| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANpmjNPR+mbadR0DDKGUhTkaXJi=vsHmhvq3+Rz0Hrx=E9V_Qg@mail.gmail.com>
Date: Tue, 21 Jan 2020 16:19:22 +0100
From: Marco Elver <elver@...gle.com>
To: Qian Cai <cai@....pw>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
"the arch/x86 maintainers" <x86@...nel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH -next] x86/mm/pat: silence a data race in cpa_4k_install
On Tue, 21 Jan 2020 at 16:15, Qian Cai <cai@....pw> wrote:
>
> Macro Elver mentioned,
>
> "Yes. I was finally able to reproduce this data race on linux-next (my
> system doesn't crash though, maybe not enough cores?). Here is a trace
> with line numbers:
>
> read to 0xffffffffaa59a000 of 8 bytes by interrupt on cpu 7:
> cpa_inc_4k_install arch/x86/mm/pat/set_memory.c:131 [inline]
> __change_page_attr+0x10cf/0x1840 arch/x86/mm/pat/set_memory.c:1514
> __change_page_attr_set_clr+0xce/0x490 arch/x86/mm/pat/set_memory.c:1636
> __set_pages_np+0xc4/0xf0 arch/x86/mm/pat/set_memory.c:2148
> __kernel_map_pages+0xb0/0xc8 arch/x86/mm/pat/set_memory.c:2178
> kernel_map_pages include/linux/mm.h:2719 [inline]
> <snip>
>
> write to 0xffffffffaa59a000 of 8 bytes by task 1 on cpu 6:
> cpa_inc_4k_install arch/x86/mm/pat/set_memory.c:131 [inline]
> __change_page_attr+0x10ea/0x1840 arch/x86/mm/pat/set_memory.c:1514
> __change_page_attr_set_clr+0xce/0x490 arch/x86/mm/pat/set_memory.c:1636
> __set_pages_p+0xc4/0xf0 arch/x86/mm/pat/set_memory.c:2129
> __kernel_map_pages+0x2e/0xc8 arch/x86/mm/pat/set_memory.c:2176
> kernel_map_pages include/linux/mm.h:2719 [inline]
> <snip>
>
> Both accesses are due to the same "cpa_4k_install++" in
> cpa_inc_4k_install. Now you can see that a data race here could be
> potentially undesirable: depending on compiler optimizations or how
> x86 executes a non-LOCK'd increment, you may lose increments, corrupt
> the counter, etc. Since this counter only seems to be used for
> printing some stats, this data race itself is unlikely to cause harm
> to the system though."
Thank you for the patch!
Could you remove the verbatim copy of my email? Maybe something like:
"Increments to cpa_4k_install may happen concurrently, as detected by KCSAN:
<....... the stack traces ......>
Since the counter is only used to count stats, a data race will not be
harmful, thus we mark it as an intentional data race with the
'data_race()' macro.
Otherwise, this may generate a lot of noise on a debug kernel with
debug_pagealloc
with KCSAN enabled which could render the system unusable."
Thanks,
-- Marco
> This will generate a lot of noise on a debug kernel with debug_pagealloc
> with KCSAN enabled which could render the system unusable. Silence it by
> using the data_race() macro.
>
> Suggested-by: Macro Elver <elver@...gle.com>
> Signed-off-by: Qian Cai <cai@....pw>
> ---
> arch/x86/mm/pat/set_memory.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c
> index 20823392f4f2..a5c35e57905e 100644
> --- a/arch/x86/mm/pat/set_memory.c
> +++ b/arch/x86/mm/pat/set_memory.c
> @@ -128,7 +128,7 @@ static inline void cpa_inc_2m_checked(void)
>
> static inline void cpa_inc_4k_install(void)
> {
> - cpa_4k_install++;
> + data_race(cpa_4k_install++);
> }
>
> static inline void cpa_inc_lp_sameprot(int level)
> --
> 2.21.0 (Apple Git-122.2)
>
Powered by blists - more mailing lists