Date: Mon, 12 Nov 2018 07:56:43 -0800
From: Sebastian Andrzej Siewior
To: Borislav Petkov, x86@kernel.org
Cc: Ingo Molnar, linux-kernel@vger.kernel.org, Andy Lutomirski, Paolo Bonzini, Radim Krčmář, kvm@vger.kernel.org, "Jason A. Donenfeld", Rik van Riel, Dave Hansen
Subject: [PATCH] x86/fpu: Disable BH while loading FPU registers in __fpu__restore_sig()
Message-ID: <20181112155643.vclej44qzg3pmbow@linutronix.de>
In-Reply-To: <20181109232521.l2ll2n3coxygkxv4@linutronix.de>
References: <20181107194858.9380-1-bigeasy@linutronix.de> <20181107194858.9380-3-bigeasy@linutronix.de> <20181108145721.GC7543@zn.tnic> <20181109173521.2m6iijp5wkncgi77@linutronix.de> <20181109185202.GF21243@zn.tnic> <20181109232521.l2ll2n3coxygkxv4@linutronix.de>

The sequence

    fpu->initialized = 1;
    preempt_disable();
    fpu__restore(fpu);
    preempt_enable();

is racy in regard to a context switch. A context switch after the first line would save the `actual' content of the FPU registers and trash away the state that has been prepared (since fpu__drop()).

Use local_bh_disable() around the restore sequence to avoid the race. BH needs to be disabled because BH is allowed to run (even with preemption disabled) and might invoke kernel_fpu_begin().

This possible race has been reported by the Kernel Test Robot in FEB 2016 while there still was lazy FPU support.

Link: https://lkml.kernel.org/r/20160226074940.GA28911@pd.tnic
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior
---
 arch/x86/kernel/fpu/signal.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index 61a949d84dfa5..d99a8ee9e185e 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -344,10 +344,10 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size) sanitize_restored_xstate(tsk, &env, xfeatures, fx_only); } + local_bh_disable(); fpu->initialized = 1; - preempt_disable(); fpu__restore(fpu); - preempt_enable(); + local_bh_enable(); return err; } else { -- 2.19.1
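Review bot: the reason for replacing preempt_disable()/preempt_enable() with local_bh_disable()/local_bh_enable() lives only in the changelog (a softirq can run with preemption disabled and call kernel_fpu_begin(), clobbering the state prepared since fpu__drop()); add a short comment above `+ local_bh_disable();` stating that, so a later reader of __fpu__restore_sig() does not "simplify" it back to preempt_disable(). Moving `fpu->initialized = 1;` inside the protected region is the right ordering, since that is the line after which a context switch would save the live registers over the prepared state; the hunk is otherwise a straight swap of the two calls around `fpu__restore(fpu);`.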