Received: by 10.213.65.16 with SMTP id m16csp116489imf;
        Sun, 11 Mar 2018 18:53:22 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtEGai3irGsu2dCVepSoEWTJbbQ07nDAG5wSWPBbfPNQa4kjZhvxBeRmpOs5R8qTxOC9dOD
X-Received: by 10.99.123.86 with SMTP id k22mr5221386pgn.228.1520819602863;
        Sun, 11 Mar 2018 18:53:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520819602; cv=none;
        d=google.com; s=arc-20160816;
        b=Hpvi83Oxce1rukLJy2zgn6oAJCsKAndx6mspsjMl0kSAS5iVy2IMTsHzsZ4fo3ezFB
         S30on6cFP1JHotm46ZIHcabY17HmeiXhS75WCJyyFrJV0C+H7/uH6EPjfIgZ3ydB8AGx
         KCt/u1sUO8jzdppDTF4ntsiemfgrCztHemsMBcjuwd9FYxzW/xApL5Q7FgztwNnnXNHB
         ZKbantn/8yQumlB4pW8id5VnkxI4UhZEBBD/DWDP0e6M357/hR08i5mVEzXRidO6Enll
         2hClOhomoRHEawCQ/dHUgoWNFX5wFB/nvLUS1RnPEaDfRiDUrptKh8ngjVMEN/7GS87g
         QTuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=VoFCWQfpoKOuF0aEudTXyMyu3FaqGzA3KZzeY/TOvzc=;
        b=E2tKnwsGqUpqknfllrB6f03TjCiwdbNrprkhZmC0zYO33PLwNtdn/VaUujK8Ua7N1K
         ek/NTWqYARAEJx60eOsAPxEOkeZBMbKoI4GY2w/HoWAkkUHoa8/hQbc9DyiRL2zOy16v
         ub6jldnAcnEtVWFSHuyRpuAS1lfsJh5/qMkq3OLwG3RQroV05sMnhFQSDGHl2k5HSJPO
         nwgfksPbCSd3g9ZS/PYb7HximnwkgeoD5ehlwNlVWgWssSMG6eG+U6jeek3mzYsjoDkx
         SdJ8ORIvFhG/S/4lON9reTp6VL+cfHuPbXMqQzC/DQzt/KnyP17Ocnzxc5J0zm+AhBaP
         F55Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=EoKk2xQa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d126si4288478pgc.385.2018.03.11.18.53.08;
        Sun, 11 Mar 2018 18:53:22 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=EoKk2xQa;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932557AbeCLBwB (ORCPT <rfc822;hackukernel@gmail.com>
        + 99 others); Sun, 11 Mar 2018 21:52:01 -0400
Received: from mail-ot0-f195.google.com ([74.125.82.195]:44181 "EHLO
        mail-ot0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932532AbeCLBv7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 11 Mar 2018 21:51:59 -0400
Received: by mail-ot0-f195.google.com with SMTP id 79so13770237oth.11
        for <linux-kernel@vger.kernel.org>; Sun, 11 Mar 2018 18:51:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=VoFCWQfpoKOuF0aEudTXyMyu3FaqGzA3KZzeY/TOvzc=;
        b=EoKk2xQalpjeJ/FYfD3QOxtoRp+GnmMrhL0VOmtdfLMt53vp56mw20SVzTKDa1u8SR
         4ICiL5kw5rFpNwxL2EqcnO/XifOdhMDaEaO+q+r+yZIbQWxld0/FYrGbKTZlqUrdI8PQ
         9/CmXQxgs5fbNYZluUGrmd0OqE1BT898adPOb16RHXBSMbKFATbeJ+kGT6BERRBqckZe
         0mNY+/HqCEcA/qF0AzhliZtpuwrXrvLSkkb3tKriRvYR3fiS1+o3CuRiOWFk8TDBS+Ns
         +iOxo8O4mUd6ktKq+rz4HNnvKAVsGZcyFdUDKeToMgjrtHSs2kzrx//kxERC1wmI/qMJ
         DXpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=VoFCWQfpoKOuF0aEudTXyMyu3FaqGzA3KZzeY/TOvzc=;
        b=tG5jm8XBKbDUyp1k2FTFVBV5ruSRwsoILOqdpWVioE47fA654CZEqq2S5GKnV7j6SB
         MNtZbBCjQiZWX/RGSMiHbW/UgWh/OiXPxAMGgvbyzYBeqg2jh95Tw/NStCwws8Pdsf2v
         Fk9PCyv8U10YdrO4ySxDO6OAnGYVZCblo7/94R/AHzLlJ/NnA6e0of5Ox9E4o/Y7cq7E
         m+O+TI6LdUoeLZ4WgCkE5PeL5834pEeqx6/JlTx1aaiSi1pEtYYG5txgSgX7GVos4gkj
         eH1iR/mFkim4+p75IAwKYHmGt1+rUfksNqPirq7pcM5adHXN1WtGssKKbYJPRXOH4w1G
         SiXQ==
X-Gm-Message-State: AElRT7GwIhQJJ+gvkuwJ1HnfLWvFVutB2ycucA0vautvIuZSAYniotw+
        OqqrzDx2MMcJCCoZvLJbkXRPN+6P/Ygfu0MnT1weR6ZN
X-Received: by 10.157.113.15 with SMTP id n15mr4187347otj.137.1520819519236;
 Sun, 11 Mar 2018 18:51:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.151.230 with HTTP; Sun, 11 Mar 2018 18:51:58 -0700 (PDT)
In-Reply-To: <CAJDTihxS9SiYohtgfdXpZc-=Z7vdUP7U9+ShPfK+9C-82SxsBg@mail.gmail.com>
References: <CAJDTihxS9SiYohtgfdXpZc-=Z7vdUP7U9+ShPfK+9C-82SxsBg@mail.gmail.com>
From:   =?UTF-8?B?54Sm5pmT5Yas?= <milestonejxd@gmail.com>
Date:   Mon, 12 Mar 2018 09:51:58 +0800
Message-ID: <CAJDTihxfPo1enFDX-c=sboeG6t5b_avamvV7jz2k7LuMtZge1g@mail.gmail.com>
Subject: Re: resend, finish_wait with list_empty_careful maybe fragile or buggy
To:     linux-kernel@vger.kernel.org
Cc:     mingo@redhat.com, peterz@infradead.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

