Received: by 10.192.245.15 with SMTP id i15csp1233471imn;
        Sun, 11 Mar 2018 09:43:49 -0700 (PDT)
X-Google-Smtp-Source: AG47ELs75qJwJkfIxKdBecHnE6Dvopblf0XxT42LY6O/BmNBp84c1fXlnIYX4x6yr5y3NXX3QSdT
X-Received: by 2002:a17:902:2803:: with SMTP id e3-v6mr5429014plb.238.1520786629587;
        Sun, 11 Mar 2018 09:43:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520786629; cv=none;
        d=google.com; s=arc-20160816;
        b=I/qlKCG9a19nFc1PgTp1EpDsVHrYMlitoZptQDCBAVLWwhsQtEojBTR+ldDxjefnWV
         xS4jv9cLQw4oxI1GIMuYZl5zE1qUJMl7JEK7NZS1avXLUbYh8O09PtGM6HtQf5nqzB9T
         74C4V5s0ndXthF8mx7y0Mx5EhB/kCu8fsbvI2TtVNmctAzBbTAjvWckrocr1sZUteK/6
         N0xXsfnNptPgTPXFgUql7Le6bVQZENrdMza8eQHftGvGU5CIVO+GXKzy8gqoJ+wFtNjn
         dtfcjpGFszCazZHihuFozmmSSRh+ovPFmjZmVXdsJnBx/pOh7ItBgWAzkjHI+SbnSO0d
         Vonw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :mime-version:dkim-signature:arc-authentication-results;
        bh=eP18dEDyvoB0fak32I081DvOTSp79UYjX8gl+YAHxPM=;
        b=U3JQYqC7umkWbeZH/MVOUNtwYQ+tYqKbKf7n7yI+B8QnAAiMaT3u0PS8l21B31ZW6r
         VtZIoobm9wY321Nvg71bpHLN0KoIqGrYaGQFqo3IsDAMh9Zh8+9ed6RR8b1Q0p8bXkoO
         wWh6tBpjpgokHswpV9GpK6rQf+6tSnf5PXhnyTo7vXKPiaW2HQZ4YpRHAKmiCeci3oCB
         ToA6gkcs7tN5Hc54+OkC6TWxGdvhjZWXcUUDYoM9Keesp0QiDakYGsooke/1S27npOsu
         zi+Gft9x+5530uIx/T/itzWvmJP3jC3kETKPPWVAC02xN4Iv/J6BAM2te7STW1nRbD6f
         a9mw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IBtUrJQC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c6-v6si4582208plr.398.2018.03.11.09.43.34;
        Sun, 11 Mar 2018 09:43:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IBtUrJQC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932275AbeCKQmQ (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Sun, 11 Mar 2018 12:42:16 -0400
Received: from mail-ot0-f193.google.com ([74.125.82.193]:34424 "EHLO
        mail-ot0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932153AbeCKQmP (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 11 Mar 2018 12:42:15 -0400
Received: by mail-ot0-f193.google.com with SMTP id n74so13103587ota.1
        for <linux-kernel@vger.kernel.org>; Sun, 11 Mar 2018 09:42:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=eP18dEDyvoB0fak32I081DvOTSp79UYjX8gl+YAHxPM=;
        b=IBtUrJQCGAbjZnTMfsWR54ar2SfZSX3RlS5K44T7QdaUnHAYKG7anq4NP0H3gK99Uo
         RzJrJUkcGZ7ACDI9YJxU4zNemRt28WJpx6KEongJU5+mMRf8YDpphgJRY3/7yWNWu+yR
         DeduRWZx2XPXoyUpFBlR004bFHWQRckz2MivJ3hofJOYtPM6q7VEXeVWH5X9KJaozF2H
         8AW3bPoZ/EiNrnUXzaPK2wW9IyEIoS40vUtriD2EaoFtThqk0uVeHVfLB2HDrDw54jzc
         U4mydUMy4QZKaWnG/Btv9g+liQTU21AKvG9FcuMEYgh3sgJ9nGGZPTbY9JUSr3BzhUav
         HCEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=eP18dEDyvoB0fak32I081DvOTSp79UYjX8gl+YAHxPM=;
        b=g4HbfTOUbNGj03sBWHCzU/WbQsLCfnwQyePp+wMLM9LwbotqrcwV+wTsJqlYOCfeu6
         dRlL7SMPwFVuBX3TFO3GlLxU5cKGgZyyrQs0nH+TEHlrST/C+PF1irtdtVi/ZPbfeH/9
         tk3HL4qPs0cGABhMoLzk+O91VKf04UDqBqzGgrG4HeiMywLLLDOAlh7FmkofkZmJLAQz
         kqRdZyRyVFpDp+M7bWX3akrOzWa93GKAkwQEiaPlr2sSp7oGpPS/6meKqGj758Hi0zgH
         zmNyt2bMsbrGYWe8f2ujo4vguNN12fsUw4JZklBZ3MTTc5Smx+DOcdxFYs26FmBTi81l
         qYJA==
X-Gm-Message-State: AElRT7HqBY96llPcK1v11rAAJD/kd973cjJAxbSnv/26lBrnlZ5rsyYV
        IwanIist3oHIsIO5aTN6cfsHYFj16sESA6Pu9vl0zVJw
X-Received: by 10.157.113.15 with SMTP id n15mr3428165otj.137.1520786535134;
 Sun, 11 Mar 2018 09:42:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.151.230 with HTTP; Sun, 11 Mar 2018 09:42:14 -0700 (PDT)
From:   =?UTF-8?B?54Sm5pmT5Yas?= <milestonejxd@gmail.com>
Date:   Mon, 12 Mar 2018 00:42:14 +0800
Message-ID: <CAJDTihyScHH58fau9xPbPzgWeTGHQrPUUBVDxtCw2Fu7TZN8jQ@mail.gmail.com>
Subject: finish_wait with list_empty_careful maybe fragile or buggy
To:     linux-kernel@vger.kernel.org
Cc:     mingo@elte.hu
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

