| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 May 2019 12:48:24 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Yabin Cui <yabinc@...gle.com>
Cc: Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo <acme@...nel.org>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...hat.com>,
Namhyung Kim <namhyung@...nel.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] perf/ring_buffer: Fix exposing a temporarily decreased
data_head.
On Tue, May 14, 2019 at 05:30:59PM -0700, Yabin Cui wrote:
> In perf_output_put_handle(), an IRQ/NMI can happen in below location and
> write records to the same ring buffer:
> ...
> local_dec_and_test(&rb->nest)
> ... <-- an IRQ/NMI can happen here
> rb->user_page->data_head = head;
> ...
>
> In this case, a value A is written to data_head in the IRQ, then a value
> B is written to data_head after the IRQ. And A > B. As a result,
> data_head is temporarily decreased from A to B. And a reader may see
> data_head < data_tail if it read the buffer frequently enough, which
> creates unexpected behaviors.
Indeed, good catch! Have you observed this, or is this patch due to code
inspection?
> This can be fixed by moving dec(&rb->nest) to after updating data_head,
> which prevents the IRQ/NMI above from updating data_head.
>
> Signed-off-by: Yabin Cui <yabinc@...gle.com>
> ---
> kernel/events/ring_buffer.c | 11 ++++++++++-
> 1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/events/ring_buffer.c b/kernel/events/ring_buffer.c
> index 674b35383491..0b9aefe13b04 100644
> --- a/kernel/events/ring_buffer.c
> +++ b/kernel/events/ring_buffer.c
> @@ -54,8 +54,10 @@ static void perf_output_put_handle(struct perf_output_handle *handle)
> * IRQ/NMI can happen here, which means we can miss a head update.
> */
>
> - if (!local_dec_and_test(&rb->nest))
> + if (local_read(&rb->nest) > 1) {
> + local_dec(&rb->nest);
> goto out;
> + }
>
> /*
> * Since the mmap() consumer (userspace) can run on a different CPU:
> @@ -86,6 +88,13 @@ static void perf_output_put_handle(struct perf_output_handle *handle)
> smp_wmb(); /* B, matches C */
> rb->user_page->data_head = head;
At the very least this needs:
barrier();
> + /*
> + * Clear rb->nest after updating data_head. This prevents IRQ/NMI from
> + * updating data_head before us. If that happens, we will expose a
> + * temporarily decreased data_head.
> + */
> + local_set(&rb->nest, 0);
Since you rely on the 'decrement' (1->0) to happen after we've written
head.
And similarly, you need:
barrier();
Because we must re-check the head after we've 'decremented'.
> /*
> * Now check if we missed an update -- rely on previous implied
> * compiler barriers to force a re-read.
A more paranoid person might've written:
WARN_ON_ONCE(local_cmpxchg(&rb->nest, 1, 0) != 1);
which would've also implied both barrier()s.
Powered by blists - more mailing lists