state *xsave);
 
 #endif
diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
index 0bc3490..61fe8e9 100644
--- a/arch/x86/kernel/fpu/regset.c
+++ b/arch/x86/kernel/fpu/regset.c
@@ -4,6 +4,7 @@
 #include <asm/fpu/internal.h>
 #include <asm/fpu/signal.h>
 #include <asm/fpu/regset.h>
+#include <asm/fpu/xstate.h>
 
 /*
  * The xstateregs_active() routine is the same as the regset_fpregs_active() routine,
@@ -82,21 +83,30 @@ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
 	if (!cpu_has_xsave)
 		return -ENODEV;
 
+	xsave = &fpu->state.xsave;
+
 	fpu__activate_fpstate_read(fpu);
 
-	xsave = &fpu->state.xsave;
+	if (boot_cpu_has(X86_FEATURE_XSAVES)) {
+		ret = copyout_from_xsaves(pos, count, kbuf, ubuf, xsave);
+	} else {
+		fpstate_sanitize_xstate(fpu);
+
+		/*
+		 * Copy the 48 bytes defined by the software into the xsave
+		 * area in the thread struct, so that we can copy the whole
+		 * area to user using one user_regset_copyout().
+		 */
+		memcpy(&xsave->i387.sw_reserved,
+			xstate_fx_sw_bytes, sizeof(xstate_fx_sw_bytes));
+
+		/*
+		 * Copy the xstate memory layout.
+		 */
+		ret = user_regset_copyout(&pos,
+					  &count, &kbuf, &ubuf, xsave, 0, -1);
+	}
 
-	/*
-	 * Copy the 48bytes defined by the software first into the xstate
-	 * memory layout in the thread struct, so that we can copy the entire
-	 * xstateregs to the user using one user_regset_copyout().
-	 */
-	memcpy(&xsave->i387.sw_reserved,
-		xstate_fx_sw_bytes, sizeof(xstate_fx_sw_bytes));
-	/*
-	 * Copy the xstate memory layout.
-	 */
-	ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
 	return ret;
 }
 
@@ -111,11 +121,29 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
 	if (!cpu_has_xsave)
 		return -ENODEV;
 
-	fpu__activate_fpstate_write(fpu);
+	/*
+	 * A whole standard-format XSAVE buffer is needed.
+	 */
+	if ((pos != 0) || (count < user_xstate_size))
+		return -EFAULT;
 
 	xsave = &fpu->state.xsave;
 
-	ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
+	fpu__activate_fpstate_write(fpu);
+
+	if (boot_cpu_has(X86_FEATURE_XSAVES))
+		ret = copyin_to_xsaves(kbuf, ubuf, xsave);
+	else
+		ret = user_regset_copyin(&pos,
+					 &count, &kbuf, &ubuf, xsave, 0, -1);
+
+	/*
+	 * In case of failure, mark all states as init.
+	 */
+
+	if (ret)
+		fpstate_init(&fpu->state);
+
 	/*
 	 * mxcsr reserved bits must be masked to zero for security reasons.
 	 */
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 4087261..512e71f 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -677,7 +677,13 @@ void __init fpu__init_system_xstate(void)
 		return;
 	}
 
-	update_regset_xstate_info(kernel_xstate_size, xfeatures_mask);
+	/*
+	 * Update info used for ptrace frames; use standard-format size and no
+	 * supervisor xstates.
+	 */
+	update_regset_xstate_info(user_xstate_size,
+		xfeatures_mask & ~XFEATURE_MASK_SUPERVISOR);
+
 	fpu__init_prepare_fx_sw_frame();
 	setup_init_fpu_buf();
 	setup_xstate_comp();
@@ -701,6 +707,15 @@ void fpu__resume_cpu(void)
 }
 
 /*
+ * Get an xstate component address for either kernel or user mode.
+ */
+static void *get_xsave_addr_no_check(const struct xregs_state *xsave,
+				     int feature_nr)
+{
+	return (void *)xsave + xstate_comp_offsets[feature_nr];
+}
+
+/*
  * Given the xsave area and a state inside, this function returns the
  * address of the state.
  *
@@ -748,7 +763,7 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
 	if (!(xsave->header.xfeatures & xstate_feature))
 		return NULL;
 
-	return (void *)xsave + xstate_comp_offsets[feature_nr];
+	return get_xsave_addr_no_check(xsave, feature_nr);
 }
 EXPORT_SYMBOL_GPL(get_xsave_addr);
 
@@ -783,3 +798,151 @@ const void *get_xsave_field_ptr(int xsave_state)
 
 	return get_xsave_addr(&fpu->state.xsave, xsave_state);
 }
+
+/*
+ * This is similar to user_regset_copyout(), but will not add offset to
+ * the source data pointer or increment pos, count, kbuf, and ubuf.
+ */
+static inline int xstate_copyout(unsigned int pos, unsigned int count,
+				 void *kbuf, void __user *ubuf,
+				 const void *data, const int start_pos,
+				 const int end_pos)
+{
+	if ((count == 0) || (pos < start_pos))
+		return 0;
+
+	if (end_pos < 0 || pos < end_pos) {
+		unsigned int copy =
+			(end_pos < 0 ? count : min(count, end_pos - pos));
+
+		if (kbuf)
+			memcpy(kbuf + pos, data, copy);
+		else if (__copy_to_user(ubuf + pos, data, copy))
+			return -EFAULT;
+	}
+	return 0;
+}
+
+/*
+ * Convert from kernel XSAVES compacted format to standard format and copy
+ * to a ptrace buffer. It supports partial copy but pos always starts from
+ * zero. This is called from xstateregs_get() and there we check the cpu
+ * has XSAVES.
+ */
+int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
+			void __user *ubuf, const struct xregs_state *xsave)
+{
+	unsigned int offset, size;
+	int ret, i;
+	struct xstate_header header;
+
+	/*
+	 * Currently copy_regset_to_user() starts from pos 0.
+	 */
+	if (unlikely(pos != 0))
+		return -EFAULT;
+
+	/*
+	 * The destination is a ptrace buffer; we put in only user xstates.
+	 */
+	memset(&header, 0, sizeof(header));
+	header.xfeatures = xsave->header.xfeatures;
+	header.xfeatures &= ~XFEATURE_MASK_SUPERVISOR;
+
+	/*
+	 * Copy xregs_state->header.
+	 */
+	offset = offsetof(struct xregs_state, header);
+	size = sizeof(header);
+
+	ret = xstate_copyout(offset, size, kbuf, ubuf, &header, 0, count);
+
+	if (ret)
+		return ret;
+
+	for (i = 0; i < XFEATURE_MAX; i++) {
+		/*
+		 * Copy only in-use xstates.
+		 */
+		if (((header.xfeatures >> i) & 1) && xfeature_enabled(i)) {
+			void *src = get_xsave_addr_no_check(xsave, i);
+
+			offset = xstate_offsets[i];
+			size = xstate_sizes[i];
+
+			ret = xstate_copyout(offset, size, kbuf, ubuf, src, 0,
+					     count);
+
+			if (ret)
+				return ret;
+
+			if (offset + size >= count)
+				break;
+		}
+	}
+
+	/*
+	 * Fill xsave->i387.sw_reserved value for ptrace frame.
+	 */
+	offset = offsetof(struct fxregs_state, sw_reserved);
+	size = sizeof(xstate_fx_sw_bytes);
+
+	ret = xstate_copyout(offset, size, kbuf, ubuf, xstate_fx_sw_bytes, 0,
+			     count);
+
+	if (ret)
+		return ret;
+
+	return 0;
+}
+
+/*
+ * Convert from a ptrace standard-format buffer to kernel XSAVES format
+ * and copy to the target thread. This is called from xstateregs_set() and
+ * there we check the cpu has XSAVES and a whole standard-sized buffer
+ * exists.
+ */
+int copyin_to_xsaves(const void *kbuf, const void __user *ubuf,
+		     struct xregs_state *xsave)
+{
+	unsigned int offset, size;
+	int i;
+	u64 xfeatures;
+
+	offset = offsetof(struct xregs_state, header);
+	size = sizeof(xfeatures);
+
+	if (kbuf)
+		memcpy(&xfeatures, kbuf + offset, size);
+	else if (__copy_from_user(&xfeatures, ubuf + offset, size))
+		return -EFAULT;
+
+	/*
+	 * Reject if the user tries to set any supervisor xstates.
+	 */
+	if (xfeatures & XFEATURE_MASK_SUPERVISOR)
+		return -EINVAL;
+
+	for (i = 0; i < XFEATURE_MAX; i++) {
+		u64 mask = ((u64)1 << i);
+
+		if ((xfeatures & mask) && xfeature_enabled(i)) {
+			void *dst = get_xsave_addr_no_check(xsave, i);
+
+			offset = xstate_offsets[i];
+			size = xstate_sizes[i];
+
+			if (kbuf)
+				memcpy(dst, kbuf + offset, size);
+			else if (__copy_from_user(dst, ubuf + offset, size))
+				return -EFAULT;
+		}
+	}
+
+	if (xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR)
+		xsave->header.xfeatures = xfeatures | XFEATURE_MASK_SUPERVISOR;
+	else
+		xsave->header.xfeatures = xfeatures;
+
+	return 0;
+}
-- 
1.9.1

