| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190425090907.GB14281@hirez.programming.kicks-ass.net>
Date: Thu, 25 Apr 2019 11:09:07 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: huangpei@...ngson.cn
Cc: Paul Burton <paul.burton@...s.com>,
"stern@...land.harvard.edu" <stern@...land.harvard.edu>,
"akiyks@...il.com" <akiyks@...il.com>,
"andrea.parri@...rulasolutions.com"
<andrea.parri@...rulasolutions.com>,
"boqun.feng@...il.com" <boqun.feng@...il.com>,
"dlustig@...dia.com" <dlustig@...dia.com>,
"dhowells@...hat.com" <dhowells@...hat.com>,
"j.alglave@....ac.uk" <j.alglave@....ac.uk>,
"luc.maranget@...ia.fr" <luc.maranget@...ia.fr>,
"npiggin@...il.com" <npiggin@...il.com>,
"paulmck@...ux.ibm.com" <paulmck@...ux.ibm.com>,
"will.deacon@....com" <will.deacon@....com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"torvalds@...ux-foundation.org" <torvalds@...ux-foundation.org>,
Huacai Chen <chenhc@...ote.com>
Subject: Re: Re: [RFC][PATCH 2/5] mips/atomic: Fix loongson_llsc_mb() wreckage
On Thu, Apr 25, 2019 at 09:33:48AM +0200, Peter Zijlstra wrote:
> > Let me explain the bug more specific:
> >
> > the bug ONLY matters in following situation:
> >
> > #. more than one cpu (assume cpu A and B) doing ll/sc on same shared
> > var V
> >
> > #. speculative memory access from A cause A erroneously succeed sc
> > operation, since the erroneously successful sc operation violate the
> > coherence protocol. (here coherence protocol means the rules that CPU
> > follow to implement ll/sc right)
> >
> > #. B succeed sc operation too, but this sc operation is right both
> > logically and follow the coherence protocol, and makes A's sc wrong
> > logically since only ONE sc operation can succeed.
>
> (I know your coherence protocol is probably more complicated than MESI,
> but bear with me)
>
> So A speculatively gets V's line in Exclusive mode, speculates the Lock
> flag is still there and completes the Store. This speculative store then
> leaks out and violates MESI because there _should_ only be one Exclusive
> owner of a line (B).
>
> Something like that?
So B gets E (from LL), does I on A, then SC succeeds and get M. A got
I, speculates E, speculates M and lets the M escape.
That gets us with 2 competing Ms (which is of course completely
insane), one wins one looses (at random I presume).
And this violates atomic guarantees because one operation got lost.
> > If it is not LL/SC but other memory access from B on V, A's ll/sc can
> > follow the atomic semantics even if A violate the coherence protocol
> > in the same situation.
>
> *shudder*...
>
> C atomic-set
>
> {
> atomic_set(v, 1);
> }
>
> P1(atomic_t *v)
> {
> atomic_add_unless(v, 1, 0);
> }
>
> P2(atomic_t *v)
> {
> atomic_set(v, 0);
> }
>
> exists
> (v=2)
>
> So that one will still work? (that is, v=2 is forbidden)
But then in this case, P1 has E from LL, P2 does M from the STORE, which
should cause I on P1. P1 speculates E, speculates M and lets M escape.
We again have two competing Ms, one wins at random, and v==2 if P1
wins. This again violates the atomic guarantees and would invalidate
your claim of it only mattering for competing LL/SC.
Or am I missing something? (quite likely, I always get confused with
these things)
Powered by blists - more mailing lists