From: Manfred Spraul
To: LKML, Davidlohr Bueso, Waiman Long
Cc: 1vier1@web.de, Andrew Morton, Peter Zijlstra, Jonathan Corbet, Manfred Spraul
Subject: [PATCH 3/6] ipc/mqueue.c: Update/document memory barriers
Date: Sat, 12 Oct 2019 07:49:55 +0200
Message-Id: <20191012054958.3624-4-manfred@colorfullife.com>
In-Reply-To: <20191012054958.3624-1-manfred@colorfullife.com>
References: <20191012054958.3624-1-manfred@colorfullife.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Update and document memory barriers for mqueue.c:
- ewp->state is read without any locks, thus READ_ONCE is required.
- add smp_acquire__after_ctrl_dep() after the READ_ONCE, we need
  acquire semantics if the value is STATE_READY.
- add an explicit memory barrier to __pipelined_op(), the
  refcount must have been increased before the updated state becomes
  visible
- document why __set_current_state() may be used:
  Reading task->state cannot happen before the wake_q_add() call,
  which happens while holding info->lock. Thus the spin_unlock()
  is the RELEASE, and the spin_lock() is the ACQUIRE.

For completeness: there is also a 3 CPU scenario, if the to be woken
up task is already on another wake_q.
Then:
- CPU1: spin_unlock() of the task that goes to sleep is the RELEASE
- CPU2: the spin_lock() of the waker is the ACQUIRE
- CPU2: smp_mb__before_atomic inside wake_q_add() is the RELEASE
- CPU3: smp_mb__after_spinlock() inside try_to_wake_up() is the ACQUIRE

Signed-off-by: Manfred Spraul
Cc: Waiman Long
Cc: Davidlohr Bueso
---
 ipc/mqueue.c | 32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/ipc/mqueue.c b/ipc/mqueue.c index be48c0ba92f7..b80574822f0a 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c 
@@ -646,18 +646,26 @@ static int wq_sleep(struct mqueue_inode_info *info, int sr, wq_add(info, sr, ewp); for (;;) { + /* memory barrier not required, we hold info->lock */ __set_current_state(TASK_INTERRUPTIBLE); spin_unlock(&info->lock); time = schedule_hrtimeout_range_clock(timeout, 0, HRTIMER_MODE_ABS, CLOCK_REALTIME); - if (ewp->state == STATE_READY) { + if (READ_ONCE(ewp->state) == STATE_READY) { + /* + * Pairs, together with READ_ONCE(), with + * the barrier in __pipelined_op(). + */ + smp_acquire__after_ctrl_dep(); retval = 0; goto out; } spin_lock(&info->lock); - if (ewp->state == STATE_READY) { + + /* we hold info->lock, so no memory barrier required */ + if (READ_ONCE(ewp->state) == STATE_READY) { retval = 0; goto out_unlock; } @@ -925,14 +933,12 @@ static inline void __pipelined_op(struct wake_q_head *wake_q, list_del(&this->list); wake_q_add(wake_q, this->task); /* - * Rely on the implicit cmpxchg barrier from wake_q_add such - * that we can ensure that updating receiver->state is the last - * write operation: As once set, the receiver can continue, - * and if we don't have the reference count from the wake_q, - * yet, at that point we can later have a use-after-free - * condition and bogus wakeup. + * The barrier is required to ensure that the refcount increase + * inside wake_q_add() is completed before the state is updated. + * + * The barrier pairs with READ_ONCE()+smp_mb__after_ctrl_dep(). */ - this->state = STATE_READY; + smp_store_release(&this->state, STATE_READY); } /* pipelined_send() - send a message directly to the task waiting in @@ -1049,7 +1055,9 @@ static int do_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr, } else { wait.task = current; wait.msg = (void *) msg_ptr; - wait.state = STATE_NONE; + + /* memory barrier not required, we hold info->lock */ + WRITE_ONCE(wait.state, STATE_NONE); ret = wq_sleep(info, SEND, timeout, &wait); /* * wq_sleep must be called with info->lock held, and 
@@ -1152,7 +1160,9 @@ static int do_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr, ret = -EAGAIN; } else { wait.task = current; - wait.state = STATE_NONE; + + /* memory barrier not required, we hold info->lock */ + WRITE_ONCE(wait.state, STATE_NONE); ret = wq_sleep(info, RECV, timeout, &wait); msg_ptr = wait.msg; } -- 2.21.0
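
Review bot: In the wq_sleep() hunk (@@ -646), the comment added above __set_current_state(TASK_INTERRUPTIBLE) says only "memory barrier not required, we hold info->lock", while the actual argument lives in the commit message: task->state cannot be read before wake_q_add(), which runs under info->lock, so spin_unlock() is the RELEASE and spin_lock() the ACQUIRE. Please move that reasoning, including the three-CPU case with a task already on another wake_q, into the code comment, since a later reader of mqueue.c will not have the changelog in front of them.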
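
Review bot: In the __pipelined_op() hunk (@@ -925), the new comment names the pairing barrier as smp_mb__after_ctrl_dep(), but the wq_sleep() hunk adds smp_acquire__after_ctrl_dep(); the comment should use that name. The removed comment also said what goes wrong when the state store becomes visible before the wake_q reference is held (a use-after-free and a bogus wakeup); keeping one sentence on that consequence next to smp_store_release() would make it harder for the barrier to be weakened in a later cleanup.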
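
Review bot: In the do_mq_timedsend() hunk (@@ -1049), the comment on WRITE_ONCE(wait.state, STATE_NONE) explains why no barrier is needed but not why the plain store had to become WRITE_ONCE(). Say that it is the marked counterpart of the lockless READ_ONCE(ewp->state) in wq_sleep(), so that the annotation is not later removed as redundant under info->lock.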
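
Review bot: In the do_mq_timedreceive() hunk (@@ -1152), msg_ptr = wait.msg is read immediately after wq_sleep() returns, and on the lockless STATE_READY path in wq_sleep() the ordering visible in this patch for that read is the added smp_acquire__after_ctrl_dep(). A short comment at this read stating that it depends on that acquire would document what the barrier pair protects on the receive side.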