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Dave Hansen]

On 02/22/2016 11:00 AM, Yu-cheng Yu wrote:
> +	if (xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR)
> +		xsave->header.xfeatures = xfeatures | XFEATURE_MASK_SUPERVISOR;
> +	else
> +		xsave->header.xfeatures = xfeatures;

This is dangerous.  It says, "if any supervisor feature bit is set, then
set *ALL* of the known bits".  There's no way that can work.

Don't you just want to or in the new bits that were in the passed-in
'xfeatures':

	xsave->header.xfeatures |= xfeatures;

'xfeatures' is known not to contain any supervisor bits.

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Yu-cheng Yu]

On Mon, Feb 22, 2016 at 12:00:02PM -0800, Dave Hansen wrote:
> On 02/22/2016 11:00 AM, Yu-cheng Yu wrote:
> > +	if (xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR)
> > +		xsave->header.xfeatures = xfeatures | XFEATURE_MASK_SUPERVISOR;
> > +	else
> > +		xsave->header.xfeatures = xfeatures;
> 
> This is dangerous.  It says, "if any supervisor feature bit is set, then
> set *ALL* of the known bits".  There's no way that can work.
> 
> Don't you just want to or in the new bits that were in the passed-in
> 'xfeatures':
> 
> 	xsave->header.xfeatures |= xfeatures;
> 
> 'xfeatures' is known not to contain any supervisor bits.
> 

It should have been:

	xsave->header.xfeatures = xfeatures |
		(xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR);

I'll fix it.

--Yu-cheng

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Dave Hansen]

On 02/22/2016 12:48 PM, Yu-cheng Yu wrote:
> It should have been:
> 
> 	xsave->header.xfeatures = xfeatures |
> 		(xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR);
> 
> I'll fix it.

Can we break it out to make it more clear?

/*
 * The state that came in from userspace was user-state only.
 * Mask all the user states out of 'xfeatures'.
 */
xsave->header.xfeatures &= XFEATURE_MASK_SUPERVISOR;
/*
 * add back in the features that came in from userspace
 */
xsave->header.xfeatures |= xfeatures

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Yu-cheng Yu]

On Mon, Feb 22, 2016 at 02:19:05PM -0800, Dave Hansen wrote:
> On 02/22/2016 12:48 PM, Yu-cheng Yu wrote:
> > It should have been:
> > 
> > 	xsave->header.xfeatures = xfeatures |
> > 		(xsave->header.xfeatures & XFEATURE_MASK_SUPERVISOR);
> > 
> > I'll fix it.
> 
> Can we break it out to make it more clear?
> 
> /*
>  * The state that came in from userspace was user-state only.
>  * Mask all the user states out of 'xfeatures'.
>  */
> xsave->header.xfeatures &= XFEATURE_MASK_SUPERVISOR;
> /*
>  * add back in the features that came in from userspace
>  */
> xsave->header.xfeatures |= xfeatures

I will update it in the next version. Thanks!

