On Fri, Dec 21, 2018 at 05:23:38PM +0100, Sebastian Andrzej Siewior wrote:
> The sequence
> 
>   fpu->initialized = 1;		/* step A */
>   preempt_disable();		/* step B */
>   fpu__restore(fpu);
>   preempt_enable();
> 
> in __fpu__restore_sig() is racy in regard to a context switch.
> 
> For 32bit frames, __fpu__restore_sig() prepares the FPU state within
> fpu->state. To ensure that a context switch (switch_fpu_prepare() in
> particular) does not modify fpu->state it uses fpu__drop() which sets
> fpu->initialized to 0.
> 
> After fpu->initialized is cleared, the CPU's FPU state is not saved
> to fpu->state during a context switch. The new state is loaded via
> fpu__restore(). It gets loaded into fpu->state from userland and
> ensured it is sane. fpu->initialized is then set to 1 in order to avoid
> fpu__initialize() doing anything (overwrite the new state) which is part
> of fpu__restore().
> 
> A context switch between step A and B above would save CPU's current FPU
> registers to fpu->state and overwrite the newly prepared state. This
> looks like a tiny race window but the Kernel Test Robot reported this
> back in 2016 while we had lazy FPU support. Borislav Petkov made the
> link between that report and another patch that has been posted. Since
> the removal of the lazy FPU support, this race goes unnoticed because
> the warning has been removed.
> 
> Disable bottom halves around the restore sequence to avoid the race. BH
> need to be disabled because BH is allowed to run (even with preemption
> disabled) and might invoke kernel_fpu_begin() by doing IPsec.
> 
>  [ bp: massage commit message a bit. ]
> 
> Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
> Signed-off-by: Borislav Petkov <[email protected]>
> Acked-by: Ingo Molnar <[email protected]>
> Acked-by: Thomas Gleixner <[email protected]>
> Cc: Andy Lutomirski <[email protected]>
> Cc: Dave Hansen <[email protected]>
> Cc: "H. Peter Anvin" <[email protected]>
> Cc: "Jason A. Donenfeld" <[email protected]>
> Cc: kvm ML <[email protected]>
> Cc: Paolo Bonzini <[email protected]>
> Cc: Radim Krčmář <[email protected]>
> Cc: Rik van Riel <[email protected]>
> Cc: [email protected]
> Cc: x86-ml <[email protected]>
> Link: http://lkml.kernel.org/r/[email protected]
> Link: https://lkml.kernel.org/r/[email protected]
> Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
> ---
>  arch/x86/kernel/fpu/signal.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
What is the git commit id of this patch upstream?

thanks,

greg k-h
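The race described in the quoted commit message is easier to see with the ordering made explicit. The following user-space C model is an added illustration, not kernel code and not part of the patch: `fpu_model`, `cpu_fpu_regs`, `preempt_count`, `bh_count`, the `model_*` helpers and `inject()` are all stand-ins for the kernel objects the message names (fpu->initialized, fpu->state, switch_fpu_prepare(), kernel_fpu_begin(), fpu__restore()), with fpu->state reduced to one word. `restore_sig_racy()` reproduces the original step A / step B ordering with preempt_disable(); `restore_sig_fixed()` reproduces the ordering the message describes as the fix, with bottom halves disabled before fpu->initialized is set. Both functions deliver an optional event (a context switch, or a softirq that uses the FPU) at the points where it could fire, and return the register contents the task ends up with.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the kernel objects named in the commit message. Added here for
 * illustration only; this is not kernel code. fpu->state is one word. */
struct fpu_model {
    bool initialized;        /* models fpu->initialized */
    unsigned int state;      /* models fpu->state */
};

static unsigned int cpu_fpu_regs;   /* the live CPU FPU registers */
static int preempt_count;           /* > 0 while preemption is disabled */
static int bh_count;                /* > 0 while bottom halves are disabled */

/* Events that may interrupt the restore sequence. */
enum event { EV_NONE, EV_CONTEXT_SWITCH, EV_SOFTIRQ_KERNEL_FPU };

/* Models switch_fpu_prepare(): on a context switch the live registers are
 * saved into fpu->state, but only when fpu->initialized is set. */
static void model_switch_fpu_prepare(struct fpu_model *fpu)
{
    if (fpu->initialized)
        fpu->state = cpu_fpu_regs;
}

/* Models kernel_fpu_begin() called from a bottom half (the IPsec case the
 * commit message mentions): the task's registers are saved the same way
 * before the kernel uses the FPU, so the effect on fpu->state is identical. */
static void model_kernel_fpu_begin(struct fpu_model *fpu)
{
    if (fpu->initialized)
        fpu->state = cpu_fpu_regs;
}

/* Deliver an event, honouring the gates: a context switch needs preemption
 * enabled; a softirq only needs bottom halves enabled, so preempt_disable()
 * alone does not keep it out. */
static void inject(struct fpu_model *fpu, enum event ev)
{
    if (ev == EV_CONTEXT_SWITCH && preempt_count == 0)
        model_switch_fpu_prepare(fpu);
    else if (ev == EV_SOFTIRQ_KERNEL_FPU && bh_count == 0)
        model_kernel_fpu_begin(fpu);
}

/* Models fpu__restore(): load fpu->state into the live registers. */
static void model_fpu_restore(struct fpu_model *fpu)
{
    cpu_fpu_regs = fpu->state;
}

/* The sequence quoted in the commit message: step A (fpu->initialized = 1)
 * happens before step B (preempt_disable()). `ev` is offered once in the
 * A/B window and once inside the critical section. Returns the register
 * value the task runs with afterwards; the correct answer is `new_state`. */
static unsigned int restore_sig_racy(unsigned int new_state,
                                     unsigned int stale_regs, enum event ev)
{
    struct fpu_model fpu = { .initialized = false, .state = new_state };
    cpu_fpu_regs = stale_regs;      /* registers still hold the old context */

    fpu.initialized = true;         /* step A */
    inject(&fpu, ev);               /* window between A and B */
    preempt_count++;                /* step B: preempt_disable() */
    inject(&fpu, ev);               /* a BH may still run here */
    model_fpu_restore(&fpu);
    preempt_count--;                /* preempt_enable() */
    return cpu_fpu_regs;
}

/* The ordering the commit message describes as the fix: bottom halves (and
 * with them preemption) are disabled before fpu->initialized is set, so
 * nothing can save the stale registers over the freshly prepared state. */
static unsigned int restore_sig_fixed(unsigned int new_state,
                                      unsigned int stale_regs, enum event ev)
{
    struct fpu_model fpu = { .initialized = false, .state = new_state };
    cpu_fpu_regs = stale_regs;

    bh_count++; preempt_count++;    /* local_bh_disable() also disables preemption */
    fpu.initialized = true;
    inject(&fpu, ev);               /* neither event can run now */
    inject(&fpu, ev);
    model_fpu_restore(&fpu);
    preempt_count--; bh_count--;    /* local_bh_enable() */
    return cpu_fpu_regs;
}

int main(void)
{
    /* Constructed values: 0x1234 is the state prepared from the signal
     * frame, 0xdead is whatever the registers held before the restore. */
    printf("racy,  no event:         %#x\n", restore_sig_racy(0x1234, 0xdead, EV_NONE));
    printf("racy,  context switch:   %#x\n", restore_sig_racy(0x1234, 0xdead, EV_CONTEXT_SWITCH));
    printf("racy,  softirq FPU use:  %#x\n", restore_sig_racy(0x1234, 0xdead, EV_SOFTIRQ_KERNEL_FPU));
    printf("fixed, context switch:   %#x\n", restore_sig_fixed(0x1234, 0xdead, EV_CONTEXT_SWITCH));
    printf("fixed, softirq FPU use:  %#x\n", restore_sig_fixed(0x1234, 0xdead, EV_SOFTIRQ_KERNEL_FPU));
    return 0;
}
```

The two racy cases show why the fix is local_bh_disable() rather than simply moving preempt_disable() above step A: a context switch is only possible in the A/B window, but a bottom half calling kernel_fpu_begin() can run even inside the preempt-disabled section, and either one saves the stale registers over fpu->state once fpu->initialized is set.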

