Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a84eeaa9 authored by Dave Hansen's avatar Dave Hansen Committed by Ingo Molnar
Browse files

x86/mpx: Use the new get_xsave_field_ptr()API 



The MPX registers (bndcsr/bndcfgu/bndstatus) are not directly
accessible via normal instructions.  They essentially act as
if they were floating point registers and are saved/restored
along with those registers.

There are two main paths in the MPX code where we care about
the contents of these registers:

	1. #BR (bounds) faults
	2. the prctl() code where we are setting MPX up

Both of those paths _might_ be called without the FPU having
been used.  That means that 'tsk->thread.fpu.state' might
never be allocated.

Also, fpu_save_init() is not preempt-safe.  It was a bug to
call it without disabling preemption.  The new
get_xsave_addr() calls unlazy_fpu() instead and properly
disables preemption.

Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave@sr71.net>
Cc: Fenghua Yu <fenghua.yu@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Suresh Siddha <sbsiddha@gmail.com>
Cc: bp@alien8.de
Link: http://lkml.kernel.org/r/20150607183701.BC0D37CF@viggo.jf.intel.com


Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parent 04cd027b

arch/x86/include/asm/mpx.h

+4 −4
Original line number Diff line number Diff line
@@ -60,8 +60,8 @@ 


#ifdef CONFIG_X86_INTEL_MPX

siginfo_t *mpx_generate_siginfo(struct pt_regs *regs,

				struct xregs_state *xsave_buf);

int mpx_handle_bd_fault(struct xregs_state *xsave_buf);

				struct task_struct *tsk);

int mpx_handle_bd_fault(struct task_struct *tsk);

static inline int kernel_managing_mpx_tables(struct mm_struct *mm)

{

	return (mm->bd_addr != MPX_INVALID_BOUNDS_DIR);
@@ -78,11 +78,11 @@ void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma, 
		      unsigned long start, unsigned long end);

#else

static inline siginfo_t *mpx_generate_siginfo(struct pt_regs *regs,

					      struct xregs_state *xsave_buf)

					      struct task_struct *tsk)

{

	return NULL;

}

static inline int mpx_handle_bd_fault(struct xregs_state *xsave_buf)

static inline int mpx_handle_bd_fault(struct task_struct *tsk)

{

	return -EINVAL;

}

arch/x86/kernel/traps.c

+8 −9
Original line number Diff line number Diff line
@@ -59,6 +59,7 @@ 
#include <asm/fixmap.h>

#include <asm/mach_traps.h>

#include <asm/alternative.h>

#include <asm/fpu/xstate.h>

#include <asm/mpx.h>



#ifdef CONFIG_X86_64
@@ -371,9 +372,8 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) 
dotraplinkage void do_bounds(struct pt_regs *regs, long error_code)

{

	struct task_struct *tsk = current;

	struct xregs_state *xsave_buf;

	enum ctx_state prev_state;

	struct bndcsr *bndcsr;

	const struct bndcsr *bndcsr;

	siginfo_t *info;



	prev_state = exception_enter();
@@ -392,12 +392,11 @@ dotraplinkage void do_bounds(struct pt_regs *regs, long error_code) 


	/*

	 * We need to look at BNDSTATUS to resolve this exception.

	 * It is not directly accessible, though, so we need to

	 * do an xsave and then pull it out of the xsave buffer.

	 * A NULL here might mean that it is in its 'init state',

	 * which is all zeros which indicates MPX was not

	 * responsible for the exception.

	 */

	copy_fpregs_to_fpstate(&tsk->thread.fpu);

	xsave_buf = &(tsk->thread.fpu.state.xsave);

	bndcsr = get_xsave_addr(xsave_buf, XSTATE_BNDCSR);

	bndcsr = get_xsave_field_ptr(XSTATE_BNDCSR);

	if (!bndcsr)

		goto exit_trap;
@@ -408,11 +407,11 @@ dotraplinkage void do_bounds(struct pt_regs *regs, long error_code) 
	 */

	switch (bndcsr->bndstatus & MPX_BNDSTA_ERROR_CODE) {

	case 2:	/* Bound directory has invalid entry. */

		if (mpx_handle_bd_fault(xsave_buf))

		if (mpx_handle_bd_fault(tsk))

			goto exit_trap;

		break; /* Success, it was handled */

	case 1: /* Bound violation. */

		info = mpx_generate_siginfo(regs, xsave_buf);

		info = mpx_generate_siginfo(regs, tsk);

		if (IS_ERR(info)) {

			/*

			 * We failed to decode the MPX instruction.  Act as if

arch/x86/mm/mpx.c

+15 −15
Original line number Diff line number Diff line
@@ -272,9 +272,9 @@ static int mpx_insn_decode(struct insn *insn, 
 * The caller is expected to kfree() the returned siginfo_t.