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Andy Lutomirski]

On Mon, Feb 22, 2016 at 11:00 AM, Yu-cheng Yu <yu-cheng.yu@intel.com> wrote:
> XSAVES uses compacted format and is a kernel instruction. The kernel
> should use standard-format, non-supervisor state data for PTRACE.
>

> +/*
> + * Convert from kernel XSAVES compacted format to standard format and copy
> + * to a ptrace buffer. It supports partial copy but pos always starts from
> + * zero. This is called from xstateregs_get() and there we check the cpu
> + * has XSAVES.
> + */
> +int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
> +                       void __user *ubuf, const struct xregs_state *xsave)

Now that you've written this code, can it be shared with the signal
handling code?

--Andy


--Andy

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Yu-cheng Yu]

On Mon, Feb 22, 2016 at 02:45:54PM -0800, Andy Lutomirski wrote:
> > +/*
> > + * Convert from kernel XSAVES compacted format to standard format and copy
> > + * to a ptrace buffer. It supports partial copy but pos always starts from
> > + * zero. This is called from xstateregs_get() and there we check the cpu
> > + * has XSAVES.
> > + */
> > +int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
> > +                       void __user *ubuf, const struct xregs_state *xsave)
> 
> Now that you've written this code, can it be shared with the signal
> handling code?
> 

For signal handling, we most likely save registers directly to memory.
But for ptrace, the thread being debugged is not the active thread.
Please let me think about it more.

--Yu-cheng

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Dave Hansen]

On 02/22/2016 02:45 PM, Andy Lutomirski wrote:
>> +/*
>> > + * Convert from kernel XSAVES compacted format to standard format and copy
>> > + * to a ptrace buffer. It supports partial copy but pos always starts from
>> > + * zero. This is called from xstateregs_get() and there we check the cpu
>> > + * has XSAVES.
>> > + */
>> > +int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
>> > +                       void __user *ubuf, const struct xregs_state *xsave)
> Now that you've written this code, can it be shared with the signal
> handling code?

It could be.  But the signal handler code has the advantage of already
having the data in the registers since it's running on its *own* FPU
state, so it can just call XSAVE(S) directly.

This ptrace code *could* do a kernel_fpu_begin(), XRSTOR the user buffer
into the registers, XRSTOR the ptracee's system state in to the
registers, then XSAVES the whole thing to the kernel buffer, then
kernel_fpu_end().

Or, we could remove the signal handler's ability to XSAVE directly to
userspace.  But it already *had* that and we know it works.

Re: [PATCH 08/10] x86/xsaves: Fix PTRACE frames for XSAVES

[Andy Lutomirski]

On Mon, Feb 22, 2016 at 2:53 PM, Dave Hansen
<dave.hansen@linux.intel.com> wrote:
> On 02/22/2016 02:45 PM, Andy Lutomirski wrote:
>>> +/*
>>> > + * Convert from kernel XSAVES compacted format to standard format and copy
>>> > + * to a ptrace buffer. It supports partial copy but pos always starts from
>>> > + * zero. This is called from xstateregs_get() and there we check the cpu
>>> > + * has XSAVES.
>>> > + */
>>> > +int copyout_from_xsaves(unsigned int pos, unsigned int count, void *kbuf,
>>> > +                       void __user *ubuf, const struct xregs_state *xsave)
>> Now that you've written this code, can it be shared with the signal
>> handling code?
>
> It could be.  But the signal handler code has the advantage of already
> having the data in the registers since it's running on its *own* FPU
> state, so it can just call XSAVE(S) directly.
>
> This ptrace code *could* do a kernel_fpu_begin(), XRSTOR the user buffer
> into the registers, XRSTOR the ptracee's system state in to the
> registers, then XSAVES the whole thing to the kernel buffer, then
> kernel_fpu_end().
>
> Or, we could remove the signal handler's ability to XSAVE directly to
> userspace.  But it already *had* that and we know it works.

Some day I kind of want to delete all this xsave/xrstor directly on
user buffers code.   I've never been thrilled with the concept, and it
has messy (although AFAICT not presently buggy [1]) interactions with
context switches, and it can't run with preemption disabled because it
can take page faults.

In the mean time, it's fine as far as I know, but maybe it would be
cleaner if it used the software copy code.  Or maybe we can change it
later if a good reason shows up.

[1] actually there's a minor bug in the 32-bit compat code that
Borislav has a patch for.

-- 
Andy Lutomirski
AMA Capital Management, LLC