From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Will Deacon", "Ard Biesheuvel", "Dave Martin"
Date: Wed, 28 Feb 2018 15:20:18 +0000
Subject: [PATCH 3.16 060/254] arm64: fpsimd: Prevent registers leaking from dead tasks

3.16.55-rc1 review patch. If anyone has any objections, please let me know.

------------------
From: Dave Martin

commit 071b6d4a5d343046f253a5a8835d477d93992002 upstream.

Currently, loading of a task's fpsimd state into the CPU registers is skipped if that task's state is already present in the registers of that CPU.

However, the code relies on the struct fpsimd_state * (and by extension struct task_struct *) to unambiguously identify a task.

There is a particular case in which this doesn't work reliably: when a task exits, its task_struct may be recycled to describe a new task.

Consider the following scenario:

1) Task P loads its fpsimd state onto cpu C.
   per_cpu(fpsimd_last_state, C) := P;
   P->thread.fpsimd_state.cpu := C;

2) Task X is scheduled onto C and loads its fpsimd state on C.
   per_cpu(fpsimd_last_state, C) := X;
   X->thread.fpsimd_state.cpu := C;

3) X exits, causing X's task_struct to be freed.

4) P forks a new child T, which obtains X's recycled task_struct.
   T == X.
   T->thread.fpsimd_state.cpu == C (inherited from P).

5) T is scheduled on C. T's fpsimd state is not loaded, because
   per_cpu(fpsimd_last_state, C) == T (== X) &&
   T->thread.fpsimd_state.cpu == C.
   (This is the check performed by fpsimd_thread_switch().)

So, T gets X's registers because the last registers loaded onto C were those of X, in (2).

This patch fixes the problem by ensuring that the sched-in check fails in (5): fpsimd_flush_task_state(T) is called when T is forked, so that T->thread.fpsimd_state.cpu == C cannot be true. This relies on the fact that T is not schedulable until after copy_thread() completes.

Once T's fpsimd state has been loaded on some CPU C there may still be other cpus D for which per_cpu(fpsimd_last_state, D) == &X->thread.fpsimd_state. But D is necessarily != C in this case, and the check in (5) must fail.

An alternative fix would be to do refcounting on task_struct. This would result in each CPU holding a reference to the last task whose fpsimd state was loaded there.
It's not clear whether this is preferable, and it involves higher overhead than the fix proposed in this patch. It would also move all the task_struct freeing work into the context switch critical section, or otherwise some deferred cleanup mechanism would need to be introduced, neither of which seems obviously justified. Fixes: 005f78cd8849 ("arm64: defer reloading a task's FPSIMD state to userland resume") Signed-off-by: Dave Martin Reviewed-by: Ard Biesheuvel [will: word-smithed the comment so it makes more sense] Signed-off-by: Will Deacon Signed-off-by: Ben Hutchings --- arch/arm64/kernel/process.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/arch/arm64/kernel/process.c +++ b/arch/arm64/kernel/process.c @@ -269,6 +269,15 @@ int copy_thread(unsigned long clone_flag memset(&p->thread.cpu_context, 0, sizeof(struct cpu_context)); + /* + * In case p was allocated the same task_struct pointer as some + * other recently-exited task, make sure p is disassociated from + * any cpu that may have run that now-exited task recently. + * Otherwise we could erroneously skip reloading the FPSIMD + * registers for p. + */ + fpsimd_flush_task_state(p); + if (likely(!(p->flags & PF_KTHREAD))) { *childregs = *current_pt_regs(); childregs->regs[0] = 0;
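Review bot: placing `fpsimd_flush_task_state(p)` ahead of the `if (likely(!(p->flags & PF_KTHREAD)))` branch makes the flush unconditional, which is the right choice here: the hazard comes from the recycled task_struct pointer itself, not from anything the user-thread branch sets up, so keeping it outside that branch leaves no path through which a child keeps an inherited `fpsimd_state.cpu`. The new comment explains the recycled-pointer hazard but not the ordering the fix depends on, namely that this call must run before p can be scheduled (the description states it as "T is not schedulable until after copy_thread() completes"); consider adding one line to the comment, e.g. `* This must happen before p becomes schedulable.`, so that anyone later reordering copy_thread() sees the invariant without reading the commit log.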
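The five-step scenario in the description is easy to misread as a race, when it is really an identity check defeated by allocator reuse. The following is an added toy model, written for this note and not kernel code: it reproduces per_cpu(fpsimd_last_state), the task's fpsimd_state.cpu field, a two-slot "slab" that hands a freed task_struct straight back out, and the sched-in check, then runs steps (1) to (5) with and without the flush in copy_thread(). Function names mirror the kernel's for readability only; the register values 0x50 and 0x58 and the pool size are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (added for this note, not kernel code) of the fpsimd
 * ownership check described in the commit message. */
#define NR_CPUS 4
#define NR_TASKS 4

struct fpsimd_state {
    unsigned int cpu;   /* CPU that last loaded this state; NR_CPUS = none */
    int regs;           /* stand-in for the saved vector registers */
};

struct task_struct {
    bool in_use;
    struct fpsimd_state fpsimd_state;
};

/* Stand-in for per_cpu(fpsimd_last_state, cpu). */
static struct fpsimd_state *fpsimd_last_state[NR_CPUS];
/* What each CPU's registers physically hold in this model. */
static int cpu_regs[NR_CPUS];
/* Tiny slab: a freed slot is handed out again by the next allocation,
 * which is the task_struct recycling the description relies on. */
static struct task_struct task_pool[NR_TASKS];

static void reset_model(void)
{
    memset(fpsimd_last_state, 0, sizeof(fpsimd_last_state));
    memset(cpu_regs, 0, sizeof(cpu_regs));
    memset(task_pool, 0, sizeof(task_pool));
}

static struct task_struct *task_alloc(void)
{
    for (int i = 0; i < NR_TASKS; i++) {
        if (!task_pool[i].in_use) {
            task_pool[i].in_use = true;
            task_pool[i].fpsimd_state.cpu = NR_CPUS;
            return &task_pool[i];
        }
    }
    return NULL;
}

static void task_free(struct task_struct *t)
{
    t->in_use = false;   /* contents are left behind, as with a real slab */
}

/* Model of fpsimd_flush_task_state(): forget which CPU holds this state. */
static void fpsimd_flush_task_state(struct task_struct *t)
{
    t->fpsimd_state.cpu = NR_CPUS;
}

/* Model of the sched-in check in fpsimd_thread_switch(): the reload is
 * skipped only if this CPU's last-loaded pointer is this task AND the task
 * records this CPU as its last one. Returns true when a reload happened. */
static bool fpsimd_thread_switch(struct task_struct *next, unsigned int cpu)
{
    bool wrong_task = fpsimd_last_state[cpu] != &next->fpsimd_state;
    bool wrong_cpu = next->fpsimd_state.cpu != cpu;

    if (!wrong_task && !wrong_cpu)
        return false;            /* state believed to be live already */
    cpu_regs[cpu] = next->fpsimd_state.regs;
    fpsimd_last_state[cpu] = &next->fpsimd_state;
    next->fpsimd_state.cpu = cpu;
    return true;
}

/* Model of copy_thread(): the child inherits the parent's thread state,
 * including fpsimd_state.cpu; with the fix it is then disassociated. */
static struct task_struct *copy_thread(struct task_struct *parent, bool with_fix)
{
    struct task_struct *p = task_alloc();
    p->fpsimd_state = parent->fpsimd_state;
    if (with_fix)
        fpsimd_flush_task_state(p);
    return p;
}

struct outcome {
    bool t_reused_x;   /* step 4: did T get X's task_struct? */
    bool t_reloaded;   /* step 5: were T's registers loaded? */
    int regs_seen;     /* what T finds in the CPU registers */
};

/* Steps (1) to (5) of the description on CPU C. */
static struct outcome run_scenario(bool with_fix)
{
    const unsigned int C = 1;
    struct outcome o;

    reset_model();
    struct task_struct *P = task_alloc();
    struct task_struct *X = task_alloc();
    P->fpsimd_state.regs = 0x50;                      /* constructed: 'P' */
    X->fpsimd_state.regs = 0x58;                      /* constructed: 'X' */

    fpsimd_thread_switch(P, C);                       /* (1) */
    fpsimd_thread_switch(X, C);                       /* (2) */
    task_free(X);                                     /* (3) */
    struct task_struct *T = copy_thread(P, with_fix); /* (4) */
    o.t_reused_x = (T == X);
    o.t_reloaded = fpsimd_thread_switch(T, C);        /* (5) */
    o.regs_seen = cpu_regs[C];                        /* T's copy of P is 0x50 */
    return o;
}

int main(void)
{
    struct outcome bug = run_scenario(false), fix = run_scenario(true);
    printf("without fix: reloaded=%d regs=0x%x (leak if 0x58)\n", bug.t_reloaded, bug.regs_seen);
    printf("with fix:    reloaded=%d regs=0x%x\n", fix.t_reloaded, fix.regs_seen);
    return 0;
}
```

Without the flush, step (5) finds both halves of the check satisfied through the recycled pointer and leaves X's 0x58 in the registers for T; with the flush, `wrong_cpu` is true, the reload runs, and T sees its inherited copy of P's state. Note that `wrong_task` alone can never catch this case, which is why the fix targets the `cpu` field rather than the pointer comparison.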