* Jason A. Donenfeld: > Hi Florian, > > On Mon, Dec 05, 2022 at 07:56:47PM +0100, Florian Weimer wrote: >> * Jason A. Donenfeld: >> >> > +retry_generation: >> > + /* >> > + * @rng_info->generation must always be read here, as it serializes @state->key with the >> > + * kernel's RNG reseeding schedule. >> > + */ >> > + current_generation = READ_ONCE(rng_info->generation); >> >> > + if (unlikely(READ_ONCE(state->generation) != READ_ONCE(rng_info- >> >> I'm pretty sure you need some sort of barrier here. We have a similar >> TM-lite construct in glibc ld.so for locating link maps by address, and >> there the compiler performed reordering. >> >> _dl_find_object miscompilation on powerpc64le >> <https://sourceware.org/bugzilla/show_bug.cgi?id=28745> >> >> I'm not familiar with READ_ONCE, but Documentation/atomic_t.txt suggests >> it's a “regular LOAD”, and include/asm-generic/rwonce.h concurs. > > Do you mean compiler barriers or SMP barriers? Compiler barrier. >> Likewise, the signal safety mechanism needs compiler barriers (signal >> fences). > > READ_ONCE() should prevent the compiler from reordering the read. READ_ONCE looks just like a volatile read. Other reads can be ordered around it. For example, this: void f1 (int, int, int); extern int a; extern int b; void f2 (volatile int *p) { int a1 = a; int p1 = *p; int b1 = b; return f1 (a1, p1, b1); } Turns into: .globl f2 .type f2, @function f2: movl (%rdi), %esi movl b(%rip), %edx movl a(%rip), %edi jmp f1 Looks like compiler reodering to me. >> I'm also not sure how READ_ONCE realizes atomic 64-bit reads on 32-bit >> platforms. i386 can do them in user space via the FPU worst-case (if >> the control word hasn't been corrupted). CMPXCHG8B is not applicable >> here because it's a read-only mapping. Maybe add a comment at least >> about that “strong prevailing wind”? > > There's read tearing in that case, which isn't super, but perhaps not > all together harmful. Maybe add a comment that it was considered? Thanks, Florian
