Re: [PATCH v3] skbuff: fix a data race in skb_queue_len()

From: Jason A. Donenfeld
Date: Thu Feb 06 2020 - 11:38:52 EST

Next message: Randy Dunlap: "Re: linux-next: Tree for Jan 30 + 20200206 (drivers/infiniband/hw/mlx5/)"
Previous message: Roberto Sassu: "RE: [PATCH v2 5/8] ima: Switch to dynamically allocated buffer for template digests"
In reply to: David Miller: "Re: [PATCH v3] skbuff: fix a data race in skb_queue_len()"
Next in thread: Eric Dumazet: "Re: [PATCH v3] skbuff: fix a data race in skb_queue_len()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Eric,

On Tue, Feb 04, 2020 at 01:40:29PM -0500, Qian Cai wrote:
> - list->qlen--;
> + WRITE_ONCE(list->qlen, list->qlen - 1);

Sorry I'm a bit late to the party here, but this immediately jumped out.
This generates worse code with a bigger race in some sense:

list->qlen-- is:

0: 83 6f 10 01 subl $0x1,0x10(%rdi)

whereas WRITE_ONCE(list->qlen, list->qlen - 1) is:

0: 8b 47 10 mov 0x10(%rdi),%eax
3: 83 e8 01 sub $0x1,%eax
6: 89 47 10 mov %eax,0x10(%rdi)

Are you sure that's what we want?

Jason

Next message: Randy Dunlap: "Re: linux-next: Tree for Jan 30 + 20200206 (drivers/infiniband/hw/mlx5/)"
Previous message: Roberto Sassu: "RE: [PATCH v2 5/8] ima: Switch to dynamically allocated buffer for template digests"
In reply to: David Miller: "Re: [PATCH v3] skbuff: fix a data race in skb_queue_len()"
Next in thread: Eric Dumazet: "Re: [PATCH v3] skbuff: fix a data race in skb_queue_len()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]