| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Feb 2014 07:51:48 -0500
From: Peter Hurley <peter@...leysoftware.com>
To: Tejun Heo <tj@...nel.org>
CC: laijs@...fujitsu.com, linux-kernel@...r.kernel.org,
Stefan Richter <stefanr@...6.in-berlin.de>,
linux1394-devel@...ts.sourceforge.net,
Chris Boot <bootc@...tc.net>, linux-scsi@...r.kernel.org,
target-devel@...r.kernel.org
Subject: Re: [PATCH 4/9] firewire: don't use PREPARE_DELAYED_WORK
On 02/21/2014 05:03 AM, Tejun Heo wrote:
> On Fri, Feb 21, 2014 at 12:13:16AM -0500, Peter Hurley wrote:
>> CPU 0 | CPU 1
>> |
>> INIT_WORK(fw_device_workfn) |
>> |
>> workfn = funcA |
>> queue_work_on() |
>> . | process_one_work()
>> . | ..
>> . | worker->current_func = work->func
>> . |
>> . | speculative load of workfn = funcA
>> . | .
>> workfn = funcB | .
>> queue_work_on() | .
>> local_irq_save() | .
>> test_and_set_bit() == 1 | .
>> | set_work_pool_and_clear_pending()
>> work is not queued | smp_wmb
>> funcB never runs | set_work_data()
>> | atomic_set()
>> | spin_unlock_irq()
>> |
>> | worker->current_func(work) @ fw_device_workfn
>> | workfn() @ funcA
>>
>>
>> The speculative load of workfn on CPU 1 is valid because no rmb will occur
>> between the load and the execution of workfn() on CPU 1.
>>
>> Thus funcB will never execute because, in this circumstance, a second
>> worker is not queued (because PENDING had not yet been cleared).
>
> There's no right or wrong execution. Executions of either funcA or
> funcB are correct results. The only memory ordering guarantee
> workqueue gives is that anything written before the work item is
> queued will be visible when that instance starts executing. When a
> work item is not queued, no ordering is guaranteed between the
> queueing attempt and the execution of the existing instance.
I think the vast majority of kernel code which uses the workqueue
assumes there is a memory ordering guarantee.
Meaning that if a work item is not queue-able then the previously
queued instance _has not yet started_ and so, by deduction, must be
able to see the newly written values.
Consider:
add something important to list to work on
queue work
or
update index in buffer indicating more data
queue work
Neither of these uses expect that the workqueue does not guarantee
that this latest data is acted upon.
Another way to look at this problem is that process_one_work()
doesn't become the existing instance _until_ PENDING is cleared.
> We can
> add such guarantee, not sure how much it'd matter but it's not like
> it's gonna cost a lot either.
>
> This doesn't have much to do with the current series tho. In fact,
> PREPARE_WORK can't ever be made to give such guarantee.
Yes, I agree that PREPARE_DELAYED_WORK was also broken usage with the
same problem. [And there are other bugs in that firewire device work
code which I'm working on.]
> The function pointer has to fetched before clearing of PENDING.
Why?
As long as the load takes place within the pool->lock, I don't think
it matters (especially now PREPARE_WORK is removed).
Regards,
Peter Hurley
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists