| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240807225106.GM6051@frogsfrogsfrogs>
Date: Wed, 7 Aug 2024 15:51:06 -0700
From: "Darrick J. Wong" <djwong@...nel.org>
To: Thomas Gleixner <tglx@...utronix.de>
Cc: Peter Zijlstra <peterz@...radead.org>,
Chandan Babu R <chandanbabu@...nel.org>,
Matthew Wilcox <willy@...radead.org>,
xfs <linux-xfs@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
linux-kernel <linux-kernel@...r.kernel.org>, x86@...nel.org
Subject: Re: Are jump labels broken on 6.11-rc1?
On Wed, Aug 07, 2024 at 08:05:03AM -0700, Darrick J. Wong wrote:
> On Wed, Aug 07, 2024 at 04:55:53PM +0200, Thomas Gleixner wrote:
> > On Wed, Aug 07 2024 at 16:34, Peter Zijlstra wrote:
> > > On Wed, Aug 07, 2024 at 04:03:12PM +0200, Thomas Gleixner wrote:
> > >
> > >> > + if (static_key_dec(key, true)) // dec-not-one
> > >>
> > >> Eeew.
> > >
> > > :-) I knew you'd hate on that
> >
> > So you added it just to make me grumpy enough to fix it for you, right?
>
> FWIW with peter's 'ugly' patch applied, fstests didn't cough up any
> static key complaints overnight.
But with Thomas' patch and the "if (v < 0) return false;" change
applied, the kernel crashes on boot:
[ 11.563329] jump_label: Fatal kernel bug, unexpected op at mem_cgroup_sk_alloc+0x5/0xc0 [ffffffff81377af5] (eb 01 c3 53 48 != 66 90 0f 1f 00)) size:2 type:1
[ 11.566166] ------------[ cut here ]------------
[ 11.567150] kernel BUG at arch/x86/kernel/jump_label.c:73!
[ 11.568416] Oops: invalid opcode: 0000 [#1] PREEMPT SMP
[ 11.569586] CPU: 1 UID: 0 PID: 58 Comm: 1:1 Not tainted 6.11.0-rc2-djwx #rc2 d917e89fa198c1bdec418be517dc3e49f564823f
[ 11.571790] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
[ 11.573738] Workqueue: cgroup_destroy css_free_rwork_fn
[ 11.574898] RIP: 0010:__jump_label_patch+0x10a/0x110
[ 11.576122] Code: eb a0 0f 0b 0f 0b 48 c7 c3 a4 7a 7b 82 41 56 45 89 e1 49 89 d8 4c 89 e9 4c 89 ea 4c 89 ee 48 c7 c7 60 8a e7 81 e8 66 dd 0d 00 <0f> 0b 0f 1f 40 00 0f 1f 44 00 00 e9 36 0
[ 11.579843] RSP: 0018:ffffc90000527d70 EFLAGS: 00010246
[ 11.580986] RAX: 0000000000000090 RBX: ffffffff81c088c1 RCX: 0000000000000000
[ 11.582470] RDX: 0000000000000000 RSI: ffffffff81eacf61 RDI: 00000000ffffffff
[ 11.583962] RBP: ffffc90000527da0 R08: 0000000000000000 R09: 205d393233333635
[ 11.585449] R10: 0000000000000731 R11: 62616c5f706d756a R12: 0000000000000002
[ 11.589526] R13: ffffffff81377af5 R14: 0000000000000001 R15: 0000000000000000
[ 11.591030] FS: 0000000000000000(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000
[ 11.592776] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 11.594018] CR2: 00007fec0a3f5d90 CR3: 0000000002033004 CR4: 00000000001706f0
[ 11.595506] Call Trace:
[ 11.596174] <TASK>
[ 11.605028] arch_jump_label_transform_queue+0x33/0x70
[ 11.606170] __jump_label_update+0x6e/0x130
[ 11.607131] __static_key_slow_dec_cpuslocked+0x50/0x60
[ 11.608280] static_key_slow_dec+0x2d/0x50
[ 11.609230] mem_cgroup_css_free+0xc2/0xd0
[ 11.610183] css_free_rwork_fn+0x40/0x3f0
[ 11.612094] process_one_work+0x17a/0x3b0
[ 11.613045] worker_thread+0x252/0x360
[ 11.615974] kthread+0xe5/0x120
--D
> > >> +/*
> > >> + * Fastpath: Decrement if the reference count is greater than one
> > >> + *
> > >> + * Returns false, if the reference count is 1 or -1 to force the caller
> > >> + * into the slowpath.
> > >> + *
> > >> + * The -1 case is to handle a decrement during a concurrent first enable,
> > >> + * which sets the count to -1 in static_key_slow_inc_cpuslocked(). As the
> > >> + * slow path is serialized the caller will observe 1 once it acquired the
> > >> + * jump_label_mutex, so the slow path can succeed.
> > >> + */
> > >> +static bool static_key_dec_not_one(struct static_key *key)
> > >> +{
> > >> + int v = static_key_dec(key, true);
> > >> +
> > >> + return v != 1 && v != -1;
> > >
> > > if (v < 0)
> > > return false;
> >
> > Hmm. I think we should do:
> >
> > #define KEY_ENABLE_IN_PROGRESS -1
> >
> > or even a more distinct value like (INT_MIN / 2)
> >
> > and replace all the magic -1 numbers with it. Then the check becomes
> > explicit:
> >
> > if (v == KEY_ENABLE_IN_PROGRESS)
> > return false;
> >
> > > /*
> > > * Notably, 0 (underflow) returns true such that it bails out
> > > * without doing anything.
> > > */
> > > return v != 1;
> > >
> > > Perhaps?
> >
> > Sure.
> >
> > >> +}
> > >> +
> > >> +/*
> > >> + * Slowpath: Decrement and test whether the refcount hit 0.
> > >> + *
> > >> + * Returns true if the refcount hit zero, i.e. the previous value was one.
> > >> + */
> > >> +static bool static_key_dec_and_test(struct static_key *key)
> > >> +{
> > >> + int v = static_key_dec(key, false);
> > >> +
> > >> + lockdep_assert_held(&jump_label_mutex);
> > >> + return v == 1;
> > >> }
> > >
> > > But yeah, this is nicer!
> >
> > :)
>
> It probably goes without saying that if either of you send a cleaned up
> patch with all these changes baked in, I will test it for you all. :)
>
> --D
>
> >
> > Thanks,
> >
> > tglx
> >
>
Powered by blists - more mailing lists