Re: READ_ONCE() + STACKPROTECTOR_STRONG == :/ (was Re: [GIT PULL] Please pull powerpc/linux.git powerpc-5.5-2 tag (topic/kasan-bitops))
From: Arnd Bergmann <arnd@arndb.de>
Date: 2019-12-13 20:37:13
Also in:
linux-arch, lkml
Subsystem:
sparse checker, the rest, xen hypervisor interface · Maintainers:
Chris Li, Linus Torvalds, Juergen Gross, Stefano Stabellini
On Thu, Dec 12, 2019 at 9:50 PM Linus Torvalds [off-list ref] wrote:
On Thu, Dec 12, 2019 at 11:34 AM Will Deacon [off-list ref] wrote:quoted
The root of my concern in all of this, and what started me looking at it in the first place, is the interaction with 'typeof()'. Inheriting 'volatile' for a pointer means that local variables in macros declared using typeof() suddenly start generating *hideous* code, particularly when pointless stack spills get stackprotector all excited.Yeah, removing volatile can be a bit annoying. For the particular case of the bitops, though, it's not an issue. Since you know the type there, you can just cast it. And if we had the rule that READ_ONCE() was an arithmetic type, you could do typeof(0+(*p)) __var; since you might as well get the integer promotion anyway (on the non-volatile result). But that doesn't work with structures or unions, of course. I'm not entirely sure we have READ_ONCE() with a struct. I do know we have it with 64-bit entities on 32-bit machines, but that's ok with the "0+" trick.
I'll have my randconfig builder look for instances, so far I found one,
see below. My feeling is that it would be better to enforce at least
the size being a 1/2/4/8, to avoid cases where someone thinks
the access is atomic, but it falls back on a memcpy.
Arnd
diff --git a/drivers/xen/time.c b/drivers/xen/time.c
index 0968859c29d0..adb492c0aa34 100644
--- a/drivers/xen/time.c
+++ b/drivers/xen/time.c@@ -64,7 +64,7 @@ static void xen_get_runstate_snapshot_cpu_delta( do { state_time = get64(&state->state_entry_time); rmb(); /* Hypervisor might update data. */ - *res = READ_ONCE(*state); + memcpy(res, state, sizeof(*res)); rmb(); /* Hypervisor might update data. */ } while (get64(&state->state_entry_time) != state_time || (state_time & XEN_RUNSTATE_UPDATE));
diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 5e88e7e33abe..f4ae360efdba 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h@@ -179,6 +179,8 @@ void ftrace_likely_update(structftrace_likely_data *f, int val,
#include <uapi/linux/types.h>
+extern void __broken_access_once(void *, const void *, unsigned long);
+
#define __READ_ONCE_SIZE \
({ \
switch (size) { \@@ -187,9 +189,7 @@ void ftrace_likely_update(structftrace_likely_data *f, int val,
case 4: *(__u32 *)res = *(volatile __u32 *)p; break; \
case 8: *(__u64 *)res = *(volatile __u64 *)p; break; \
default: \
- barrier(); \
- __builtin_memcpy((void *)res, (const void *)p, size); \
- barrier(); \
+ __broken_access_once((void *)res, (const void *)p,
size); \
} \
})
@@ -225,9 +225,7 @@ static __always_inline void__write_once_size(volatile void *p, void *res, int s
case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
default:
- barrier();
- __builtin_memcpy((void *)p, (const void *)res, size);
- barrier();
+ __broken_access_once((void *)p, (const void *)res, size);
}
}