* Re: rcar-dmac.c: race condition regarding cookie handling? [not found] ` <CAMuHMdW=igXesjxvNk=+in62neW=kipnFW2BUH3P7sfDnqXzEQ@mail.gmail.com> @ 2024-01-29 17:38 ` Kees Cook 2024-01-29 19:08 ` Geert Uytterhoeven 0 siblings, 1 reply; 3+ messages in thread From: Kees Cook @ 2024-01-29 17:38 UTC (permalink / raw) To: Geert Uytterhoeven Cc: Behme Dirk (CM/ESO2), Linux-Renesas, Yoshihiro Shimoda, linux-hardening On Mon, Jan 29, 2024 at 10:57:40AM +0100, Geert Uytterhoeven wrote: > Hi Dirk, > > CC Kees (for the wrap-around in dma_cookie_assign() not handled in [A]) > [...] > Was the system running for a very long time? > dma_cookie_assign() relies on 2-complement signed wrap-around: > > cookie = chan->cookie + 1; > if (cookie < DMA_MIN_COOKIE) > cookie = DMA_MIN_COOKIE; > > but given the kernel is compiled with -fno-strict-overflow (which > implies -fwrapv) that should work. For my own reference: typedef s32 dma_cookie_t; #define DMA_MIN_COOKIE 1 struct dma_chan { ... dma_cookie_t cookie; Correct, as you say, with -fno-strict-overflow this is well defined, and will wrap the value around negative if chan->cookie was S32_MAX. In the future, when the signed integer wrap-around sanitizer works again, we'll want to change the math to something like: cookie = add_wrap(typeof(cookie), chan->cookie, 1); But that will be an ongoing conversion once folks have agreed on the semantics of the wrapping helpers, which is not settled yet. If you want to handle this today without depending on wrap-around, it's a little bit more involved to do it open coded, but it's possible: if (chan->cookie == type_max(typeof(chan->cookie))) cookie = DMA_MIN_COOKIE; else cookie = chan->cookie + 1; the "type_max(...)" part could also just be written as S32_MAX. -Kees -- Kees Cook ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: rcar-dmac.c: race condition regarding cookie handling? 2024-01-29 17:38 ` rcar-dmac.c: race condition regarding cookie handling? Kees Cook @ 2024-01-29 19:08 ` Geert Uytterhoeven 2024-01-29 19:28 ` Kees Cook 0 siblings, 1 reply; 3+ messages in thread From: Geert Uytterhoeven @ 2024-01-29 19:08 UTC (permalink / raw) To: Kees Cook Cc: Behme Dirk (CM/ESO2), Linux-Renesas, Yoshihiro Shimoda, linux-hardening Hi Kees, On Mon, Jan 29, 2024 at 6:38 PM Kees Cook <keescook@chromium.org> wrote> > On Mon, Jan 29, 2024 at 10:57:40AM +0100, Geert Uytterhoeven wrote: > > CC Kees (for the wrap-around in dma_cookie_assign() not handled in [A]) > > [...] > > Was the system running for a very long time? > > dma_cookie_assign() relies on 2-complement signed wrap-around: > > > > cookie = chan->cookie + 1; > > if (cookie < DMA_MIN_COOKIE) > > cookie = DMA_MIN_COOKIE; > > > > but given the kernel is compiled with -fno-strict-overflow (which > > implies -fwrapv) that should work. > > For my own reference: > > typedef s32 dma_cookie_t; > #define DMA_MIN_COOKIE 1 > > struct dma_chan { > ... > dma_cookie_t cookie; > > Correct, as you say, with -fno-strict-overflow this is well defined, and > will wrap the value around negative if chan->cookie was S32_MAX. > > In the future, when the signed integer wrap-around sanitizer works > again, we'll want to change the math to something like: > > cookie = add_wrap(typeof(cookie), chan->cookie, 1); > > But that will be an ongoing conversion once folks have agreed on the > semantics of the wrapping helpers, which is not settled yet. > > If you want to handle this today without depending on wrap-around, > it's a little bit more involved to do it open coded, but it's possible: > > if (chan->cookie == type_max(typeof(chan->cookie))) > cookie = DMA_MIN_COOKIE; > else > cookie = chan->cookie + 1; > > the "type_max(...)" part could also just be written as S32_MAX. It's actually more complicated: this code is also used to make sure any other values outside the valid range (e.g. initial zero are converted to DMA_MIN_COOKIE. So the above would not be correct replacements for the current logic. DMA cookies can also contain negative error values, hence the signed type. However, I don't think that can be the case for the chan->cookie counter, only for cookies stored in descriptors. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: rcar-dmac.c: race condition regarding cookie handling? 2024-01-29 19:08 ` Geert Uytterhoeven @ 2024-01-29 19:28 ` Kees Cook 0 siblings, 0 replies; 3+ messages in thread From: Kees Cook @ 2024-01-29 19:28 UTC (permalink / raw) To: Geert Uytterhoeven Cc: Behme Dirk (CM/ESO2), Linux-Renesas, Yoshihiro Shimoda, linux-hardening On Mon, Jan 29, 2024 at 08:08:28PM +0100, Geert Uytterhoeven wrote: > Hi Kees, > > On Mon, Jan 29, 2024 at 6:38 PM Kees Cook <keescook@chromium.org> wrote> > > On Mon, Jan 29, 2024 at 10:57:40AM +0100, Geert Uytterhoeven wrote: > > > CC Kees (for the wrap-around in dma_cookie_assign() not handled in [A]) > > > [...] > > > Was the system running for a very long time? > > > dma_cookie_assign() relies on 2-complement signed wrap-around: > > > > > > cookie = chan->cookie + 1; > > > if (cookie < DMA_MIN_COOKIE) > > > cookie = DMA_MIN_COOKIE; > > > > > > but given the kernel is compiled with -fno-strict-overflow (which > > > implies -fwrapv) that should work. > > > > For my own reference: > > > > typedef s32 dma_cookie_t; > > #define DMA_MIN_COOKIE 1 > > > > struct dma_chan { > > ... > > dma_cookie_t cookie; > > > > Correct, as you say, with -fno-strict-overflow this is well defined, and > > will wrap the value around negative if chan->cookie was S32_MAX. > > > > In the future, when the signed integer wrap-around sanitizer works > > again, we'll want to change the math to something like: > > > > cookie = add_wrap(typeof(cookie), chan->cookie, 1); > > > > But that will be an ongoing conversion once folks have agreed on the > > semantics of the wrapping helpers, which is not settled yet. > > > > If you want to handle this today without depending on wrap-around, > > it's a little bit more involved to do it open coded, but it's possible: > > > > if (chan->cookie == type_max(typeof(chan->cookie))) > > cookie = DMA_MIN_COOKIE; > > else > > cookie = chan->cookie + 1; > > > > the "type_max(...)" part could also just be written as S32_MAX. > > It's actually more complicated: this code is also used to make sure > any other values outside the valid range (e.g. initial zero are > converted to DMA_MIN_COOKIE. So the above would not be correct > replacements for the current logic. > > DMA cookies can also contain negative error values, hence the signed > type. However, I don't think that can be the case for the chan->cookie > counter, only for cookies stored in descriptors. Ah! Okay, well, if it was true here too, then the "if" would just need to be expanded: if (chan->cookie < DMA_MIN_COOKIE || chan->cookie == type_max(typeof(chan->cookie))) cookie = DMA_MIN_COOKIE; else cookie = chan->cookie + 1; -- Kees Cook ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-01-29 19:28 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <12ff20eb-d4b5-41f4-a494-cfb6b7abe617@de.bosch.com>
[not found] ` <CAMuHMdW=igXesjxvNk=+in62neW=kipnFW2BUH3P7sfDnqXzEQ@mail.gmail.com>
2024-01-29 17:38 ` rcar-dmac.c: race condition regarding cookie handling? Kees Cook
2024-01-29 19:08 ` Geert Uytterhoeven
2024-01-29 19:28 ` Kees Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox