Re: [PATCH] trace: further security fixes: add compiler memory barriers

["Jan Beulich" <JBeulich@novell.com>]

>>> On 05.07.10 at 10:06, Keir Fraser <keir.fraser@eu.citrix.com> wrote:
> I think I already applied this patch.

Indeed - I forgot to check the staging tree before sending, and
assumed you would be waiting for George's ack.

Jan

> On 05/07/2010 09:01, "Jan Beulich" <JBeulich@novell.com> wrote:
> 
>> This is to ensure fields shared writably with Dom0 get read only once
>> for any consistency checking followed by actual calculations.
>> 
>> I realized there was another multiple-read issue, a fix for which is
>> also included (which at once simplifies __insert_record()).
>> 
>> Signed-off-by: Jan Beulich <jbeulich@novell.com>
>> 
>> --- a/xen/common/trace.c 2010-07-01 10:05:54.000000000 +0200
>> +++ b/xen/common/trace.c 2010-07-01 14:01:47.000000000 +0200
>> @@ -437,11 +437,13 @@ static inline bool_t bogus(u32 prod, u32
>>  static inline u32 calc_unconsumed_bytes(const struct t_buf *buf)
>>  {
>>      u32 prod = buf->prod, cons = buf->cons;
>> -    s32 x = prod - cons;
>> +    s32 x;
>>  
>> +    barrier(); /* must read buf->prod and buf->cons only once */
>>      if ( bogus(prod, cons) )
>>          return data_size;
>>  
>> +    x = prod - cons;
>>      if ( x < 0 )
>>          x += 2*data_size;
>>  
>> @@ -453,12 +455,14 @@ static inline u32 calc_unconsumed_bytes(
>>  
>>  static inline u32 calc_bytes_to_wrap(const struct t_buf *buf)
>>  {
>> -    u32 prod = buf->prod;
>> -    s32 x = data_size - prod;
>> +    u32 prod = buf->prod, cons = buf->cons;
>> +    s32 x;
>>  
>> -    if ( bogus(prod, buf->cons) )
>> +    barrier(); /* must read buf->prod and buf->cons only once */
>> +    if ( bogus(prod, cons) )
>>          return 0;
>>  
>> +    x = data_size - prod;
>>      if ( x <= 0 )
>>          x += data_size;
>>  
>> @@ -473,11 +477,14 @@ static inline u32 calc_bytes_avail(const
>>      return data_size - calc_unconsumed_bytes(buf);
>>  }
>>  
>> -static inline struct t_rec *next_record(const struct t_buf *buf)
>> +static inline struct t_rec *next_record(const struct t_buf *buf,
>> +                                        uint32_t *next)
>>  {
>> -    u32 x = buf->prod;
>> +    u32 x = buf->prod, cons = buf->cons;
>>  
>> -    if ( !tb_init_done || bogus(x, buf->cons) )
>> +    barrier(); /* must read buf->prod and buf->cons only once */
>> +    *next = x;
>> +    if ( !tb_init_done || bogus(x, cons) )
>>          return NULL;
>>  
>>      if ( x >= data_size )
>> @@ -504,23 +511,21 @@ static inline void __insert_record(volat
>>      BUG_ON(local_rec_size != rec_size);
>>      BUG_ON(extra & 3);
>>  
>> +    rec = next_record(buf, &next);
>> +    if ( !rec )
>> +        return;
>>      /* Double-check once more that we have enough space.
>>       * Don't bugcheck here, in case the userland tool is doing
>>       * something stupid. */
>> -    next = calc_bytes_avail(buf);
>> -    if ( next < rec_size )
>> +    if ( (unsigned char *)rec + rec_size > this_cpu(t_data) + data_size )
>>      {
>>          if ( printk_ratelimit() )
>>              printk(XENLOG_WARNING
>> -                   "%s: avail=%u (size=%08x prod=%08x cons=%08x) rec=%u\n",
>> -                   __func__, next, data_size, buf->prod, buf->cons,
>> rec_size);
>> +                   "%s: size=%08x prod=%08x cons=%08x rec=%u\n",
>> +                   __func__, data_size, next, buf->cons, rec_size);
>>          return;
>>      }
>> -    rmb();
>>  
>> -    rec = next_record(buf);
>> -    if ( !rec )
>> -        return;
>>      rec->event = event;
>>      rec->extra_u32 = extra_word;
>>      dst = (unsigned char *)rec->u.nocycles.extra_u32;
>> @@ -537,9 +542,6 @@ static inline void __insert_record(volat
>>  
>>      wmb();
>>  
>> -    next = buf->prod;
>> -    if ( bogus(next, buf->cons) )
>> -        return;
>>      next += rec_size;
>>      if ( next >= 2*data_size )
>>          next -= 2*data_size;
>> 
>> 
>>