> Sorry, this is a resend because the previous one was messed
> up by my editor and hard to be read.
>
> void finish_wait(
> struct wait_queue_head *wq_head,
> struct wait_queue_entry *wq_entry)
> {
>        ....
> ->    if (!list_empty_careful(&wq_entry->entry)) {
> ->        spin_lock_irqsave(&wq_head->lock, flags);
> ->        list_del_init(&wq_entry->entry);
> ->        spin_unlock_irqrestore(&wq_head->lock, flags);
> ->    }
> }
>
> After careful look into the stop/wakeup code, I found
> the above code fragile or even buggy. This code was
> introduced at least 14 years ago and seems fragile or
> buggy now after years of study on SMP synchronization
> by us.
>
> I understand this code are being used a lot and no bug
> seems to emerge. But, as I'll explain, it depends on a lot
> of unreliable implementation details.
>
> Firstly,
>
> static inline int list_empty_careful(const struct list_head *head)
> {
>     struct list_head *next = head->next;
>     return (next == head) && (next == head->prev);
> }
>
> note that the read of head->next & head->prev is not
> protected by READ_ONCE. So the read is free to be
> optimized out entirely. Luckily, this optimization is hard
> for compilers now, since all other accesses are out of
> finish_wait. And still, GCC won't spit aligned accesses
> into multiple instructions so it is atomic so far.
>
> Secondly,
>
> if ( ! list_empty_careful(&wq_entry->entry) ) {
>      <remove entry with spinning-lock>
> }
> <ends stack frame of the function calling finish_wait>
> <overwrites wq_entry with another frame>
>
> and
>
> __wake_up_common()   -->
> <read wq_entry->func>  -->
> <read wq_entry->flags>  -->
> autoremove_wake_function()  -->
> <remove wq_entry->entry from wait queue>  -->
>
> are not properly ordered for SMP so that  <read wq_entry->flags>
> may be reordered after <remove wq_entry->entry from wait queue>
> since no dependency or memory barrier forbids it. This may cause
> <overwrites wq_entry with another frame> on one CPU takes place
> before <read wq_entry->flags> on another CPU and cause
> <read wq_entry->flags> to return bad value.
>
> This behavior is not reported may thank to:
> - few code is using autoremove_wake_function
> - CPU pipeline is not as deep as to make this emerge
>

Hi, mingo, peterz

Would you please have a look at it if it won't waste you much time.
Thanks a lot.

CC scheduler maintainers

Best regards,
Patrick Trol