Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp4523897ybp;
        Mon, 14 Oct 2019 06:06:59 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzCssHhYNMcOPLzHWfGnAqsb7mNTCQCGdvjWKIIhZ15//kPWQQVT0wykzwbNKZaWILpySEi
X-Received: by 2002:aa7:cfd4:: with SMTP id r20mr27800607edy.268.1571058419668;
        Mon, 14 Oct 2019 06:06:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571058419; cv=none;
        d=google.com; s=arc-20160816;
        b=Ys3u0FlFbv96hNmerGGVFSXkcVYxZlljx/r1BEBgOCoPkGiFblBsub8HlX/4vbjUbL
         GenSAJsjXkt2o88HBLzC4wnnjFZbyHXThBjdev8K8uknhqPP6zjRa3v7CxUtAharN+jO
         WFeoAqXwoJTIDrIzEVmkqHGh41v9Vi4mHEP7Db9Ev7cw1r3r4INqMFc12Pr4HtN/5cup
         7kEZfAF+WtUatYlJv1dfiBJGFayGemBxGl9cR3Zt/v9ioYCz9vKMBCiP4y/PBlm61j3j
         pzQRbd9KeRvDEdJKWolfzjbNP4ooRR19TN2tGUYuE4plHoftC1+0k5BHXmFpGcjGMLSB
         teqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=nYZzMOWo5U02mAyXOr7p02iwmu148eoTzwjxG/FDO3s=;
        b=iF/Dbyt8rFl4fpHJvmVHbm2EQr3NLSGkG9Vg4C6quab/uClqkP1k/707+Le7VvAiwv
         D5wqp7vFeL0CuXDkLb3tTjkKNLrEoje6ckD2r6JCBHczV4EryvT9HnMCL0PmyduxYvNt
         Lkq3xJibKJSoagjHXDFUv/3v3T4AyG46EZLOlvjG+UOIPpk9VYDJk4UDjwDREijjUNjw
         snjE0XcAtOB/y4zrh3jown6Al6JwdD/OZi9bex6K57fs/m9iscGW61Mi7tFhH9p0Fet7
         kkMb2QsFJ+w/gfYV7wyWkOEceEtQpf4bUhjavE6EMjpjKOvQRJjf6FrVRGO4hJRByuem
         0/UA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=PWct1W3w;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o32si12364106edc.306.2019.10.14.06.06.36;
        Mon, 14 Oct 2019 06:06:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=PWct1W3w;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731725AbfJNM7Y (ORCPT <rfc822;jekfish0@gmail.com> + 99 others);
        Mon, 14 Oct 2019 08:59:24 -0400
Received: from merlin.infradead.org ([205.233.59.134]:56724 "EHLO
        merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730102AbfJNM7Y (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Oct 2019 08:59:24 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
        d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version:
        References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To:
        Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:
        Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id:
        List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
         bh=nYZzMOWo5U02mAyXOr7p02iwmu148eoTzwjxG/FDO3s=; b=PWct1W3w0TghcRBnhM90SUTun
        v3LagxB7rjb9DCB5iJr71NmQb9YShqHhpXni4vTOG3tcpPnuljX8dH913o6ElAWUsQnzJU0xcZufy
        F1n+2Yi4Gak23LPEXSAJ8rNQLZPv0bYLy7qbBX7ruSNTnxAPNU+GPaIBWrF5LoLgJat/7gVlQ/+Af
        7eWkzirnCFtdMz7qEkcr7szuOuSmemDcjJyQkg7n+3DRwZk/wcBiqNHvO+4V0RAyQ9a1wx3BmTAs9
        3FrIxy+pz0yyJkmJ/BEielsCttbVqJ+rANwNq+sya0nugJb53uADqt71wrtm61ogl0TcVc1ggCNpR
        E0ADpQ6Jw==;
Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=noisy.programming.kicks-ass.net)
        by merlin.infradead.org with esmtpsa (Exim 4.92.3 #3 (Red Hat Linux))
        id 1iJzwQ-0000Ua-Qj; Mon, 14 Oct 2019 12:59:15 +0000
Received: from hirez.programming.kicks-ass.net (hirez.programming.kicks-ass.net [192.168.1.225])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client did not present a certificate)
        by noisy.programming.kicks-ass.net (Postfix) with ESMTPS id 0CE00305E42;
        Mon, 14 Oct 2019 14:58:17 +0200 (CEST)
Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000)
        id EE6A82829A4C8; Mon, 14 Oct 2019 14:59:11 +0200 (CEST)
Date:   Mon, 14 Oct 2019 14:59:11 +0200
From:   Peter Zijlstra <peterz@infradead.org>
To:     Manfred Spraul <manfred@colorfullife.com>
Cc:     LKML <linux-kernel@vger.kernel.org>,
        Davidlohr Bueso <dave@stgolabs.net>,
        Waiman Long <longman@redhat.com>, 1vier1@web.de,
        Andrew Morton <akpm@linux-foundation.org>,
        Jonathan Corbet <corbet@lwn.net>
Subject: Re: [PATCH 3/6] ipc/mqueue.c: Update/document memory barriers
Message-ID: <20191014125911.GF2328@hirez.programming.kicks-ass.net>
References: <20191012054958.3624-1-manfred@colorfullife.com>
 <20191012054958.3624-4-manfred@colorfullife.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20191012054958.3624-4-manfred@colorfullife.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Oct 12, 2019 at 07:49:55AM +0200, Manfred Spraul wrote:

>  	for (;;) {
> +		/* memory barrier not required, we hold info->lock */
>  		__set_current_state(TASK_INTERRUPTIBLE);
>  
>  		spin_unlock(&info->lock);
>  		time = schedule_hrtimeout_range_clock(timeout, 0,
>  			HRTIMER_MODE_ABS, CLOCK_REALTIME);
>  
> +		if (READ_ONCE(ewp->state) == STATE_READY) {
> +			/*
> +			 * Pairs, together with READ_ONCE(), with
> +			 * the barrier in __pipelined_op().
> +			 */
> +			smp_acquire__after_ctrl_dep();
>  			retval = 0;
>  			goto out;
>  		}
>  		spin_lock(&info->lock);
> +
> +		/* we hold info->lock, so no memory barrier required */
> +		if (READ_ONCE(ewp->state) == STATE_READY) {
>  			retval = 0;
>  			goto out_unlock;
>  		}
> @@ -925,14 +933,12 @@ static inline void __pipelined_op(struct wake_q_head *wake_q,
>  	list_del(&this->list);
>  	wake_q_add(wake_q, this->task);
>  	/*
> +	 * The barrier is required to ensure that the refcount increase
> +	 * inside wake_q_add() is completed before the state is updated.

fails to explain *why* this is important.

> +	 *
> +	 * The barrier pairs with READ_ONCE()+smp_mb__after_ctrl_dep().
>  	 */
> +        smp_store_release(&this->state, STATE_READY);

You retained the whitespace damage.

And I'm terribly confused by this code, probably due to the lack of
'why' as per the above. What is this trying to do?

Are we worried about something like:

	A			B				C


				wq_sleep()
				  schedule_...();

								/* spuriuos wakeup */
								wake_up_process(B)

	wake_q_add(A)
	  if (cmpxchg()) // success

	->state = STATE_READY (reordered)

				  if (READ_ONCE() == STATE_READY)
				    goto out;

				exit();


	    get_task_struct() // UaF


Can we put the exact and full race in the comment please?