• Suresh Siddha's avatar
    x86, fpu: fix CONFIG_PREEMPT=y corruption of application's FPU stack · 870568b3
    Suresh Siddha authored
    Jürgen Mell reported an FPU state corruption bug under CONFIG_PREEMPT,
    and bisected it to commit v2.6.19-1363-gacc20761, "i386: add sleazy FPU
    optimization".
    
    Add tsk_used_math() checks to prevent calling math_state_restore()
    which can sleep in the case of !tsk_used_math(). This prevents
    making a blocking call in __switch_to().
    
    Apparently "fpu_counter > 5" check is not enough, as in some signal handling
    and fork/exec scenarios, fpu_counter > 5 and !tsk_used_math() is possible.
    
    It's a side effect though. This is the failing scenario:
    
    process 'A' in save_i387_ia32() just after clear_used_math()
    
    Got an interrupt and pre-empted out.
    
    At the next context switch to process 'A' again, kernel tries to restore
    the math state proactively and sees a fpu_counter > 0 and !tsk_used_math()
    
    This results in init_fpu() during the __switch_to()'s math_state_restore()
    
    And resulting in fpu corruption which will be saved/restored
    (save_i387_fxsave and restore_i387_fxsave) during the remaining
    part of the signal handling after the context switch.
    Bisected-by: default avatarJürgen Mell <j.mell@t-online.de>
    Signed-off-by: default avatarSuresh Siddha <suresh.b.siddha@intel.com>
    Tested-by: default avatarJürgen Mell <j.mell@t-online.de>
    Signed-off-by: default avatarIngo Molnar <mingo@elte.hu>
    Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
    Cc: stable@kernel.org
    870568b3
process_64.c 20.7 KB