From: Jonathan Nieder <jrnieder@gmail.com>
To: linux-ia64@vger.kernel.org
Cc: "Michel Lespinasse" <walken@google.com>,
"Tony Luck" <tony.luck@intel.com>,
"Émeric Maschino" <emeric.maschino@gmail.com>,
"Patrick Baggett" <baggett.patrick@gmail.com>,
"Jakub Jelinek" <jakub@redhat.com>,
linux-kernel@vger.kernel.org
Subject: [regression] Re: [PATCH 2/3] futex: Sanitize cmpxchg_futex_value_locked API
Date: Mon, 05 Mar 2012 00:01:13 +0000 [thread overview]
Message-ID: <20120305000112.GA27512@burratino> (raw)
In-Reply-To: <20110311024851.GC26122@google.com>
(reset cc list)
Hi,
Michel Lespinasse wrote:
> This change makes the cmpxchg_futex_value_locked API more similar to the
> get_futex_value_locked one, returning an error code and updating the
> original value through a reference argument.
[...]
> Acked-by: Tony Luck <tony.luck@intel.com> [ia64]
Émeric Maschino (cc-ed) is experiencing random crashes, X restarts,
and so on on Itanium. Bisects to this patch[1].
Patrick Baggett, investigating, wrote[2]:
> It doesn't look like the return value (r8) is actually being set beyond
> initialized to 0. If there is some ia64 instruction that modifies it, GCC
> doesn't know about it from the inline assembly (r8 doesn't appear in the
> inputs/outputs list). From looking at the x86 version (agh, inline asm is
> hard to parse), it does modify the return value based on whether the
> comparison was a success or not, and the return value is certainly used by
> the callers.
And indeed, pinning that variable to that register (why not "prev"
instead?) looks suspicious.
Anyway, here's the potentially problematic patch hunk. Ideas?
> --- a/arch/ia64/include/asm/futex.h
> +++ b/arch/ia64/include/asm/futex.h
> @@ -100,23 +100,26 @@ futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
> }
>
> static inline int
> -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
> +futex_atomic_cmpxchg_inatomic(int *uval, int __user *uaddr,
> + int oldval, int newval)
> {
> if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
> return -EFAULT;
>
> {
> - register unsigned long r8 __asm ("r8");
> + register unsigned long r8 __asm ("r8") = 0;
> + unsigned long prev;
> __asm__ __volatile__(
> " mf;; \n"
> " mov ar.ccv=%3;; \n"
> "[1:] cmpxchg4.acq %0=[%1],%2,ar.ccv \n"
> " .xdata4 \"__ex_table\", 1b-., 2f-. \n"
> "[2:]"
> - : "=r" (r8)
> + : "=r" (prev)
> : "r" (uaddr), "r" (newval),
> "rO" ((long) (unsigned) oldval)
> : "memory");
> + *uval = prev;
> return r8;
> }
> }
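Review bot: the fault path has no route to the value this function returns. `r8` is pinned to the register and initialised to 0, but after this change it is no longer an asm operand (the only output is `"=r" (prev)`), so whatever the `__ex_table` fixup at label 1 writes into r8 happens behind GCC's back and `return r8` may legitimately be compiled as `return 0` on every path, fault included. Make the register a read/write operand so the compiler knows the asm can change it, e.g. `: "+r" (r8), "=&r" (prev)` (renumbering `%3`/`%4` in the template to match, and with the early clobber on `prev` because `cmpxchg4.acq` writes it while the inputs are still live). A second, smaller point: on the fault path the asm never writes `prev`, so `*uval = prev;` stores an indeterminate value; that is tolerable only if every caller checks the return code first, which is exactly what the lost r8 defeats.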
Jonathan
[1] https://bugzilla.kernel.org/show_bug.cgi?id=42757
[2] http://thread.gmane.org/gmane.linux.debian.ports.ia64/3121/focus=3123
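The contract the patch is moving to, and what the r8 defect does to a caller, in a portable user-space model. This is an added example, not code from the thread or from the kernel: the GCC builtin `__atomic_compare_exchange_n` stands in for `cmpxchg4.acq`, the constructed `user_addr_ok()` check over `fake_user_mem` stands in for `access_ok()` plus the `__ex_table` fixup, and `try_lock()` is an assumed caller shape, not the futex core's code. `model_cmpxchg_inatomic_r8bug()` reproduces only the control flow of the hunk (status variable never written on the fault path, `prev` output left unwritten), not the ia64 asm itself.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the user mapping: only these four ints are
 * "accessible"; any other address is treated as faulting. */
static int fake_user_mem[4];
static int unmapped_word;          /* a real object we declare off-limits */

static bool user_addr_ok(const int *uaddr)
{
	uintptr_t a = (uintptr_t)uaddr;
	uintptr_t lo = (uintptr_t)fake_user_mem;
	uintptr_t hi = (uintptr_t)(fake_user_mem + 4);
	return a >= lo && a + sizeof(int) <= hi;
}

/* The contract the patch introduces: 0 on success with the observed value
 * in *uval, -EFAULT if the address faults (then *uval carries nothing). */
static int model_cmpxchg_inatomic(int *uval, int *uaddr, int oldval, int newval)
{
	if (!user_addr_ok(uaddr))
		return -EFAULT;          /* stands in for the __ex_table fixup */
	int expected = oldval;
	/* on failure the builtin stores the value actually seen into 'expected' */
	__atomic_compare_exchange_n(uaddr, &expected, newval, false,
				    __ATOMIC_ACQUIRE, __ATOMIC_ACQUIRE);
	*uval = expected;
	return 0;
}

/* Models the hunk's defect (constructed model, not kernel code): the status
 * lives in a variable the asm never names as an output, so the compiler is
 * entitled to treat it as the constant 0, and a fault leaves the 'prev'
 * output unwritten, modelled here by not touching *uval on the fault path. */
static int model_cmpxchg_inatomic_r8bug(int *uval, int *uaddr, int oldval, int newval)
{
	int r8 = 0;                  /* "register unsigned long r8 = 0" */
	if (user_addr_ok(uaddr)) {
		int expected = oldval;
		__atomic_compare_exchange_n(uaddr, &expected, newval, false,
					    __ATOMIC_ACQUIRE, __ATOMIC_ACQUIRE);
		*uval = expected;
	}
	return r8;                   /* 0 whether or not the access faulted */
}

enum lock_result { LOCK_ACQUIRED, LOCK_CONTENDED, LOCK_FAULT };

typedef int (*cmpxchg_fn)(int *, int *, int, int);

/* Assumed caller shape: check the status first, then interpret the value.
 * 'curval' starts with a deliberate garbage value to stand for an
 * uninitialised stack slot that a skipped 'prev' store would leave behind. */
static enum lock_result try_lock(cmpxchg_fn cmpxchg, int *uaddr, int tid)
{
	int curval = -1;
	if (cmpxchg(&curval, uaddr, 0, tid))
		return LOCK_FAULT;
	return curval == 0 ? LOCK_ACQUIRED : LOCK_CONTENDED;
}

int main(void)
{
	fake_user_mem[0] = 0;
	printf("valid, free word:  %d (0 = acquired)\n",
	       try_lock(model_cmpxchg_inatomic, &fake_user_mem[0], 7));
	printf("valid, held word:  %d (1 = contended)\n",
	       try_lock(model_cmpxchg_inatomic, &fake_user_mem[0], 8));
	printf("unmapped, fixed:   %d (2 = fault)\n",
	       try_lock(model_cmpxchg_inatomic, &unmapped_word, 7));
	printf("unmapped, r8 bug:  %d (fault reported as an ordinary result)\n",
	       try_lock(model_cmpxchg_inatomic_r8bug, &unmapped_word, 7));
	return 0;
}
```

The last line of output is the regression in miniature: with the status invisible to the compiler, a faulting access is indistinguishable from a normal compare-and-exchange, and the caller goes on to interpret a value that was never read from user memory.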
Thread overview: 42+ messages
2011-03-07 2:11 [PATCH] futex: cmpxchg_futex_value_locked API change Michel Lespinasse
2011-03-07 8:54 ` Martin Schwidefsky
2011-03-07 14:25 ` Chris Metcalf
2011-03-07 21:58 ` Luck, Tony
2011-03-08 20:17 ` Thomas Gleixner
2011-03-09 11:25 ` Michel Lespinasse
2011-03-09 15:04 ` Thomas Gleixner
2011-03-09 15:08 ` Martin Schwidefsky
2011-03-09 22:17 ` Michel Lespinasse
2011-03-09 17:50 ` Darren Hart
2011-03-10 18:55 ` Thomas Gleixner
2011-03-11 2:16 ` Michel Lespinasse
2011-03-11 2:47 ` [PATCH 1/3] futex: do not pagefault_disable in futex_atomic_cmpxchg_inatomic() Michel Lespinasse
2011-03-11 11:31 ` [tip:core/futexes] futex: Remove redundant " tip-bot for Michel Lespinasse
2011-03-13 22:49 ` [PATCH 1/3] futex: do not " Linus Torvalds
2011-03-14 0:55 ` Darren Hart
2011-03-14 1:15 ` Darren Hart
2011-03-14 9:13 ` Peter Zijlstra
2011-03-14 9:13 ` Thomas Gleixner
2011-03-14 13:56 ` Thomas Gleixner
2011-03-14 20:07 ` Darren Hart
2011-03-14 20:15 ` [tip:core/futexes] futex: Deobfuscate handle_futex_death() tip-bot for Thomas Gleixner
2011-03-14 20:16 ` [tip:core/futexes] arm: Remove bogus comment in futex_atomic_cmpxchg_inatomic() tip-bot for Thomas Gleixner
2011-03-14 9:15 ` [PATCH 1/3] futex: do not pagefault_disable " Michel Lespinasse
2011-03-11 2:48 ` [PATCH 2/3] futex: cmpxchg_futex_value_locked API change Michel Lespinasse
2011-03-11 11:31 ` [tip:core/futexes] futex: Sanitize cmpxchg_futex_value_locked API tip-bot for Michel Lespinasse
2012-03-05 0:01 ` [regression] Re: [PATCH 2/3] " Jonathan Nieder [this message]
2012-03-05 23:21 ` Luck, Tony
2012-03-05 23:42 ` Jonathan Nieder
2012-03-08 20:59 ` Émeric Maschino
2012-03-08 21:12 ` Émeric Maschino
2012-04-15 21:35 ` Émeric Maschino
2011-03-11 2:50 ` [PATCH 3/3] futex: fix futex operation types Michel Lespinasse
2011-03-11 11:32 ` [tip:core/futexes] futex: Sanitize futex ops argument types tip-bot for Michel Lespinasse
2011-03-09 11:08 ` [PATCH] futex: cmpxchg_futex_value_locked API change Michal Simek
2011-03-09 12:41 ` David Howells