[PATCH v2 0/2] Fix mm/rodata_test

[PATCH v2 0/2] Fix mm/rodata_test

[Petr Tesarik]

Make sure that the test actually reads the read-only memory location.
Verify that the variable contains the expected value rather than any
non-zero value.

Petr Tesarik (2):
  mm/rodata_test: use READ_ONCE() to read const variable
  mm/rodata_test: verify test data is unchanged, rather than non-zero

 mm/rodata_test.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

-- 
2.46.1

[PATCH v2 1/2] mm/rodata_test: use READ_ONCE() to read const variable

[Petr Tesarik]

The C compiler may optimize away the memory read of a const variable if its
value is known at compile time.

In particular, GCC14 with -O2 generates no code at all for test 1, and it
generates the following x86_64 instructions for test 3:

	cmpl	$195, 4(%rsp)
	je	.L14

That is, it replaces the read of rodata_test_data with an immediate value
and compares it to the value of the local variable "zero".

Use READ_ONCE() to undo any such compiler optimizations and enforce a
memory read.

Fixes: 2959a5f726f6 ("mm: add arch-independent testcases for RODATA")
Signed-off-by: Petr Tesarik <ptesarik@suse.com>
---
 mm/rodata_test.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/mm/rodata_test.c b/mm/rodata_test.c
index 6d783436951f..3b60425d80fe 100644
--- a/mm/rodata_test.c
+++ b/mm/rodata_test.c
@@ -20,7 +20,7 @@ void rodata_test(void)
 
 	/* test 1: read the value */
 	/* If this test fails, some previous testrun has clobbered the state */
-	if (!rodata_test_data) {
+	if (!READ_ONCE(rodata_test_data)) {
 		pr_err("test 1 fails (start data)\n");
 		return;
 	}
@@ -33,7 +33,7 @@ void rodata_test(void)
 	}
 
 	/* test 3: check the value hasn't changed */
-	if (rodata_test_data == zero) {
+	if (READ_ONCE(rodata_test_data) == zero) {
 		pr_err("test data was changed\n");
 		return;
 	}
-- 
2.46.1

[PATCH v2 2/2] mm/rodata_test: verify test data is unchanged, rather than non-zero

[Petr Tesarik]

Verify that the test variable holds the initialization value, rather than
any non-zero value.

Signed-off-by: Petr Tesarik <ptesarik@suse.com>
---
 mm/rodata_test.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/mm/rodata_test.c b/mm/rodata_test.c
index 3b60425d80fe..e7173fcd210c 100644
--- a/mm/rodata_test.c
+++ b/mm/rodata_test.c
@@ -12,7 +12,8 @@
 #include <linux/mm.h>
 #include <asm/sections.h>
 
-static const int rodata_test_data = 0xC3;
+#define TEST_VALUE 0xC3
+static const int rodata_test_data = TEST_VALUE;
 
 void rodata_test(void)
 {
@@ -20,7 +21,7 @@ void rodata_test(void)
 
 	/* test 1: read the value */
 	/* If this test fails, some previous testrun has clobbered the state */
-	if (!READ_ONCE(rodata_test_data)) {
+	if (unlikely(READ_ONCE(rodata_test_data) != TEST_VALUE)) {
 		pr_err("test 1 fails (start data)\n");
 		return;
 	}
@@ -33,7 +34,7 @@ void rodata_test(void)
 	}
 
 	/* test 3: check the value hasn't changed */
-	if (READ_ONCE(rodata_test_data) == zero) {
+	if (unlikely(READ_ONCE(rodata_test_data) != TEST_VALUE)) {
 		pr_err("test data was changed\n");
 		return;
 	}
-- 
2.46.1

Re: [PATCH v2 0/2] Fix mm/rodata_test

[Kees Cook]

On Tue, Nov 19, 2024 at 12:37:37PM +0100, Petr Tesarik wrote:
> Make sure that the test actually reads the read-only memory location.
> Verify that the variable contains the expected value rather than any
> non-zero value.
> 
> Petr Tesarik (2):
>   mm/rodata_test: use READ_ONCE() to read const variable
>   mm/rodata_test: verify test data is unchanged, rather than non-zero
> 
>  mm/rodata_test.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

Nice fixes! Thanks for catching these.

Reviewed-by: Kees Cook <kees@kernel.org>

-- 
Kees Cook