MFC:

sys/arm/include/asmacros.h rev 1.7 sys/arm/include/atomic.h rev 1.23 Close a race. The RAS implementation would set the end address, then the start address. These were used by the kernel to restart a RAS sequence if it was interrupted. When the thread switching code ran, it would check these values and adjust the PC and clear them if it did. However, there's a small flaw in this scheme. Thread T1, sets the end address and gets preempted. Thread T2 runs and also does a RAS operation. This resets end to zero. Thread T1 now runs again and sets start and then begins the RAS sequence, but is preempted before the RAS sequence executes its last instruction. The kernel code that would ordinarily restart the RAS sequence doesn't because the PC isn't between start and 0, so the PC isn't set to the start of the sequence. So when T1 is resumed again, it is at the wrong location for RAS to produce the correct results. This causes the wrong results for the atomic sequence. The window for the first race is 3 instructions. The window for the second race is 5-10 instructions depending on the atomic operation. This makes this failure fairly rare and hard to reproduce. Mutexs are implemented in libthr using atomic operations. When the above race would occur, a lock could get stuck locked, causing many downstream problems, as you might expect. Also, make sure to reset the start and end address when doing a syscall, or a malicious process could set them before doing a syscall. Reviewed by: imp, ups (thanks guys) Approved by: re (kensmith) Pointy hat to: cognet
2007-12-07 22:08:02 +00:00 · 2007-12-07 22:08:02 +00:00 · 2a7abbfa29
commit 2a7abbfa29
parent 805f201f2b
2 changed files with 73 additions and 40 deletions
--- a/sys/arm/include/asmacros.h
+++ b/sys/arm/include/asmacros.h
@ -67,7 +67,13 @@
 	stmia	r0, {r13-r14}^;		/* Push the user mode registers */ \
        mov     r0, r0;                 /* NOP for previous instruction */ \
 	mrs	r0, spsr_all;		/* Put the SPSR on the stack */	   \
-	str	r0, [sp, #-4]!;
+	str	r0, [sp, #-4]!;						   \
+	mov	r0, #0xe0000004;					   \
+	mov	r1, #0;							   \
+	str	r1, [r0];						   \
+	mov	r0, #0xe0000008;					   \
+	mov	r1, #0xffffffff;					   \
+	str	r1, [r0];

 /*
 * PULLFRAME - macro to pull a trap frame from the stack in the current mode
@ -116,18 +122,16 @@
 	ldr	r5, =0xe0000004;	/* Check if there's any RAS */	   \
 	ldr	r3, [r5];						   \
 	cmp	r3, #0;			/* Is the update needed ? */	   \
-	beq	1f;							   \
-	ldr	lr, [r0, #16];						   \
-	ldr	r1, =0xe0000008;					   \
-	ldr	r4, [r1];		/* Get the end of the RAS */	   \
-	mov	r2, #0;			/* Reset the magic addresses */	   \
-	str	r2, [r5];						   \
-	str	r2, [r1];						   \
-	cmp	lr, r3;			/* Were we in the RAS ? */	   \
-	blt	1f;							   \
-	cmp	lr, r4;							   \
-	strlt	r3, [r0, #16];		/* Yes, update the pc */	   \
-	1:								   \
+	ldrgt	lr, [r0, #16];						   \
+	ldrgt	r1, =0xe0000008;					   \
+	ldrgt	r4, [r1];		/* Get the end of the RAS */	   \
+	movgt	r2, #0;			/* Reset the magic addresses */	   \
+	strgt	r2, [r5];						   \
+	movgt	r2, #0xffffffff;					   \
+	strgt	r2, [r1];						   \
+	cmpgt	lr, r3;			/* Were we in the RAS ? */	   \
+	cmpgt	r4, lr;							   \
+	strgt	r3, [r0, #16];		/* Yes, update the pc */	   \
 	mrs	r0, spsr_all;		/* Put the SPSR on the stack */	   \
 	str	r0, [sp, #-4]!

--- a/sys/arm/include/atomic.h
+++ b/sys/arm/include/atomic.h
@ -148,22 +148,26 @@ atomic_cmpset_32(volatile u_int32_t *p, volatile u_int32_t cmpval, volatile u_in
 	register int done, ras_start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
 	    "ldr	%1, [%2]\n"
 	    "cmp	%1, %3\n"
 	    "streq	%4, [%2]\n"
 	    "2:\n"
 	    "mov	%1, #0\n"
+	    "mov	%0, #0xe0000004\n"
+	    "str	%1, [%0]\n"
+	    "mov	%1, #0xffffffff\n"
+	    "mov	%0, #0xe0000008\n"
 	    "str	%1, [%0]\n"
 	    "moveq	%1, #1\n"
 	    "movne	%1, #0\n"
 	    : "=r" (ras_start), "=r" (done)
-	    ,"+r" (p), "+r" (cmpval), "+r" (newval));
+	    ,"+r" (p), "+r" (cmpval), "+r" (newval) : : "memory");
 	return (done);
 }

