[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230703190044.311730-1-jhubbard@nvidia.com>
Date: Mon, 3 Jul 2023 12:00:44 -0700
From: John Hubbard <jhubbard@...dia.com>
To: Andrew Morton <akpm@...ux-foundation.org>
CC: Albert Ou <aou@...s.berkeley.edu>,
Alexandre Ghiti <alexghiti@...osinc.com>,
Andrew Jones <ajones@...tanamicro.com>,
"Hugh Dickins" <hughd@...gle.com>,
Palmer Dabbelt <palmer@...belt.com>,
"Paul Walmsley" <paul.walmsley@...ive.com>,
Qinglin Pan <panqinglin2020@...as.ac.cn>,
<linux-riscv@...ts.infradead.org>, <linux-mm@...ck.org>,
LKML <linux-kernel@...r.kernel.org>,
John Hubbard <jhubbard@...dia.com>,
James Houghton <jthoughton@...gle.com>,
Ryan Roberts <ryan.roberts@....com>
Subject: [PATCH] mm: riscv: fix an unsafe pte read in huge_pte_alloc()
The WARN_ON_ONCE() statement in riscv's huge_pte_alloc() is susceptible
to false positives, because the pte is read twice at the C language
level, locklessly, within the same conditional statement. Depending on
compiler behavior, this can lead to generated machine code that actually
reads the pte just once, or twice. Reading twice will expose the code to
changing pte values and cause incorrect behavior.
In [1], similar code actually caused a kernel crash on 64-bit x86, when
using clang to build the kernel, but only after the conversion from *pte
reads, to ptep_get(pte). The latter uses READ_ONCE(), which forced a
double read of *pte.
Rather than waiting for the upcoming ptep_get() conversion, just convert
this part of the code now, but in a way that avoids the above problem:
take a single snapshot of the pte before using it in the WARN
conditional.
As expected, this preparatory step does not actually change the
generated code ("make mm/hugetlbpage.s"), on riscv64, when using a gcc
12.2 cross compiler.
[1] https://lore.kernel.org/20230630013203.1955064-1-jhubbard@nvidia.com
Suggested-by: James Houghton <jthoughton@...gle.com>
Cc: Ryan Roberts <ryan.roberts@....com>
Signed-off-by: John Hubbard <jhubbard@...dia.com>
---
arch/riscv/mm/hugetlbpage.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/mm/hugetlbpage.c b/arch/riscv/mm/hugetlbpage.c
index 542883b3b49b..96225a8533ad 100644
--- a/arch/riscv/mm/hugetlbpage.c
+++ b/arch/riscv/mm/hugetlbpage.c
@@ -73,7 +73,11 @@ pte_t *huge_pte_alloc(struct mm_struct *mm,
}
out:
- WARN_ON_ONCE(pte && pte_present(*pte) && !pte_huge(*pte));
+ if (pte) {
+ pte_t pteval = ptep_get_lockless(pte);
+
+ WARN_ON_ONCE(pte_present(pteval) && !pte_huge(pteval));
+ }
return pte;
}
base-commit: 0a8d6c9c7128a93689fba384cdd7f72b0ce19abd
--
2.41.0
Powered by blists - more mailing lists