From: Sasha Levin Date: Fri, 24 Jul 2020 18:12:22 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.14.190~36 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7cdebe383cf19af3e3c637da9cd61846874ff3c7;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/series b/queue-4.4/series index 4495f0c79bc..6cededea3fc 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -8,3 +8,4 @@ net-sky2-initialize-return-of-gm_phy_read.patch drm-nouveau-i2c-g94-increase-nv_pmgr_dp_auxctl_trans.patch sunrpc-reverting-d03727b248d0-nfsv4-fix-close-not-waiting-for-direct-io-compeletion.patch perf-core-fix-locking-for-children-siblings-group-read.patch +x86-fpu-disable-bottom-halves-while-loading-fpu-regi.patch diff --git a/queue-4.4/x86-fpu-disable-bottom-halves-while-loading-fpu-regi.patch b/queue-4.4/x86-fpu-disable-bottom-halves-while-loading-fpu-regi.patch new file mode 100644 index 00000000000..cc1b60cd1d8 --- /dev/null +++ b/queue-4.4/x86-fpu-disable-bottom-halves-while-loading-fpu-regi.patch 
@@ -0,0 +1,88 @@ +From ee3574385545733fc5d70ed04b4068e7fd50d3b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Nov 2018 11:26:35 +0100 +Subject: x86/fpu: Disable bottom halves while loading FPU registers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sebastian Andrzej Siewior + +[ Upstream commit 68239654acafe6aad5a3c1dc7237e60accfebc03 ] + +The sequence + + fpu->initialized = 1; /* step A */ + preempt_disable(); /* step B */ + fpu__restore(fpu); + preempt_enable(); + +in __fpu__restore_sig() is racy in regard to a context switch. + +For 32bit frames, __fpu__restore_sig() prepares the FPU state within +fpu->state. To ensure that a context switch (switch_fpu_prepare() in +particular) does not modify fpu->state it uses fpu__drop() which sets +fpu->initialized to 0. + +After fpu->initialized is cleared, the CPU's FPU state is not saved +to fpu->state during a context switch. The new state is loaded via +fpu__restore(). It gets loaded into fpu->state from userland and +ensured it is sane. fpu->initialized is then set to 1 in order to avoid +fpu__initialize() doing anything (overwrite the new state) which is part +of fpu__restore(). + +A context switch between step A and B above would save CPU's current FPU +registers to fpu->state and overwrite the newly prepared state. This +looks like a tiny race window but the Kernel Test Robot reported this +back in 2016 while we had lazy FPU support. Borislav Petkov made the +link between that report and another patch that has been posted. Since +the removal of the lazy FPU support, this race goes unnoticed because +the warning has been removed. + +Disable bottom halves around the restore sequence to avoid the race. BH +need to be disabled because BH is allowed to run (even with preemption +disabled) and might invoke kernel_fpu_begin() by doing IPsec. + + [ bp: massage commit message a bit. 
] + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Borislav Petkov +Acked-by: Ingo Molnar +Acked-by: Thomas Gleixner +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: "H. Peter Anvin" +Cc: "Jason A. Donenfeld" +Cc: kvm ML +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Rik van Riel +Cc: stable@vger.kernel.org +Cc: x86-ml +Link: http://lkml.kernel.org/r/20181120102635.ddv3fvavxajjlfqk@linutronix.de +Link: https://lkml.kernel.org/r/20160226074940.GA28911@pd.tnic +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/fpu/signal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c +index 31fad2cbd734b..8fc842dae3b39 100644 +--- a/arch/x86/kernel/fpu/signal.c ++++ b/arch/x86/kernel/fpu/signal.c +@@ -317,10 +317,10 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) + sanitize_restored_xstate(tsk, &env, xfeatures, fx_only); + } + ++ local_bh_disable(); + fpu->fpstate_active = 1; +- preempt_disable(); + fpu__restore(fpu); +- preempt_enable(); ++ local_bh_enable(); + + return err; + } else { +-- +2.25.1 +
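Review bot: the commit message argues the race in terms of `fpu->initialized`, but the 4.4 hunk sets `fpu->fpstate_active = 1`, so the backport should carry a short bracketed note after the "[ Upstream commit 68239654acafe6aad5a3c1dc7237e60accfebc03 ]" line saying that `fpu->initialized` is `fpu->fpstate_active` in this tree; without it a reader checking the message against the hunk cannot tell whether the right field was touched. While adding that note, it is worth confirming that the context-switch save path the message names (switch_fpu_prepare()) in 4.4 is gated on this same field, since the described window ("step A" before fpu__restore()) only exists if it is. The code change itself is sound as written: `local_bh_disable()` also disables preemption, so swapping `preempt_disable()`/`preempt_enable()` for `local_bh_disable()`/`local_bh_enable()` widens the critical section rather than weakening it, and moving the start of the section above `fpu->fpstate_active = 1;` covers the assignment the message identifies as the racy step, so no separate `preempt_disable()` is needed. Nothing in the hunk changes the `return err;` that follows, so the error path is unaffected.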