Received: by 10.192.245.15 with SMTP id i15csp1237767imn;
        Sun, 11 Mar 2018 10:00:07 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtpyyS2i/oIDYrJPvaoNNDCueE4nddOKCB3+i0TT6YHqjoASufeUF6Yfq0fF3tiv93SfRGN
X-Received: by 10.101.69.205 with SMTP id m13mr4384088pgr.323.1520787607259;
        Sun, 11 Mar 2018 10:00:07 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520787607; cv=none;
        d=google.com; s=arc-20160816;
        b=bPlAaOnJHdh5y2of2HPzUHPGNG6ZiGlqcbqS8iAcCY7DX8yrNpwoMjzL7m6NiXeDFg
         To0rw8B25nIjA2MzgnohJkNXGbEP6KY8nujhCKaOvfXuEAbIIO1sTDkqnKFa8TRPat8X
         IAZZa+g8mx8nqmTxsoIPen5CK1PCRl9s+uCuJ59xUaeepXbJNtR2b8yHlCJAlRzln/sa
         RpO2Gj3onLg5vAVqxo2SyocYvp6iElovLe3itkR/+1GmJ6rDpXba1OMCCaxDpuwnuHxr
         W6+5Ob4R+eJmQ+fNjv5m8LnMbGmTJvkbnlO9+TPF3MSvL5xX6pkAKGxNATqbgoEUXb+F
         9BZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :mime-version:dkim-signature:arc-authentication-results;
        bh=GNUmS3fm5kvns7vkyhsLV8h+Z+0Nd3pvWVg0RmEbXm8=;
        b=ByV8wHV1E85pszC0e4gNO57s0EwNZ7wDFkh1bUJgCp5aSMrPw6Jl+8Oat16T9qXMHQ
         1+o1xlwRL68eByNPbREytGSpBYZAc/8N+HXP4kgVPA3B89ALbWjA2dJh8YvFzexMoaAP
         E1bK9zla4psodiRChH81Cnued2gygZZwdR+tYdw306j4T1OJV6kTVCwt9hrd9AXC2l9B
         LwJ0PtCD36+7g/An8SYCFuzO1JjwvpvCdjjsZykQBoU6GMF9f8SIxxZlF9U0ZbO34xKv
         TLTiaCFIP5vZY76Ksom9N++Ja8mjH5UqQirqflIUxfImDIoYS44kKEEXaeGYieDFtO0M
         0gpQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Zphmu0hB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u3si3718225pgr.447.2018.03.11.09.59.52;
        Sun, 11 Mar 2018 10:00:07 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Zphmu0hB;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932242AbeCKQ7B (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Sun, 11 Mar 2018 12:59:01 -0400
Received: from mail-oi0-f65.google.com ([209.85.218.65]:42410 "EHLO
        mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932153AbeCKQ7A (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 11 Mar 2018 12:59:00 -0400
Received: by mail-oi0-f65.google.com with SMTP id c18so10517195oiy.9
        for <linux-kernel@vger.kernel.org>; Sun, 11 Mar 2018 09:59:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to:cc;
        bh=GNUmS3fm5kvns7vkyhsLV8h+Z+0Nd3pvWVg0RmEbXm8=;
        b=Zphmu0hBJoxQeK7yGr2MqF2wRs8kLmkG4vxbaUsrWRgrEmNk6wM+bsgy8Cdg7LnPIt
         t8bEoZy5Lwon16ydmLvP24nDFNNNjhe26Vj9ujfUVVf5xJF/l+FQrU5Cffmq1Gf4NGey
         gCyqr2Weu4LLJT8ZSSa6ksMK1A7kJRaF6SncKglHeMnRDV4NBDMc76LD63OC5K/4M2eo
         Fmbuqfg2zvYF3bamsGoB+k6rxrChLKzqxuYshBG/iqJTTYZaaV3sb7wJVBwPRPfla0/l
         NcGQd2X+g4sap4B6VPbIkpwPIizbIjd7VcHjYT1eLQuqR2c6I/B6nMYnulfcv50QDho5
         OuYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
        bh=GNUmS3fm5kvns7vkyhsLV8h+Z+0Nd3pvWVg0RmEbXm8=;
        b=AbaHmN95nsA0WUdOOoSVwRa6bvzuROG6TZGjV7zsvvtqjhHHOUK0NJznRY1/JHc1AQ
         2clthmGDEz7UtE7qvjbiVqmDtUPJf3wkASwNFrrSylkSIkc7QaMXXNXU/Omqfb7CZEtU
         JKrYUngyc/RXnGj3dVYutMgD8fJ6r5MTtchiczXixO2/7j0JU/Kbaf4sPGSuoRJ/eFjI
         WXz2JcgubEUiIyFdUWsPW19lyUxPztSEXAZIUKQ7Fp3m4LjQm4AIzRRCgBfR5xBZFfbS
         vOYhYoATdiw3Wp5+87c2hSZ3xkCshTeUBr/tO092X2PDuTS9A5EW+2wxlZ85icitEUc7
         aRcw==
X-Gm-Message-State: AElRT7GBym11ggYiW9V3oSiQ5RgFk/XVe/c7tl6a960HIYwLcmMOvIZh
        2XJ3AIhpaEWp+mpbiBHMDNMIJW11AAfWAqGpXph6NPnd
X-Received: by 10.202.9.19 with SMTP id 19mr3361420oij.152.1520787539787; Sun,
 11 Mar 2018 09:58:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.151.230 with HTTP; Sun, 11 Mar 2018 09:58:59 -0700 (PDT)
From:   =?UTF-8?B?54Sm5pmT5Yas?= <milestonejxd@gmail.com>
Date:   Mon, 12 Mar 2018 00:58:59 +0800
Message-ID: <CAJDTihxS9SiYohtgfdXpZc-=Z7vdUP7U9+ShPfK+9C-82SxsBg@mail.gmail.com>
Subject: resend, finish_wait with list_empty_careful maybe fragile or buggy
To:     linux-kernel@vger.kernel.org
Cc:     mingo@elte.hu
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Sorry, this is a resend because the previous one was messed
up by my editor and hard to be read.