@ -173,19 +177,24 @@ atomic_add_32(volatile u_int32_t *p, u_int32_t val)
 	int ras_start, start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
 	    "ldr	%1, [%2]\n"
 	    "add	%1, %1, %3\n"
 	    "str	%1, [%2]\n"
 	    "2:\n"
+	    "mov	%0, #0xe0000004\n"
 	    "mov	%1, #0\n"
 	    "str	%1, [%0]\n"
-	    : "=r" (ras_start), "=r" (start), "+r" (p), "+r" (val));
+	    "mov	%1, #0xffffffff\n"
+	    "mov	%0, #0xe0000008\n"
+	    "str	%1, [%0]\n"
+	    : "=r" (ras_start), "=r" (start), "+r" (p), "+r" (val)
+	    : : "memory");
 }

 static __inline void
@ -194,20 +203,25 @@ atomic_subtract_32(volatile u_int32_t *p, u_int32_t val)
 	int ras_start, start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
 	    "ldr	%1, [%2]\n"
 	    "sub	%1, %1, %3\n"
 	    "str	%1, [%2]\n"
 	    "2:\n"
+	    "mov	%0, #0xe0000004\n"
 	    "mov	%1, #0\n"
 	    "str	%1, [%0]\n"
+	    "mov	%1, #0xffffffff\n"
+	    "mov	%0, #0xe0000008\n"
+	    "str	%1, [%0]\n"

-	    : "=r" (ras_start), "=r" (start), "+r" (p), "+r" (val));
+	    : "=r" (ras_start), "=r" (start), "+r" (p), "+r" (val)
+	    : : "memory");
 }

 static __inline void
@ -216,20 +230,25 @@ atomic_set_32(volatile uint32_t *address, uint32_t setmask)
 	int ras_start, start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
 	    "ldr	%1, [%2]\n"
 	    "orr	%1, %1, %3\n"
 	    "str	%1, [%2]\n"
 	    "2:\n"
+	    "mov	%0, #0xe0000004\n"
 	    "mov	%1, #0\n"
 	    "str	%1, [%0]\n"
+	    "mov	%1, #0xffffffff\n"
+	    "mov	%0, #0xe0000008\n"
+	    "str	%1, [%0]\n"

-	    : "=r" (ras_start), "=r" (start), "+r" (address), "+r" (setmask));
+	    : "=r" (ras_start), "=r" (start), "+r" (address), "+r" (setmask)
+	    : : "memory");
 }

 static __inline void
@ -238,19 +257,24 @@ atomic_clear_32(volatile uint32_t *address, uint32_t clearmask)
 	int ras_start, start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
 	    "ldr	%1, [%2]\n"
 	    "bic	%1, %1, %3\n"
 	    "str	%1, [%2]\n"
 	    "2:\n"
+	    "mov	%0, #0xe0000004\n"
 	    "mov	%1, #0\n"
 	    "str	%1, [%0]\n"
-	    : "=r" (ras_start), "=r" (start), "+r" (address), "+r" (clearmask));
+	    "mov	%1, #0xffffffff\n"
+	    "mov	%0, #0xe0000008\n"
+	    "str	%1, [%0]\n"
+	    : "=r" (ras_start), "=r" (start), "+r" (address), "+r" (clearmask)
+	    : : "memory");

 }

@ -260,19 +284,24 @@ atomic_fetchadd_32(volatile uint32_t *p, uint32_t v)
 	uint32_t ras_start, start;

 	__asm __volatile("1:\n"
-	    "mov	%0, #0xe0000008\n"
-	    "adr	%1, 2f\n"
-	    "str	%1, [%0]\n"
 	    "adr	%1, 1b\n"
 	    "mov	%0, #0xe0000004\n"
 	    "str	%1, [%0]\n"
-	    "ldr	%1, %2\n"
-	    "add	%3, %1, %3\n"
-	    "str	%3, %2\n"
+	    "mov	%0, #0xe0000008\n"
+	    "adr	%1, 2f\n"
+	    "str	%1, [%0]\n"
+	    "ldr	%1, [%2]\n"
+	    "add	%0, %1, %3\n"
+	    "str	%0, [%2]\n"
 	    "2:\n"
+	    "mov	%0, #0xe0000004\n"
 	    "mov	%3, #0\n"
 	    "str	%3, [%0]\n"
-	    : "=r" (ras_start), "=r" (start), "=m" (*p), "+r" (v));
+	    "mov	%0, #0xe0000008\n"
+	    "mov	%3, #0xffffffff\n"
+	    "str	%3, [%0]\n"
+	    : "=r" (ras_start), "=r" (start), "+r" (p), "+r" (v)
+	    : : "memory");
 	return (start);
 }