lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHbLzkrot3t5XwvHS4wveOZeK2OxcbC+8DX=UThQTcaFp-Ym_Q@mail.gmail.com>
Date:   Tue, 6 Sep 2022 12:11:28 -0700
From:   Yang Shi <shy828301@...il.com>
To:     David Hildenbrand <david@...hat.com>
Cc:     Jason Gunthorpe <jgg@...dia.com>,
        John Hubbard <jhubbard@...dia.com>, peterx@...hat.com,
        kirill.shutemov@...ux.intel.com, hughd@...gle.com,
        akpm@...ux-foundation.org, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] mm: gup: fix the fast GUP race against THP collapse

On Tue, Sep 6, 2022 at 7:44 AM David Hildenbrand <david@...hat.com> wrote:
>
> On 06.09.22 16:30, Jason Gunthorpe wrote:
> > On Tue, Sep 06, 2022 at 03:57:30PM +0200, David Hildenbrand wrote:
> >
> >>> READ_ONCE primarily is a marker that the data being read is unstable
> >>> and that the compiler must avoid all instability when reading it. eg
> >>> in this case the compiler could insanely double read the value, even
> >>> though the 'if' requires only a single read. This would result in
> >>> corrupt calculation.
> >>
> >> As we have a full memory barrier + compile barrier, the compiler might
> >> indeed do double reads and all that stuff. BUT, it has to re-read after we
> >> incremented the refcount, and IMHO that's the important part to detect the
> >> change.
> >
> > Yes, it is important, but it is not the only important part.
> >
> > The compiler still has to exectute "if (*a != b)" *correctly*.
> >
> > This is what READ_ONCE is for. It doesn't set order, it doesn't
> > implement a barrier, it tells the compiler that '*a' is unstable data
> > and the compiler cannot make assumptions based on the idea that
> > reading '*a' multiple times will always return the same value.
> >
> > If the compiler makes those assumptions then maybe even though 'if (*a
> > != b)' is the reality, it could mis-compute '*a == b'. You enter into
> > undefined behavior here.
> >
> > Though it is all very unlikely, the general memory model standard is
> > to annotate with READ_ONCE.
>
> The only thing I could see going wrong in the comparison once the stars
> alingn would be something like the following:
>
> if (*a != b)
>
> implemented as
>
> if ((*a).lower != b.lower && (*a).higher != b.higher)
>
>
> This could only go wrong if we have more than one change such that:
>
> Original:
>
> *a = 0x00000000ffffffffull;
>
>
> First modification:
> *a = 0xffffffffffffffffull;
>
> Second modification:
> *a = 0x00000000eeeeeeeeull;

IIUC this is typically a 32-bit thing.

>
>
> If we race with both modifications, we could see that ffffffff matches,
> and could see that 00000000 matches as well.
>
>
> So I agree that we should change it, but not necessarily as an urgent
> fix and not necessarily in this patch. It's best to adjust all gup_*
> functions in one patch.
>
> ... I do wonder if we want to reuse ptep_get_lockless() instead of the
> READ_ONCE(). CONFIG_GUP_GET_PTE_LOW_HIGH is confusing.
>
> --
> Thanks,
>
> David / dhildenb
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