lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251218142736.464b7a4a.gary@garyguo.net>
Date: Thu, 18 Dec 2025 14:27:36 +0000
From: Gary Guo <gary@...yguo.net>
To: David Laight <david.laight.linux@...il.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, Boqun Feng
 <boqun.feng@...il.com>, Joel Fernandes <joel@...lfernandes.org>, "Paul E.
 McKenney" <paulmck@...nel.org>, linux-kernel@...r.kernel.org, Nicholas
 Piggin <npiggin@...il.com>, Michael Ellerman <mpe@...erman.id.au>, Greg
 Kroah-Hartman <gregkh@...uxfoundation.org>, Sebastian Andrzej Siewior
 <bigeasy@...utronix.de>, Will Deacon <will@...nel.org>, Peter Zijlstra
 <peterz@...radead.org>, Alan Stern <stern@...land.harvard.edu>, John Stultz
 <jstultz@...gle.com>, Neeraj Upadhyay <Neeraj.Upadhyay@....com>, Linus
 Torvalds <torvalds@...ux-foundation.org>, Andrew Morton
 <akpm@...ux-foundation.org>, Frederic Weisbecker <frederic@...nel.org>,
 Josh Triplett <josh@...htriplett.org>, Uladzislau Rezki <urezki@...il.com>,
 Steven Rostedt <rostedt@...dmis.org>, Lai Jiangshan
 <jiangshanlai@...il.com>, Zqiang <qiang.zhang1211@...il.com>, Ingo Molnar
 <mingo@...hat.com>, Waiman Long <longman@...hat.com>, Mark Rutland
 <mark.rutland@....com>, Thomas Gleixner <tglx@...utronix.de>, Vlastimil
 Babka <vbabka@...e.cz>, maged.michael@...il.com, Mateusz Guzik
 <mjguzik@...il.com>, Jonas Oberhauser <jonas.oberhauser@...weicloud.com>,
 rcu@...r.kernel.org, linux-mm@...ck.org, lkmm@...ts.linux.dev, Nikita Popov
 <github@...pov.com>, llvm@...ts.linux.dev
Subject: Re: [RFC PATCH v4 1/4] compiler.h: Introduce ptr_eq() to preserve
 address dependency

On Thu, 18 Dec 2025 09:03:13 +0000
David Laight <david.laight.linux@...il.com> wrote:

> On Wed, 17 Dec 2025 20:45:28 -0500
> Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
> 
> > diff --git a/include/linux/compiler.h b/include/linux/compiler.h
> > index 5b45ea7dff3e..c5ca3b54c112 100644
> > --- a/include/linux/compiler.h
> > +++ b/include/linux/compiler.h
> > @@ -163,6 +163,69 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
> >  	__asm__ ("" : "=r" (var) : "0" (var))
> >  #endif
> >  
> > +/*
> > + * Compare two addresses while preserving the address dependencies for
> > + * later use of the address. It should be used when comparing an address
> > + * returned by rcu_dereference().
> > + *
> > + * This is needed to prevent the compiler CSE and SSA GVN optimizations
> > + * from using @a (or @b) in places where the source refers to @b (or @a)
> > + * based on the fact that after the comparison, the two are known to be
> > + * equal, which does not preserve address dependencies and allows the
> > + * following misordering speculations:
> > + *
> > + * - If @b is a constant, the compiler can issue the loads which depend
> > + *   on @a before loading @a.
> > + * - If @b is a register populated by a prior load, weakly-ordered
> > + *   CPUs can speculate loads which depend on @a before loading @a.
> > + *
> > + * The same logic applies with @a and @b swapped.
> > + *
> > + * Return value: true if pointers are equal, false otherwise.
> > + *
> > + * The compiler barrier() is ineffective at fixing this issue. It does
> > + * not prevent the compiler CSE from losing the address dependency:
> > + *
> > + * int fct_2_volatile_barriers(void)
> > + * {
> > + *     int *a, *b;
> > + *
> > + *     do {
> > + *         a = READ_ONCE(p);
> > + *         asm volatile ("" : : : "memory");
> > + *         b = READ_ONCE(p);
> > + *     } while (a != b);
> > + *     asm volatile ("" : : : "memory");  <-- barrier()
> > + *     return *b;
> > + * }
> > + *
> > + * With gcc 14.2 (arm64):
> > + *
> > + * fct_2_volatile_barriers:
> > + *         adrp    x0, .LANCHOR0
> > + *         add     x0, x0, :lo12:.LANCHOR0
> > + * .L2:
> > + *         ldr     x1, [x0]  <-- x1 populated by first load.
> > + *         ldr     x2, [x0]
> > + *         cmp     x1, x2
> > + *         bne     .L2
> > + *         ldr     w0, [x1]  <-- x1 is used for access which should depend on b.
> > + *         ret
> > + *
> > + * On weakly-ordered architectures, this lets CPU speculation use the
> > + * result from the first load to speculate "ldr w0, [x1]" before
> > + * "ldr x2, [x0]".
> > + * Based on the RCU documentation, the control dependency does not
> > + * prevent the CPU from speculating loads.  
> 
> I'm not sure that example (of something that doesn't work) is really necessary.
> The simple example of, given:
> 	return a == b ? *a : 0;
> the generated code might speculatively dereference 'b' (not a) before returning
> zero when the pointers are different.

I'm not sure I understand what you're saying.

`b` cannot be speculatively dereferenced by the compiler in code-path
where pointers are different, as the compiler cannot ascertain that it is
valid.

The speculative execution on the processor side *does not* matter here as
it needs to honour address dependency (unless you're Alpha, which is why we
add a `mb()` in each `READ_ONCE`).

Best,
Gary

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