• Thomas Gleixner's avatar
    x86/cpufeatures: Force disable X86_FEATURE_ENQCMD and remove update_pasid() · 9bfecd05
    Thomas Gleixner authored
    While digesting the XSAVE-related horrors which got introduced with
    the supervisor/user split, the recent addition of ENQCMD-related
    functionality got on the radar and turned out to be similarly broken.
    
    update_pasid(), which is only required when X86_FEATURE_ENQCMD is
    available, is invoked from two places:
    
     1) From switch_to() for the incoming task
    
     2) Via a SMP function call from the IOMMU/SMV code
    
    #1 is half-ways correct as it hacks around the brokenness of get_xsave_addr()
       by enforcing the state to be 'present', but all the conditionals in that
       code are completely pointless for that.
    
       Also the invocation is just useless overhead because at that point
       it's guaranteed that TIF_NEED_FPU_LOAD is set on the incoming task
       and all of this can be handled at return to user space.
    
    #2 is broken beyond repair. The comment in the code claims that it is safe
       to invoke this in an IPI, but that's just wishful thinking.
    
       FPU state of a running task is protected by fregs_lock() which is
       nothing else than a local_bh_disable(). As BH-disabled regions run
       usually with interrupts enabled the IPI can hit a code section which
       modifies FPU state and there is absolutely no guarantee that any of the
       assumptions which are made for the IPI case is true.
    
       Also the IPI is sent to all CPUs in mm_cpumask(mm), but the IPI is
       invoked with a NULL pointer argument, so it can hit a completely
       unrelated task and unconditionally force an update for nothing.
       Worse, it can hit a kernel thread which operates on a user space
       address space and set a random PASID for it.
    
    The offending commit does not cleanly revert, but it's sufficient to
    force disable X86_FEATURE_ENQCMD and to remove the broken update_pasid()
    code to make this dysfunctional all over the place. Anything more
    complex would require more surgery and none of the related functions
    outside of the x86 core code are blatantly wrong, so removing those
    would be overkill.
    
    As nothing enables the PASID bit in the IA32_XSS MSR yet, which is
    required to make this actually work, this cannot result in a regression
    except for related out of tree train-wrecks, but they are broken already
    today.
    
    Fixes: 20f0afd1 ("x86/mmu: Allocate/free a PASID")
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
    Acked-by: default avatarAndy Lutomirski <luto@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/87mtsd6gr9.ffs@nanos.tec.linutronix.de
    9bfecd05
xstate.c 37.3 KB