On Thu, 24 Jul 2008, Suresh Siddha wrote:
quoted text
> 
> In the error condition for restore_fpu_checking() (especially during
> the 64bit signal return), we are doing init_fpu(), which saves the live
> FPU register state (possibly belonging to some other process context) into the
> thread struct (through unlazy_fpu() in init_fpu()). This is wrong and can leak
> the FPU data.
> 
> Remove the unlazy_fpu() from the init_fpu(). init_fpu() will now always
> init the FPU data in the thread struct. For the error conditions in
> restore_fpu_checking(), restore the initialized FPU data from the thread
> struct.

Why? The thread struct is guaranteed to contain pointless data.

If we cannot restore the FP state from the signal stack, we should not try 
to restore it from anywhere _else_ either, since nowhere else will have 
any better results.

I suspect we should just reset the x87 state (which was the _intention_ of 
the code), possibly by just doing "stts + used_math = 0". The signal 
handling code already checks for errors, and will force a SIGSEGV if this 
ever happens.

(Yes, there is also a restore_fpu_checking() in math_state_restore(), but 
that one _already_ uses &current->thread.xstate->fxsave as the buffer to 
restore from, so trying to do that _again_ when it fails seems to be 
really really wrong - we already _did_ that, and that was what failed to 
begin with)

				Linus
--
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/