void finish_wait(struct wait_queue_head *wq_head, struct
wait_queue_entry *wq_entry)
{
    ....
->    if (!list_empty_careful(&wq_entry->entry)) {
->        spin_lock_irqsave(&wq_head->lock, flags);
->        list_del_init(&wq_entry->entry);
->        spin_unlock_irqrestore(&wq_head->lock, flags);
->    }
}

After careful look into the stop/wakeup code, I found the above code
fragile or even
buggy. This code was introduced at least 14 years ago and seems
fragile or buggy now
after years of study on SMP synchronization by us.

I understand this code are being used a lot and no bug seems to
emerge. But, as I'll
explain, it depends on a lot of unreliable implementation details.

Firstly,

static inline int list_empty_careful(const struct list_head *head)
{
    struct list_head *next = head->next;
    return (next == head) && (next == head->prev);
}

note that the read of head->next & head->prev is not protected by READ_ONCE. So
the read is free to be optimized out entirely. Luckily, this
optimization is hard for compilers
now, since all other accesses are out of finish_wait. And still, GCC
won't spit aligned
accesses into multiple instructions so it is atomic so far.

Secondly,

if ( ! list_empty_careful(&wq_entry->entry) ) {
     <remove entry with spinning-lock>
}
<ends stack frame of the function calling finish_wait>
<overwrites wq_entry with another frame>

and

__wake_up_common()   -->
<read wq_entry->func>  -->
<read wq_entry->flags>  -->
autoremove_wake_function()  -->
<remove wq_entry->entry from wait queue>  -->

are not properly ordered for SMP so that  <read wq_entry->flags> may
be reordered after
<remove wq_entry->entry from wait queue> since no dependency or memory
barrier forbids
it. This may cause <overwrites wq_entry with another frame> on one CPU
takes place before
<read wq_entry->flags> on another CPU and cause <read wq_entry->flags>
to return bad
value.

This behavior is not reported may thank to:
- quite a few code is using autoremove_wake_function
- CPU pipeline is not as deep as to make this emerge

Best regards,
Patrick Trol