lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f704b0c40c393d1c326f13d043505960924f879a.camel@kernel.org>
Date: Wed, 29 Jan 2025 18:06:14 -0500
From: Jeff Layton <jlayton@...nel.org>
To: Andreas Schwab <schwab@...e.de>, linux-riscv@...ts.infradead.org
Cc: linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org
Subject: Re: Multigrain timestamps do not work on RISC-V

On Wed, 2025-01-29 at 18:20 +0100, Andreas Schwab wrote:
> On Jan 29 2025, Andreas Schwab wrote:
> 
> > My guess would be that something in inode_set_ctime_current is going
> > wrong.
> 
> The bug is in the arch_cmpxchg macros in <asm/cmpxchg.h>, they mishandle
> atomic exchange of u32 values:
> 
>     # fs/inode.c:2802: 	if (cns == now.tv_nsec && inode->i_ctime_sec == now.tv_sec) {
>     #NO_APP
>             ld	a5,-96(s0)		# _33, now.tv_nsec
>     # fs/inode.c:2802: 	if (cns == now.tv_nsec && inode->i_ctime_sec == now.tv_sec) {
>             slli	a4,s2,32	#, _49, cns
>             srli	a4,a4,32	#, _49, _49
>     # fs/inode.c:2802: 	if (cns == now.tv_nsec && inode->i_ctime_sec == now.tv_sec) {
>             beq	a4,a5,.L1248	#, _49, _33,
>     .L1205:
>             addi	a3,s1,120	#, __ai_ptr, inode
>     .L1221:
>     # fs/inode.c:2809: 	if (try_cmpxchg(&inode->i_ctime_nsec, &cur, now.tv_nsec)) {
>     #APP
>     # 2809 "fs/inode.c" 1
>             0:	lr.w a2, 0(a3)	# __ret, *__ai_ptr_20
>             bne  a2, a4, 1f	# __ret, _49
> 
> Here the unsigned extended value of cur (a4) is compared with the sign
> extended value of inode->i_ctime_nsec (a2).  They cannot match if cur
> has I_CTIME_QUERIED set (the sign bit).  The lr/sc loop is exited before
> the store conditional is executed.
> 
>             sc.w.rl a1, a5, 0(a3)	# __rc, _33, *__ai_ptr_20
>             bnez a1, 0b	# __rc
>             fence rw,rw
>     1:
> 
>     # 0 "" 2
>     #NO_APP
>             sext.w	a5,a2	# __ret, __ret
> 
> A redundant sign extension of the current contents of inode->i_ctime_nsec.
> 
>     # fs/inode.c:2809: 	if (try_cmpxchg(&inode->i_ctime_nsec, &cur, now.tv_nsec)) {
>             bne	a5,s2,.L1211	#, __ret, cns,
> 
> Here the sign extended value of inode->i_ctime_nsec (a5) is compared
> with the sign extended expected value (s2).  They match, and try_cmpxchg
> returns true, but the store never happend.
> 

Wow, nice catch! Had me worried there for a bit!

-- 
Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