x86/fpu: Refine and simplify the magic number check during signal return

Before restoring xstate from the user space buffer, the kernel performs
sanity checks on these magic numbers: magic1 in the software reserved
area, and magic2 at the end of XSAVE region.

The position of magic2 is calculated based on the xstate size derived
from the user space buffer. But, the in-kernel record is directly
available and reliable for this purpose.

This reliance on user space data is also inconsistent with the recent
fix in:

  d877550eaf2d ("x86/fpu: Stop relying on userspace for info to fault in xsave buffer")

Simply use fpstate->user_size, and then get rid of unnecessary
size-evaluation code.

Signed-off-by: Chang S. Bae <chang.seok.bae@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lore.kernel.org/r/20241211014500.3738-1-chang.seok.bae@intel.com

diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index 8f62e0666dea51c949a7b32085b20227df04700d..6c69cb28b2983bc02faf7f647c010277f5fec4ba 100644 (file)
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -27,19 +27,14 @@
 static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf,
                                            struct _fpx_sw_bytes *fx_sw)
 {
-       int min_xstate_size = sizeof(struct fxregs_state) +
-                             sizeof(struct xstate_header);
        void __user *fpstate = fxbuf;
        unsigned int magic2;
 
        if (__copy_from_user(fx_sw, &fxbuf->sw_reserved[0], sizeof(*fx_sw)))
                return false;
 
-       /* Check for the first magic field and other error scenarios. */
-       if (fx_sw->magic1 != FP_XSTATE_MAGIC1 ||
-           fx_sw->xstate_size < min_xstate_size ||
-           fx_sw->xstate_size > current->thread.fpu.fpstate->user_size ||
-           fx_sw->xstate_size > fx_sw->extended_size)
+       /* Check for the first magic field */
+       if (fx_sw->magic1 != FP_XSTATE_MAGIC1)
                goto setfx;
 
        /*
@@ -48,7 +43,7 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf,
         * fpstate layout with out copying the extended state information
         * in the memory layout.
         */
-       if (__get_user(magic2, (__u32 __user *)(fpstate + fx_sw->xstate_size)))
+       if (__get_user(magic2, (__u32 __user *)(fpstate + current->thread.fpu.fpstate->user_size)))
                return false;
 
        if (likely(magic2 == FP_XSTATE_MAGIC2))