diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2012-02-16 12:15:04 -0500 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2012-02-29 19:34:23 -0500 |
| commit | c3cb6440304a2f9afd240bd860860d4a4955d409 (patch) | |
| tree | f40d5487916ed7e2ed874650e81764618be3b8b9 /arch/x86/kernel | |
| parent | 09ffc93a8a1e8cf06547d20f5a0ddfe880179fe0 (diff) | |
i387: fix x86-64 preemption-unsafe user stack save/restore
commit 15d8791cae75dca27bfda8ecfe87dca9379d6bb0 upstream.
Commit 5b1cbac37798 ("i387: make irq_fpu_usable() tests more robust")
added a sanity check to the #NM handler to verify that we never cause
the "Device Not Available" exception in kernel mode.
However, that check actually pinpointed a (fundamental) race where we do
cause that exception as part of the signal stack FPU state save/restore
code.
Because we use the floating point instructions themselves to save and
restore state directly from user mode, we cannot do that atomically with
testing the TS_USEDFPU bit: the user mode access itself may cause a page
fault, which causes a task switch, which saves and restores the FP/MMX
state from the kernel buffers.
This kind of "recursive" FP state save is fine per se, but it means that
when the signal stack save/restore gets restarted, it will now take the
'#NM' exception we originally tried to avoid. With preemption this can
happen even without the page fault - but because of the user access, we
cannot just disable preemption around the save/restore instruction.
There are various ways to solve this, including using the
"enable/disable_page_fault()" helpers to not allow page faults at all
during the sequence, and fall back to copying things by hand without the
use of the native FP state save/restore instructions.
However, the simplest thing to do is to just allow the #NM from kernel
space, but fix the race in setting and clearing CR0.TS that this all
exposed: the TS bit changes and the TS_USEDFPU bit absolutely have to be
atomic wrt scheduling, so while the actual state save/restore can be
interrupted and restarted, the act of actually clearing/setting CR0.TS
and the TS_USEDFPU bit together must not.
Instead of just adding random "preempt_disable/enable()" calls to what
is already excessively ugly code, this introduces some helper functions
that mostly mirror the "kernel_fpu_begin/end()" functionality, just for
the user state instead.
Those helper functions should probably eventually replace the other
ad-hoc CR0.TS and TS_USEDFPU tests too, but I'll need to think about it
some more: the task switching functionality in particular needs to
expose the difference between the 'prev' and 'next' threads, while the
new helper functions intentionally were written to only work with
'current'.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'arch/x86/kernel')
| -rw-r--r-- | arch/x86/kernel/traps.c | 1 | ||||
| -rw-r--r-- | arch/x86/kernel/xsave.c | 10 |
2 files changed, 3 insertions, 8 deletions
diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 15903de0111..5878de3fb08 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c | |||
| @@ -777,7 +777,6 @@ EXPORT_SYMBOL_GPL(math_state_restore); | |||
| 777 | dotraplinkage void __kprobes | 777 | dotraplinkage void __kprobes |
| 778 | do_device_not_available(struct pt_regs *regs, long error_code) | 778 | do_device_not_available(struct pt_regs *regs, long error_code) |
| 779 | { | 779 | { |
| 780 | WARN_ON_ONCE(!user_mode_vm(regs)); | ||
| 781 | #ifdef CONFIG_MATH_EMULATION | 780 | #ifdef CONFIG_MATH_EMULATION |
| 782 | if (read_cr0() & X86_CR0_EM) { | 781 | if (read_cr0() & X86_CR0_EM) { |
| 783 | struct math_emu_info info = { }; | 782 | struct math_emu_info info = { }; |
diff --git a/arch/x86/kernel/xsave.c b/arch/x86/kernel/xsave.c index a3911343976..86f1f09a738 100644 --- a/arch/x86/kernel/xsave.c +++ b/arch/x86/kernel/xsave.c | |||
| @@ -168,7 +168,7 @@ int save_i387_xstate(void __user *buf) | |||
| 168 | if (!used_math()) | 168 | if (!used_math()) |
| 169 | return 0; | 169 | return 0; |
| 170 | 170 | ||
| 171 | if (task_thread_info(tsk)->status & TS_USEDFPU) { | 171 | if (user_has_fpu()) { |
| 172 | if (use_xsave()) | 172 | if (use_xsave()) |
| 173 | err = xsave_user(buf); | 173 | err = xsave_user(buf); |
| 174 | else | 174 | else |
| @@ -176,8 +176,7 @@ int save_i387_xstate(void __user *buf) | |||
| 176 | 176 | ||
| 177 | if (err) | 177 | if (err) |
| 178 | return err; | 178 | return err; |
| 179 | task_thread_info(tsk)->status &= ~TS_USEDFPU; | 179 | user_fpu_end(); |
| 180 | stts(); | ||
| 181 | } else { | 180 | } else { |
| 182 | sanitize_i387_state(tsk); | 181 | sanitize_i387_state(tsk); |
| 183 | if (__copy_to_user(buf, &tsk->thread.fpu.state->fxsave, | 182 | if (__copy_to_user(buf, &tsk->thread.fpu.state->fxsave, |
| @@ -292,10 +291,7 @@ int restore_i387_xstate(void __user *buf) | |||
| 292 | return err; | 291 | return err; |
| 293 | } | 292 | } |
| 294 | 293 | ||
| 295 | if (!(task_thread_info(current)->status & TS_USEDFPU)) { | 294 | user_fpu_begin(); |
| 296 | clts(); | ||
| 297 | task_thread_info(current)->status |= TS_USEDFPU; | ||
| 298 | } | ||
| 299 | if (use_xsave()) | 295 | if (use_xsave()) |
| 300 | err = restore_user_xstate(buf); | 296 | err = restore_user_xstate(buf); |
| 301 | else | 297 | else |