On Fri, Dec 21, 2018 at 05:23:38PM +0100, Sebastian Andrzej Siewior wrote: > The sequence > > fpu->initialized = 1; /* step A */ > preempt_disable(); /* step B */ > fpu__restore(fpu); > preempt_enable(); > > in __fpu__restore_sig() is racy in regard to a context switch. > > For 32bit frames, __fpu__restore_sig() prepares the FPU state within > fpu->state. To ensure that a context switch (switch_fpu_prepare() in > particular) does not modify fpu->state it uses fpu__drop() which sets > fpu->initialized to 0. > > After fpu->initialized is cleared, the CPU's FPU state is not saved > to fpu->state during a context switch. The new state is loaded via > fpu__restore(). It gets loaded into fpu->state from userland and > ensured it is sane. fpu->initialized is then set to 1 in order to avoid > fpu__initialize() doing anything (overwrite the new state) which is part > of fpu__restore(). > > A context switch between step A and B above would save CPU's current FPU > registers to fpu->state and overwrite the newly prepared state. This > looks like a tiny race window but the Kernel Test Robot reported this > back in 2016 while we had lazy FPU support. Borislav Petkov made the > link between that report and another patch that has been posted. Since > the removal of the lazy FPU support, this race goes unnoticed because > the warning has been removed. > > Disable bottom halves around the restore sequence to avoid the race. BH > need to be disabled because BH is allowed to run (even with preemption > disabled) and might invoke kernel_fpu_begin() by doing IPsec. > > [ bp: massage commit message a bit. ] > > Signed-off-by: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> > Signed-off-by: Borislav Petkov <bp@xxxxxxx> > Acked-by: Ingo Molnar <mingo@xxxxxxxxxx> > Acked-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx> > Cc: Andy Lutomirski <luto@xxxxxxxxxx> > Cc: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> > Cc: "H. Peter Anvin" <hpa@xxxxxxxxx> > Cc: "Jason A. Donenfeld" <Jason@xxxxxxxxx> > Cc: kvm ML <kvm@xxxxxxxxxxxxxxx> > Cc: Paolo Bonzini <pbonzini@xxxxxxxxxx> > Cc: Radim Krčmář <rkrcmar@xxxxxxxxxx> > Cc: Rik van Riel <riel@xxxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > Cc: x86-ml <x86@xxxxxxxxxx> > Link: http://lkml.kernel.org/r/20181120102635.ddv3fvavxajjlfqk@xxxxxxxxxxxxx > Link: https://lkml.kernel.org/r/20160226074940.GA28911@xxxxxxx > Signed-off-by: Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> > --- > arch/x86/kernel/fpu/signal.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) What is the git commit id of this patch upstream? thanks, greg k-h
