All of
 help / color / mirror / Atom feed
From: Steven Rostedt <>
To: LKML <>
Cc: Linus Torvalds <>,
	Peter Zijlstra <>,
	Kees Cook <>,
	Andrew Morton <>,
	"Tobin C. Harding" <>
Subject: [PATCH] vsprintf: Fix memory barriers of ptr_key to have_filed_random_ptr_key
Date: Tue, 15 May 2018 10:05:58 -0400	[thread overview]
Message-ID: <20180515100558.21df515e@gandalf.local.home> (raw)

From: Steven Rostedt (VMware) <>

Reviewing Tobin's patches for getting pointers out early before
entropy has been established, I noticed that there's a lone smp_mb() in
the code. As with most lone memory barriers, this one appears to be
incorrectly used.

We currently basically have this:

	get_random_bytes(&ptr_key, sizeof(ptr_key));
	 * have_filled_random_ptr_key==true is dependent on get_random_bytes().
	 * ptr_to_id() needs to see have_filled_random_ptr_key==true
	 * after get_random_bytes() returns.
	WRITE_ONCE(have_filled_random_ptr_key, true);

And later we have:

	if (unlikely(!have_filled_random_ptr_key))
		return string(buf, end, "(ptrval)", spec);

/* Missing memory barrier here. */

	hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key);

As the CPU can perform speculative loads, we could have a situation
with the following:

	CPU0				CPU1
	----				----
				   load ptr_key = 0
   store ptr_key = random
   store have_filled_random_ptr_key

				   load have_filled_random_ptr_key = true

				    BAD BAD BAD!

Because nothing prevents CPU1 from loading ptr_key before loading

Note, I also do not see the reason to use smp_mb() instead of smp_wmb()
since we are only worried about the store of ptr_key with respect to
the store of have_filled_random_ptr_key.

Fixes: ad67b74d2469d ("printk: hash addresses printed with %p")
Signed-off-by: Steven Rostedt (VMware) <>
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 30c0cb8cc9bc..e8a0b8e54bd3 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -1680,7 +1680,7 @@ static void fill_random_ptr_key(struct random_ready_callback *unused)
 	 * ptr_to_id() needs to see have_filled_random_ptr_key==true
 	 * after get_random_bytes() returns.
-	smp_mb();
+	smp_wmb();
 	WRITE_ONCE(have_filled_random_ptr_key, true);
@@ -1715,6 +1715,9 @@ static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec)
 		return string(buf, end, "(ptrval)", spec);
+	/* Read ptr_key after reading have_filled_random_ptr_key */
+	smp_rmb();
 #ifdef CONFIG_64BIT
 	hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key);

             reply	other threads:[~2018-05-15 14:06 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-15 14:05 Steven Rostedt [this message]
2018-05-15 16:55 ` [PATCH] vsprintf: Fix memory barriers of ptr_key to have_filed_random_ptr_key Linus Torvalds
2018-05-15 18:57   ` Steven Rostedt
2018-05-15 19:03     ` Linus Torvalds
2018-05-15 20:10       ` Steven Rostedt
2018-05-15 22:31         ` Linus Torvalds
2018-05-15 22:41           ` Steven Rostedt
2018-05-15 23:00             ` Steven Rostedt
2018-05-15 23:10               ` Linus Torvalds
2018-05-23 10:40     ` Pavel Machek
2018-05-24 18:44       ` Steven Rostedt

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180515100558.21df515e@gandalf.local.home \ \ \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.