[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <yw1xk338j7vd.fsf@unicorn.mansr.com>
Date: Thu, 06 Nov 2014 22:12:54 +0000
From: Måns Rullgård <mans@...sr.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Christian Riesch <christian.riesch@...cron.at>,
Jiri Slaby <jslaby@...e.cz>, linux-kernel@...r.kernel.org,
stable@...r.kernel.org
Subject: Re: [PATCH] n_tty: Add memory barrier to fix race condition in receive path
Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
> On Thu, Nov 06, 2014 at 09:38:59PM +0000, Måns Rullgård wrote:
>> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
>>
>> > On Thu, Nov 06, 2014 at 09:01:36PM +0000, Måns Rullgård wrote:
>> >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
>> >>
>> >> > On Thu, Nov 06, 2014 at 08:49:01PM +0000, Måns Rullgård wrote:
>> >> >> Greg Kroah-Hartman <gregkh@...uxfoundation.org> writes:
>> >> >>
>> >> >> > On Thu, Nov 06, 2014 at 12:39:59PM +0100, Christian Riesch wrote:
>> >> >> >> The current implementation of put_tty_queue() causes a race condition
>> >> >> >> when re-arranged by the compiler.
>> >> >> >>
>> >> >> >> On my build with gcc 4.8.3, cross-compiling for ARM, the line
>> >> >> >>
>> >> >> >> *read_buf_addr(ldata, ldata->read_head++) = c;
>> >> >> >>
>> >> >> >> was re-arranged by the compiler to something like
>> >> >> >>
>> >> >> >> x = ldata->read_head
>> >> >> >> ldata->read_head++
>> >> >> >> *read_buf_addr(ldata, x) = c;
>> >> >> >>
>> >> >> >> which causes a race condition. Invalid data is read if data is read
>> >> >> >> before it is actually written to the read buffer.
>> >> >> >
>> >> >> > Really? A compiler can rearange things like that and expect things to
>> >> >> > actually work? How is that valid?
>> >> >>
>> >> >> This is actually required by the C spec. There is a sequence point
>> >> >> before a function call, after the arguments have been evaluated. Thus
>> >> >> all side-effects, such as the post-increment, must be complete before
>> >> >> the function is called, just like in the example.
>> >> >>
>> >> >> There is no "re-arranging" here. The code is simply wrong.
>> >> >
>> >> > Ah, ok, time to dig out the C spec...
>> >> >
>> >> > Anyway, because of this, no need for the wmb() calls, just rearrange the
>> >> > logic and all should be good, right? Christian, can you test that
>> >> > instead?
>> >>
>> >> Weakly ordered SMP systems probably need some kind of barrier. I didn't
>> >> look at it carefully.
>> >
>> > It shouldn't need a barier, as it is a sequence point with the function
>> > call. Well, it's an inline function, but that "shouldn't" matter here,
>> > right?
>>
>> Sequence points say nothing about the order in which stores become
>> visible to other CPUs. That's why there are barrier instructions.
>
> Yes, but "order" matters.
>
> If I write code that does:
>
> 100 x = ldata->read_head;
> 101 &ldata->read_head[x & SOME_VALUE] = y;
> 102 ldata->read_head++;
>
> the compiler can not reorder lines 102 and 101 just because it feels
> like it, right? Or is it time to go spend some reading of the C spec
> again...
The compiler can't. The hardware can. All the hardware promises is
that at some unspecified time in the future, both memory locations will
have the correct values. Another CPU might see 'read_head' updated
before it sees the corresponding data value. A wmb() between the writes
forces the CPU to complete preceding stores before it begins subsequent
ones.
Documentation/memory-barriers.txt explains it all in detail.
--
Måns Rullgård
mans@...sr.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists