lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160229222209.GD7499@dvhart-mobl5.amr.corp.intel.com>
Date:	Mon, 29 Feb 2016 14:22:09 -0800
From:	Darren Hart <dvhart@...radead.org>
To:	Jianyu Zhan <nasa4836@...il.com>
Cc:	linux-kernel@...r.kernel.org, tglx@...utronix.de,
	dave@...olabs.net, peterz@...radead.org, akpm@...ux-foundation.org,
	mingo@...nel.org, dvhart@...ux.intel.com, bigeasy@...utronix.de
Subject: Re: [PATCH] futex:  replace bare barrier() with a READ_ONCE()

On Mon, Feb 29, 2016 at 07:41:33PM +0800, Jianyu Zhan wrote:
> Commit e91467ecd1ef ("bug in futex unqueue_me") introduces a barrier()
> in unqueue_me(), to address a pointer aliasing problem in s390x, between
> q->lock_ptr and local variable lock_ptr.
> 
> Since there is a retry logic to reload q->lock_ptr into local variable lock_ptr,
> s390x generates code that aliases q->lock_ptr with lock_ptr, while q->lock_ptr
> might change between retries, which beats the alias and causes problem.

You've mention it causes problems a few times, but you do not specify what
problem it causes or how it manifests.

Is this a theoretical bug, or have you experienced a failure case. If so, how
did this manifest? Do you have a reproducer we could add to the futex testsuite
in the kernel selftests?

> 
> This patch replaces this bare barrier() with a READ_ONCE(), a weaker form of
> barrier(), which could be more informative.
> 
> And furthermore, this retry logic is effectively the same with:
> 
> 	while (lock_ptr = q->lock_ptr)
> 		do_something_with(lock_ptr);
> 
> and compiler is at its will to merge successive load of q->lock_ptr, which is also problematic
> at this scenario. READ_ONCE() can avoid this problem.
> 
> Signed-off-by: Jianyu Zhan <nasa4836@...il.com>
> ---
>  kernel/futex.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index 5d6ce64..20e8466 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -1927,8 +1927,12 @@ static int unqueue_me(struct futex_q *q)
>  
>  	/* In the common case we don't take the spinlock, which is nice. */
>  retry:
> -	lock_ptr = q->lock_ptr;
> -	barrier();
> +	/*
> +	 *  q->lock_ptr can change and a pointer aliasing(of lock_ptr) will cause problem, 
> +	 *  and also to avoid potential compiler merging of successive load of q->lock_ptr under
> +	 *  this retry logic, so we use READ_ONCE() here.
> +	 */
> +	lock_ptr = READ_ONCE(q->lock_ptr);
>  	if (lock_ptr != NULL) {
>  		spin_lock(lock_ptr);
>  		/*
> -- 
> 2.4.3
> 
> 

-- 
Darren Hart
Intel Open Source Technology Center

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