From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will.deacon@arm.com>,
linux-kernel@vger.kernel.org, mingo@kernel.org,
dhowells@redhat.com, stern@rowland.harvard.edu
Subject: Re: [PATCH locking/Documentation 1/2] Add note of release-acquire store vulnerability
Date: Thu, 29 Sep 2016 12:18:58 -0700 [thread overview]
Message-ID: <20160929191858.GD14933@linux.vnet.ibm.com> (raw)
In-Reply-To: <20160929184439.GD5016@twins.programming.kicks-ass.net>
On Thu, Sep 29, 2016 at 08:44:39PM +0200, Peter Zijlstra wrote:
> On Thu, Sep 29, 2016 at 11:10:15AM -0700, Paul E. McKenney wrote:
> > > >
> > > > P0(int *x, int *y)
> > > > {
> > > > WRITE_ONCE(*x, 1);
> > > > smp_wmb();
> > > > smp_store_release(y, 1);
> > > > }
> > > >
> > > > P1(int *y)
> > > > {
> > > > WRITE_ONCE(*y, 2);
> > > > }
> > > >
> > > > P2(int *x, int *y)
> > > > {
> > > > r1 = smp_load_acquire(y);
> > > > r2 = READ_ONCE(*x);
> > > > }
> > > >
> > > > Both ARM and powerpc allow the "after the dust settles" outcome (r1=2 &&
> > > > r2=0), as does the current version of the early prototype Linux-kernel
> > >
> > > And the above needs to be (r1!=2 || r2 != 0)... Sigh!
> >
> > Make that (y==2 && r1==2 && r2 == 0).
> >
> > Any further bids? ;-)
>
> Isn't that the trivial P1,P2,P0 order again?
I don't believe so. Wouldn't the final P0 would leave y==1?
> How about something like so on PPC?
>
> P0(int *x, int *y)
> {
> WRITE_ONCE(*x, 1);
> smp_store_release(y, 1);
> }
>
> P1(int *x, int *y)
> {
> WRITE_ONCE(x, 2);
Need "WRITE_ONCE(*x, 2)" here.
> smp_store_release(y, 2);
> }
>
> P2(int *x, int *y)
> {
> r1 = smp_load_acquire(y);
> r2 = READ_ONCE(*x);
> }
>
> (((x==1 && y==2) | (x==2 && y==1)) && (r1==1 || r1==2) && r2==0)
That exists-clause is quite dazzling... So if each of P0 and P1
win, but on different stores, and if P2 follows one or the other
of P0 or P1, can r2 get the pre-initialization value for x?
> If you execute P0 and P1 concurrently and one store of each 'wins' the
> LWSYNC of either is null and void, and therefore P2 is unordered and can
> observe r2==0.
That vaguely resembles the infamous Z6.3, but only vaguely. The Linux-kernel
memory model says "forbidden" to this:
C C-WillDeacon-AcqRelStore.litmus
{
}
P0(int *x, int *y)
{
WRITE_ONCE(*x, 1);
smp_store_release(y, 1);
}
P1(int *x, int *y)
{
WRITE_ONCE(*x, 2);
smp_store_release(y, 2);
}
P2(int *x, int *y)
{
r1 = smp_load_acquire(y);
r2 = READ_ONCE(*x);
}
exists
(((x=1 /\ y=2) \/ (x=2 /\ y=1)) /\ (2:r1=1 \/ 2:r1=2) /\ 2:r2=0)
So let's try PPCMEM. If PPCMEM allows it, then the kernel model is
clearly broken.
PPC PeterZijlstra+o-r+o-r+a-o-SB.litmus
{
0:r1=1; 0:r2=2; 0:r3=x; 0:r4=y;
1:r1=1; 1:r2=2; 1:r3=x; 1:r4=y;
2:r3=x; 2:r4=y;
}
P0 | P1 | P2 ;
stw r1,0(r3) | stw r2,0(r3) | lwz r1,0(r4) ;
lwsync | lwsync | lwsync ;
stw r1,0(r4) | stw r2,0(r4) | lwz r2,0(r3) ;
exists
(((x=1 /\ y=2) \/ (x=2 /\ y=1)) /\ (2:r1=1 \/ 2:r1=2) /\ 2:r2=0)
Now herd says that this is forbidden, but let's ask ppcmem. Futzing with
the web site seems to say "no". The lwsyncs insist on propagating the
change to x to P2 before the change to y. The full-state-space search
tool might take awhile, so will get you know if it disagrees. Just in
case I missed some odd combination of ppcmem events.
But at the moment, my guess is that your dazzling condition cannot
happen on PowerPC, and that at least this aspect of the current draft
of the kernel memory model is in fact correct.
Or did I incorrectly translate your litmus test?
Thanx, Paul
next prev parent reply other threads:[~2016-09-29 19:19 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-29 15:54 [PATCH locking/Documentation 1/2] Add note of release-acquire store vulnerability Paul E. McKenney
2016-09-29 15:58 ` Peter Zijlstra
2016-09-29 16:03 ` Will Deacon
2016-09-29 16:17 ` Peter Zijlstra
2016-09-29 16:44 ` Paul E. McKenney
2016-09-29 16:43 ` Paul E. McKenney
2016-09-29 17:10 ` Will Deacon
2016-09-29 17:23 ` Paul E. McKenney
2016-09-29 18:04 ` Paul E. McKenney
2016-09-29 18:10 ` Paul E. McKenney
2016-09-29 18:44 ` Peter Zijlstra
2016-09-29 19:18 ` Paul E. McKenney [this message]
2016-09-29 19:36 ` Alan Stern
2016-09-29 20:26 ` Paul E. McKenney
2016-09-30 8:53 ` Peter Zijlstra
2016-09-30 9:00 ` Peter Zijlstra
2016-09-30 9:57 ` Peter Zijlstra
2016-09-30 12:14 ` Paul E. McKenney
2016-09-30 12:51 ` Peter Zijlstra
2016-09-30 13:35 ` Paul E. McKenney
2016-09-30 5:53 ` Boqun Feng
2016-09-30 9:20 ` Will Deacon
2016-09-30 11:35 ` Paul E. McKenney
2016-09-30 10:25 ` Peter Zijlstra
2016-09-30 12:17 ` Paul E. McKenney
2016-09-30 12:45 ` Peter Zijlstra
2016-09-30 13:10 ` Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160929191858.GD14933@linux.vnet.ibm.com \
--to=paulmck@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=stern@rowland.harvard.edu \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox