| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Jun 2014 06:34:03 -0400 (EDT) From: Mikulas Patocka <mpatocka@...hat.com> To: Peter Zijlstra <peterz@...radead.org> cc: Linus Torvalds <torvalds@...ux-foundation.org>, jejb@...isc-linux.org, deller@....de, John David Anglin <dave.anglin@...l.net>, linux-parisc@...r.kernel.org, linux-kernel@...r.kernel.org, chegu_vinod@...com, paulmck@...ux.vnet.ibm.com, Waiman.Long@...com, tglx@...utronix.de, riel@...hat.com, akpm@...ux-foundation.org, davidlohr@...com, hpa@...or.com, andi@...stfloor.org, aswin@...com, scott.norton@...com, Jason Low <jason.low2@...com> Subject: Re: [PATCH] fix a race condition in cancelable mcs spinlocks On Sun, 1 Jun 2014, Peter Zijlstra wrote: > On Sun, Jun 01, 2014 at 01:53:11PM -0400, Mikulas Patocka wrote: > > PA-RISC doesn't have xchg or cmpxchg atomic instructions like other > > processors. It only has ldcw and ldcd instructions that load a word (or > > doubleword) from memory and atomically store zero at the same location. > > These instructions can only be used to implement spinlocks, direct > > implementation of other atomic operations is impossible. > > > > Consequently, Linux xchg and cmpxchg functions are implemented in such a > > way that they hash the address, use the hash to index a spinlock, take the > > spinlock, perform the xchg or cmpxchg operation non-atomically and drop > > the spinlock. > > > > If you write to some variable with ACCESS_ONCE and use cmpxchg or xchg at > > the same time, you break it. ACCESS_ONCE doesn't take the hashed spinlock, > > so, in this case, cmpxchg or xchg isn't really atomic at all. > > And this is really the first place in the kernel that breaks like this? > I've been using xchg() and cmpxchg() without such consideration for > quite a while. It happens on a common mutex operation and it took an hour of stress-testing to trigger it. The other cases may be buggy too, but no one has written a stress test specifically tailored for them. > Doesn't sparc32 have similarly broken atomic ops? Yes. tile32, arc and metag seem to be broken by this too. hexagon also has non-standard atomic_set, so it may be broken too. > Ideally, if we really want to preserve such broken-ness, we'd add some > debugging infrastructure to detect such nonsense. > > > This patch fixes the bug by introducing a new type atomic_pointer_t > > (backed by atomic_long_t) and replacing the offending pointer with it. > > atomic_long_set takes the hashed spinlock, so it avoids the race > > condition. > > So I hate that twice, once since xchg() and cmpxchg() do not share the > atomic_ prefix, its inappropriate and misleading here, and secondly, > non of this is specific to pointers, xchg() and cmpxchg() take any > (naturally aligned) 'native' size type. I think we don't need xchg() and cmpxchg() at all, because we have atomic types. Mikulas -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists