Re: ptep_establish/establish_pte needs set_pte_atomic and all set_pte must be written in asm

[Andrea Arcangeli]

On Sun, Sep 26, 2004 at 10:59:43AM +1000, Benjamin Herrenschmidt wrote:
> On Sun, 2004-09-26 at 10:46, Andrea Arcangeli wrote:
> 
> > As far as the C language is concerned that *ptep = something can be
> > implemented with 8 writes of 1 byte each (or alternatively with an
> > assembler instruction that may make the written data visible not
> > atomically to other cpus, despite it was written with a single opcode,
> > similarly to what happens if you use incl without the lock prefix). I'm
> > not saying such instruction exists in ppc64, but the compiler is
> > definitely allowed to break the above. You can blame on the compiler to
> > be inefficient, but you can't blame on the compiler for the security
> > hazard it would generate. Only the kernel would be to blame if for
> > whatever reason a gcc version would be underoptimized.
> 
> BTW, for your reading pleasure :)
> 
> #define atomic_set(v,i)		(((v)->counter) = (i))
> 
> (asm-i386/atomic.h)

and then check this:

typedef struct { volatile int counter; } atomic_t;
		 ^^^^^^^^

if the pte was at least volatile it would be a lot safer. C knows it
must not mess with volatile.

> And that's really far from beeing the 2 only cases where the kernel _relies_
> on a write of a simple type like int or long to an aligned location to be
> atomic. Almost all drivers manipulating DMA descriptors do that, jiffies
> is a good example too afaik, and more and more and more ... so if the

jiffies, writel/readl all volatile incidentally.

> compiler is breaking that up, I think the set_pte race is the least of
> our problems :)

the only one not volatile, or can you find more?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/