From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sebastian Andrzej Siewior, Borislav Petkov, Rik van Riel, Aubrey Li, Austin Clements, Barret Rhoden, Dave Hansen, David Chase, "H. Peter Anvin", ian@airs.com, Ingo Molnar, Josh Bleecher Snyder, Thomas Gleixner, x86-ml
Subject: [PATCH 5.4 15/46] x86/fpu: Don't cache access to fpu_fpregs_owner_ctx
Date: Tue, 3 Dec 2019 23:35:35 +0100
Message-Id: <20191203212732.978208719@linuxfoundation.org>
In-Reply-To: <20191203212705.175425505@linuxfoundation.org>
References: <20191203212705.175425505@linuxfoundation.org>
From: Sebastian Andrzej Siewior

commit 59c4bd853abcea95eccc167a7d7fd5f1a5f47b98 upstream.

The state/owner of the FPU is saved to fpu_fpregs_owner_ctx by pointing
to the context that is currently loaded. It never changed during the
lifetime of a task - it remained stable/constant.

After deferred FPU registers loading until return to userland was
implemented, the content of fpu_fpregs_owner_ctx may change during
preemption and must not be cached.

This went unnoticed for some time and was now noticed, in particular
since gcc 9 is caching that load in copy_fpstate_to_sigframe() and
reusing it in the retry loop:

  copy_fpstate_to_sigframe()
    load fpu_fpregs_owner_ctx and save on stack
    fpregs_lock()
    copy_fpregs_to_sigframe() /* failed */
    fpregs_unlock()
         *** PREEMPTION, another uses FPU, changes fpu_fpregs_owner_ctx ***

    fault_in_pages_writeable() /* succeed, retry */
    fpregs_lock()
      __fpregs_load_activate()
        fpregs_state_valid() /* uses fpu_fpregs_owner_ctx from stack */
    copy_fpregs_to_sigframe() /* succeeds, random FPU content */

This is a comparison of the assembly produced by gcc 9, without vs with
this patch:

| # arch/x86/kernel/fpu/signal.c:173:      if (!access_ok(buf, size))
|        cmpq    %rdx, %rax      # tmp183, _4
|        jb      .L190   #,
|-# arch/x86/include/asm/fpu/internal.h:512:       return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|-#APP
|-# 512 "arch/x86/include/asm/fpu/internal.h" 1
|-       movq %gs:fpu_fpregs_owner_ctx,%rax      #, pfo_ret__
|-# 0 "" 2
|-#NO_APP
|-       movq    %rax, -88(%rbp) # pfo_ret__, %sfp
…
|-# arch/x86/include/asm/fpu/internal.h:512:       return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|-       movq    -88(%rbp), %rcx # %sfp, pfo_ret__
|-       cmpq    %rcx, -64(%rbp) # pfo_ret__, %sfp
|+# arch/x86/include/asm/fpu/internal.h:512:       return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|+#APP
|+# 512 "arch/x86/include/asm/fpu/internal.h" 1
|+       movq %gs:fpu_fpregs_owner_ctx(%rip),%rax        # fpu_fpregs_owner_ctx, pfo_ret__
|+# 0 "" 2
|+# arch/x86/include/asm/fpu/internal.h:512:       return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
|+#NO_APP
|+       cmpq    %rax, -64(%rbp) # pfo_ret__, %sfp

Use this_cpu_read() instead of this_cpu_read_stable() to avoid caching of
fpu_fpregs_owner_ctx during preemption points.

The Fixes: tag points to the commit where deferred FPU loading was
added. Since this commit, the compiler is no longer allowed to move the
load of fpu_fpregs_owner_ctx somewhere else / outside of the locked
section. A task preemption will change its value and stale content will
be observed.

 [ bp: Massage. ]

Debugged-by: Austin Clements
Debugged-by: David Chase
Debugged-by: Ian Lance Taylor
Fixes: 5f409e20b7945 ("x86/fpu: Defer FPU state load until return to userspace")
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Borislav Petkov
Reviewed-by: Rik van Riel
Tested-by: Borislav Petkov
Cc: Aubrey Li
Cc: Austin Clements
Cc: Barret Rhoden
Cc: Dave Hansen
Cc: David Chase
Cc: "H. Peter Anvin"
Cc: ian@airs.com
Cc: Ingo Molnar
Cc: Josh Bleecher Snyder
Cc: Thomas Gleixner
Cc: x86-ml
Link: https://lkml.kernel.org/r/20191128085306.hxfa2o3knqtu4wfn@linutronix.de
Link: https://bugzilla.kernel.org/show_bug.cgi?id=205663
Signed-off-by: Greg Kroah-Hartman

---
 arch/x86/include/asm/fpu/internal.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/include/asm/fpu/internal.h
+++ b/arch/x86/include/asm/fpu/internal.h
@@ -509,7 +509,7 @@ static inline void __fpu_invalidate_fpre
 
 static inline int fpregs_state_valid(struct fpu *fpu, unsigned int cpu)
 {
-	return fpu == this_cpu_read_stable(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
+	return fpu == this_cpu_read(fpu_fpregs_owner_ctx) && cpu == fpu->last_cpu;
 }
 
 /*
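Review bot: The reason fpregs_state_valid() must use this_cpu_read() rather than this_cpu_read_stable() lives only in the commit message; the changed line itself gives a later reader no hint that the "stable" variant is unsafe here, so a routine cleanup could reintroduce it and silently bring back the stale-owner read shown in the retry trace. Suggest a one-line comment above the return in this hunk, along the lines of "/* fpu_fpregs_owner_ctx changes on preemption: do not use this_cpu_read_stable() */", and a note that callers are expected to hold fpregs_lock() across the check and the following fpregs use, since the fix only keeps the load inside the locked section and does nothing for a caller that checks outside it.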