CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	kib <kib@FreeBSD.org>
	Fri, 12 Jul 2019 18:43:24 +0000 (18:43 +0000)
committer	kib <kib@FreeBSD.org>
	Fri, 12 Jul 2019 18:43:24 +0000 (18:43 +0000)
commit	ea314818c6b9e079e07ec395c7b878adb8c7ac11
tree	c817bfb1c1f4a31f9ad5e1e76b6e4b430b415ac1	tree \| snapshot
parent	911dbf2f91ae3072a1a94f784f0a35ab18d4eb33	commit \| diff

Provide protection against starvation of the ll/sc loops when accessing userpace.

Casueword(9) on ll/sc architectures must be prepared for userspace
constantly modifying the same cache line as containing the CAS word,
and not loop infinitely.  Otherwise, rogue userspace livelocks the
kernel.

To fix the issue, change casueword(9) interface to return new value 1
indicating that either comparision or store failed, instead of relying
on the oldval == *oldvalp comparison.  The primitive no longer retries
the operation if it failed spuriously.  Modify callers of
casueword(9), all in kern_umtx.c, to handle retries, and react to
stops and requests to terminate between retries.

On x86, despite cmpxchg should not return spurious failures, we can
take advantage of the new interface and just return PSL.ZF.

Reviewed by: andrew (arm64, previous version), markj
Tested by: pho
Reported by: https://xenbits.xen.org/xsa/advisory-295.txt
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D20772

share/man/man9/casuword.9		diff \| blob \| history
sys/amd64/amd64/support.S		diff \| blob \| history
sys/arm/arm/fusu.S		diff \| blob \| history
sys/arm64/arm64/support.S		diff \| blob \| history
sys/i386/i386/copyout.c		diff \| blob \| history
sys/kern/kern_umtx.c		diff \| blob \| history
sys/mips/mips/support.S		diff \| blob \| history
sys/powerpc/powerpc/copyinout.c		diff \| blob \| history
sys/riscv/riscv/support.S		diff \| blob \| history
sys/sparc64/sparc64/support.S		diff \| blob \| history
sys/sparc64/sparc64/vm_machdep.c		diff \| blob \| history