Provide protection against starvation of the ll/sc loops when accessing userspace.

Casueword(9) on ll/sc architectures must be prepared for userspace
constantly modifying the same cache line that contains the CAS word,
and not loop infinitely. Otherwise, rogue userspace livelocks the
kernel.

To fix the issue, change the casueword(9) interface to return a new value 1
indicating that either the comparison or the store failed, instead of relying
on the oldval == *oldvalp comparison. The primitive no longer retries
the operation if it failed spuriously. Modify the callers of
casueword(9), all in kern_umtx.c, to handle retries, and to react to
stops and requests to terminate between retries.

On x86, although cmpxchg should not return spurious failures, we can
take advantage of the new interface and just return PSL.ZF.

Reviewed by: andrew (arm64, previous version), markj
Tested by: pho
Reported by: https://xenbits.xen.org/xsa/advisory-295.txt
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D20772
2019-07-12 18:43:24 +00:00
.\" Copyright (c) 2014, 2019 The FreeBSD Foundation
.\" All rights reserved.
.\"
.\" Part of this documentation was written by
.\" Konstantin Belousov <kib@FreeBSD.org> under sponsorship
.\" from the FreeBSD Foundation.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 19, 2019
.Dt CASU 9
.Os
.Sh NAME
.Nm casueword ,
.Nm casueword32 ,
.Nm casuword ,
.Nm casuword32
.Nd fetch, compare and store data from user-space
.Sh SYNOPSIS
.In sys/types.h
.In sys/systm.h
.Ft int
.Fo casueword
.Fa "volatile u_long *base"
.Fa "u_long oldval"
.Fa "u_long *oldvalp"
.Fa "u_long newval"
.Fc
.Ft int
.Fo casueword32
.Fa "volatile uint32_t *base"
.Fa "uint32_t oldval"
.Fa "uint32_t *oldvalp"
.Fa "uint32_t newval"
.Fc
.Ft u_long
.Fo casuword
.Fa "volatile u_long *base"
.Fa "u_long oldval"
.Fa "u_long newval"
.Fc
.Ft uint32_t
.Fo casuword32
.Fa "volatile uint32_t *base"
.Fa "uint32_t oldval"
.Fa "uint32_t newval"
.Fc
.Sh DESCRIPTION
The
.Nm
functions perform an atomic compare-and-swap operation on a value in
the user-mode memory of the current process.
.Pp
The
.Nm
routines read the value from user memory at address
.Fa base ,
and compare the value read with
.Fa oldval .
If the values are equal,
.Fa newval
is written to
.Fa *base .
In case of
.Fn casueword32
and
.Fn casueword ,
the value read is stored into the (kernel-mode) variable pointed to by
.Fa oldvalp .
The userspace value must be naturally aligned.
.Pp
The callers of
.Fn casuword
and
.Fn casuword32
cannot distinguish between -1 read from userspace and function failure;
use
.Fn casueword
or
.Fn casueword32
where that distinction matters.
.Sh RETURN VALUES
The
.Fn casuword
and
.Fn casuword32
functions return the data fetched or -1 on failure.
The
.Fn casueword
and
.Fn casueword32
functions return 0 on success, -1 on failure to access memory,
and 1 when the comparison or the store failed.
The store can fail on load-linked/store-conditional architectures,
where another thread writing the cache line that holds the word is
enough to make the store-conditional fail even though the comparison
succeeded; in that case
.Fa *oldvalp
is equal to
.Fa oldval .
Callers that retry after a return of 1 must not loop without bound:
userspace can keep the store failing indefinitely, so the retry loop
must check for pending stop and termination requests between attempts.
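.Sh EXAMPLES
The following is an added, self-contained userspace model of the
.Fn casueword
contract and of the retry discipline its callers need.
It is example code written for this page, not kernel code: the
.Fn sim_casueword ,
.Fn sim_umtx_trylock
and
.Fn sim_run
names are hypothetical, and the two global knobs stand in for
store-conditional failures caused by other CPUs and for a pending stop
or termination request that a real caller checks between retries.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define SIM_UNOWNED	0UL

/*
 * Fault-injection knobs (assumed, part of this model only).  On a real
 * LL/SC machine the spurious store failures come from other CPUs writing
 * the cache line; here a counter stands in for them.  The stop knob models
 * a stop or kill request that becomes pending while the caller retries.
 */
static int sim_sc_fail_budget = 0;	/* spurious store failures still to inject */
static int sim_stop_after = -1;		/* retries before a stop is pending (-1: never) */

/*
 * Model of casueword(9): 0 on success, -1 on a fault accessing the user
 * address, 1 when the comparison or the store failed.  The value seen is
 * always reported through oldvalp, so a caller can tell the two apart.
 */
static int
sim_casueword(volatile unsigned long *base, unsigned long oldval,
    unsigned long *oldvalp, unsigned long newval)
{
	unsigned long cur;

	if (base == NULL)
		return (-1);		/* unmapped address: the EFAULT path */
	cur = *base;
	*oldvalp = cur;
	if (cur != oldval)
		return (1);		/* comparison failed: *oldvalp != oldval */
	if (sim_sc_fail_budget > 0) {
		sim_sc_fail_budget--;
		return (1);		/* store failed: *oldvalp == oldval */
	}
	*base = newval;
	return (0);
}

/*
 * Caller pattern: take an unowned lock word for owner_id.  Returns 0 when
 * acquired, EBUSY when someone else owns it (a real umtx caller would
 * sleep here), EFAULT on a bad address, EINTR when a stop became pending
 * while retrying spurious store failures.  *retries_out counts retries.
 */
static int
sim_umtx_trylock(volatile unsigned long *lock, unsigned long owner_id,
    int *retries_out)
{
	unsigned long old;
	int rv, spurious = 0;

	*retries_out = 0;
	for (;;) {
		rv = sim_casueword(lock, SIM_UNOWNED, &old, owner_id);
		if (rv == -1)
			return (EFAULT);
		if (rv == 0)
			return (0);		/* acquired */
		/* rv == 1: a real loss and a spurious failure look different. */
		if (old != SIM_UNOWNED)
			return (EBUSY);
		/* Spurious store failure: retry, but only while not stopped. */
		*retries_out = ++spurious;
		if (sim_stop_after >= 0 && spurious >= sim_stop_after)
			return (EINTR);
	}
}

struct sim_result {
	int rv;
	int retries;
	unsigned long word;
};

/* Run one scenario: initial word, injected store failures, stop point, fault flag. */
static struct sim_result
sim_run(unsigned long initial, int sc_fails, int stop_after, int fault)
{
	volatile unsigned long word = initial;
	struct sim_result r;

	sim_sc_fail_budget = sc_fails;
	sim_stop_after = stop_after;
	r.rv = sim_umtx_trylock(fault ? NULL : &word, 42UL, &r.retries);
	r.word = word;
	return (r);
}

int
main(void)
{
	struct sim_result r;

	r = sim_run(SIM_UNOWNED, 3, -1, 0);
	printf("3 spurious failures: rv=%d retries=%d word=%lu\n", r.rv, r.retries, r.word);
	r = sim_run(99UL, 0, -1, 0);
	printf("held by 99: rv=%d (EBUSY=%d) word=%lu\n", r.rv, EBUSY, r.word);
	r = sim_run(SIM_UNOWNED, 1 << 30, 5, 0);	/* hostile sibling thread never stops */
	printf("livelock attempt: rv=%d (EINTR=%d) after %d retries\n", r.rv, EINTR, r.retries);
	return (0);
}
```

The third scenario is the shape of the problem the 1 return value was
introduced for: the store never succeeds, and the only way out of the
loop is the stop check between attempts.
A primitive that retried internally, as the previous interface did,
offered no such exit and let userspace spin the kernel thread forever.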
.Sh SEE ALSO
.Xr atomic 9 ,
.Xr fetch 9 ,
.Xr store 9