void finish_wait(
struct wait_queue_head *wq_head,
struct wait_queue_entry *wq_entry)
{
       ....
->    if (!list_empty_careful(&wq_entry->entry)) {
->        spin_lock_irqsave(&wq_head->lock, flags);
->        list_del_init(&wq_entry->entry);
->        spin_unlock_irqrestore(&wq_head->lock, flags);
->    }
}

After careful look into the stop/wakeup code, I found
the above code fragile or even buggy. This code was
introduced at least 14 years ago and seems fragile or
buggy now after years of study on SMP synchronization
by us.

I understand this code are being used a lot and no bug
seems to emerge. But, as I'll explain, it depends on a lot
of unreliable implementation details.

Firstly,

static inline int list_empty_careful(const struct list_head *head)
{
    struct list_head *next = head->next;
    return (next == head) && (next == head->prev);
}

note that the read of head->next & head->prev is not
protected by READ_ONCE. So the read is free to be
optimized out entirely. Luckily, this optimization is hard
for compilers now, since all other accesses are out of
finish_wait. And still, GCC won't spit aligned accesses
into multiple instructions so it is atomic so far.

Secondly,

if ( ! list_empty_careful(&wq_entry->entry) ) {
     <remove entry with spinning-lock>
}
<ends stack frame of the function calling finish_wait>
<overwrites wq_entry with another frame>

and

__wake_up_common()   -->
<read wq_entry->func>  -->
<read wq_entry->flags>  -->
autoremove_wake_function()  -->
<remove wq_entry->entry from wait queue>  -->

are not properly ordered for SMP so that  <read wq_entry->flags>
may be reordered after <remove wq_entry->entry from wait queue>
since no dependency or memory barrier forbids it. This may cause
<overwrites wq_entry with another frame> on one CPU takes place
before <read wq_entry->flags> on another CPU and cause
<read wq_entry->flags> to return bad value.

This behavior is not reported may thank to:
- quite a few code is using autoremove_wake_function
- CPU pipeline is not as deep as to make this emerge

Best regards,
Patrick Trol