 */

siginfo_t *mpx_generate_siginfo(struct pt_regs *regs,

				struct xregs_state *xsave_buf)

				struct task_struct *tsk)

{

	struct bndreg *bndregs, *bndreg;

	const struct bndreg *bndregs, *bndreg;

	siginfo_t *info = NULL;

	struct insn insn;

	uint8_t bndregno;
@@ -294,8 +294,8 @@ siginfo_t *mpx_generate_siginfo(struct pt_regs *regs, 
		err = -EINVAL;

		goto err_out;

	}

	/* get the bndregs _area_ of the xsave structure */

	bndregs = get_xsave_addr(xsave_buf, XSTATE_BNDREGS);

	/* get bndregs field from current task's xsave area */

	bndregs = get_xsave_field_ptr(XSTATE_BNDREGS);

	if (!bndregs) {

		err = -EINVAL;

		goto err_out;
@@ -342,7 +342,7 @@ siginfo_t *mpx_generate_siginfo(struct pt_regs *regs, 


static __user void *task_get_bounds_dir(struct task_struct *tsk)

{

	struct bndcsr *bndcsr;

	const struct bndcsr *bndcsr;



	if (!cpu_feature_enabled(X86_FEATURE_MPX))

		return MPX_INVALID_BOUNDS_DIR;
@@ -357,8 +357,7 @@ static __user void *task_get_bounds_dir(struct task_struct *tsk) 
	 * The bounds directory pointer is stored in a register

	 * only accessible if we first do an xsave.

	 */

	copy_fpregs_to_fpstate(&tsk->thread.fpu);

	bndcsr = get_xsave_addr(&tsk->thread.fpu.state.xsave, XSTATE_BNDCSR);

	bndcsr = get_xsave_field_ptr(XSTATE_BNDCSR);

	if (!bndcsr)

		return MPX_INVALID_BOUNDS_DIR;
@@ -389,9 +388,10 @@ int mpx_enable_management(struct task_struct *tsk) 
	 * directory into XSAVE/XRSTOR Save Area and enable MPX through

	 * XRSTOR instruction.

	 *

	 * copy_xregs_to_kernel() is expected to be very expensive. Storing the bounds

	 * directory here means that we do not have to do xsave in the unmap

	 * path; we can just use mm->bd_addr instead.

	 * The copy_xregs_to_kernel() beneath get_xsave_field_ptr() is

	 * expected to be relatively expensive. Storing the bounds

	 * directory here means that we do not have to do xsave in the

	 * unmap path; we can just use mm->bd_addr instead.

	 */

	bd_base = task_get_bounds_dir(tsk);

	down_write(&mm->mmap_sem);
@@ -497,12 +497,12 @@ static int allocate_bt(long __user *bd_entry) 
 * bound table is 16KB. With 64-bit mode, the size of BD is 2GB,

 * and the size of each bound table is 4MB.

 */

static int do_mpx_bt_fault(struct xregs_state *xsave_buf)

static int do_mpx_bt_fault(struct task_struct *tsk)

{

	unsigned long bd_entry, bd_base;

	struct bndcsr *bndcsr;

	const struct bndcsr *bndcsr;



	bndcsr = get_xsave_addr(xsave_buf, XSTATE_BNDCSR);

	bndcsr = get_xsave_field_ptr(XSTATE_BNDCSR);

	if (!bndcsr)

		return -EINVAL;

	/*
@@ -525,7 +525,7 @@ static int do_mpx_bt_fault(struct xregs_state *xsave_buf) 
	return allocate_bt((long __user *)bd_entry);

}



int mpx_handle_bd_fault(struct xregs_state *xsave_buf)

int mpx_handle_bd_fault(struct task_struct *tsk)

{

	/*

	 * Userspace never asked us to manage the bounds tables,
@@ -534,7 +534,7 @@ int mpx_handle_bd_fault(struct xregs_state *xsave_buf) 
	if (!kernel_managing_mpx_tables(current->mm))

		return -EINVAL;



	if (do_mpx_bt_fault(xsave_buf)) {

	if (do_mpx_bt_fault(tsk)) {

		force_sig(SIGSEGV, current);

		/*

		 * The force_sig() is essentially "handling" this