Re: [PATCH] random: remove batched entropy locking

From: Jason A. Donenfeld
Date: Fri Jan 28 2022 - 10:48:44 EST

Next message: Andy Shevchenko: "Re: [PATCH v2 2/2] i2c: designware: Add AMD PSP I2C bus support"
Previous message: Heiko Stübner: "Re: [PATCH v7 5/5] rockchip/soc/drivers: Add DTPM description for rk3399"
In reply to: Jason A. Donenfeld: "Re: [PATCH] random: remove batched entropy locking"
Next in thread: Jason A. Donenfeld: "[PATCH v2] random: remove batched entropy locking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Andy,

On Fri, Jan 28, 2022 at 4:34 PM Jason A. Donenfeld <Jason@xxxxxxxxx> wrote:
> Andy - could you take a look at this and let me know if it's still
> correct after I've ported it out of your series and into a standalone
> thing here? I'd prefer to hold off on moving forward on this until I
> receive our green light. I'm also still a bit uncertain about your NB:
> comment regarding the acceptable race. If you could elaborate on that
> argument, it might save me a few cycles with my thinking cap on.
[...]
> + position = READ_ONCE(batch->position);
> + /* NB: position can change to ARRAY_SIZE(batch->entropy_u64) out
> + * from under us -- see invalidate_batched_entropy(). If this,
> + * happens it's okay if we still return the data in the batch. */
> + if (unlikely(position + 1 > ARRAY_SIZE(batch->entropy_u64))) {
> extract_crng((u8 *)batch->entropy_u64);
> - batch->position = 0;
> + position = 0;

So the argument for this is something along the lines of -- if the
pool is invalidated _after_ the position value is read, in the worst
case, we read old data, and then we set position to value 1, so the
remaining reads _also_ are of invalidated data, and then eventually
this depletes and we get newly extracted data? So this means that in
some racey situations, we're lengthening the window during which
get_random_u{32,64}() returns bad randomness, right?

Couldn't that race be avoided entirely by something like the below?

Jason

diff --git a/drivers/char/random.c b/drivers/char/random.c
index 50c50a59847e..664f1a7eb293 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -2082,14 +2082,15 @@ u64 get_random_u64(void)
u64 ret;
unsigned long flags;
struct batched_entropy *batch;
- unsigned int position;
+ unsigned int position, original;
static void *previous;

warn_unseeded_randomness(&previous);

local_irq_save(flags);
batch = this_cpu_ptr(&batched_entropy_u64);
- position = READ_ONCE(batch->position);
+try_again:
+ original = position = READ_ONCE(batch->position);
/* NB: position can change to ARRAY_SIZE(batch->entropy_u64) out
* from under us -- see invalidate_batched_entropy(). If this
* happens it's okay if we still return the data in the batch. */
@@ -2098,6 +2099,8 @@ u64 get_random_u64(void)
position = 0;
}
ret = batch->entropy_u64[position++];
+ if (unlikely(cmpxchg(&batch->position, original, batch) != original))
+ goto try_again;
WRITE_ONCE(batch->position, position);
local_irq_restore(flags);
return ret;

Next message: Andy Shevchenko: "Re: [PATCH v2 2/2] i2c: designware: Add AMD PSP I2C bus support"
Previous message: Heiko Stübner: "Re: [PATCH v7 5/5] rockchip/soc/drivers: Add DTPM description for rk3399"
In reply to: Jason A. Donenfeld: "Re: [PATCH] random: remove batched entropy locking"
Next in thread: Jason A. Donenfeld: "[PATCH v2] random: remove batched entropy locking"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]