Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp3793449ybv; Mon, 10 Feb 2020 06:31:52 -0800 (PST) X-Google-Smtp-Source: APXvYqyQKi8U/dtKLpu0y4z4bizpqMeOJWJ0d9faIZ0b6JejT0+yCy25yEMVlibQiVsX3kj04J9/ X-Received: by 2002:a9d:6b84:: with SMTP id b4mr1321302otq.190.1581345111896; Mon, 10 Feb 2020 06:31:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581345111; cv=none; d=google.com; s=arc-20160816; b=u0yNpJZC9cInB9e3B8hNKYFvjRCkakqpCiEQvr5CbUOVQs3MIAKFEBlSYo7GXflcLx BsG+1YDuVJw6KNhD0ff9wZJdUTfskGeC5ohq828sjGngVsQlO2wANT5Q3xLc8m2r0rde Q8r1ng5qeBTn/8XvfD2s/Z0xqOwuyGLvhFxQRApxPBXQni79L1tcLYAoTPdEhn2E02/g GF7v1kxNN8i51hLQEo8LUv8qpxoYLQFvYdDyg9cWPK6ENVS7AEByCoZsMGMWmiZ9+QMH X/zKZtjqFbGsOM+Ex7DFQfBVEeMr66DolonDI267lFr5Wm2D+zYOdci20FF13Ft1dIt1 hVBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=qcAgZw/ui3CLohL6PVMtRlohm+XOB+CMbaeiCefL8Tw=; b=RX0hBcmH60WxCb8DBAecXtKxNAVzAKHxRlxregHt/p/hUbuPnKNsqK0czm79C8tVBO xPf98bfPNmd5B9z94P9/gq7MM2nRFt718hy4pPC7eMt1Lj6yFGzSBz4kAQUEBAQjk7rY 4/to4423P3rcykYjinwiK5W66EjtQeY38STCa5dqOQbDmQRCaUaucW71cuLbxlyUpnp5 1ZtCyKAtR9mzsB/PM2ZEZ/GpvfhJQCQWuJQDofr9Cr5xPtIrGgSmG/QIOX9HUcIQ/4sf NC8vYzOJzMk4NET1n4C8UuhY83jaKqrjvhKkKXVIkAAQ4lg9KkS06rK0iZM+E6XP/b6P hKUA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b="XXf5//gt"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a4si244591otq.98.2020.02.10.06.31.39; Mon, 10 Feb 2020 06:31:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b="XXf5//gt"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728342AbgBJObQ (ORCPT + 99 others); Mon, 10 Feb 2020 09:31:16 -0500 Received: from mail-qk1-f196.google.com ([209.85.222.196]:43258 "EHLO mail-qk1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727120AbgBJObQ (ORCPT ); Mon, 10 Feb 2020 09:31:16 -0500 Received: by mail-qk1-f196.google.com with SMTP id p7so1684601qkh.10 for ; Mon, 10 Feb 2020 06:31:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lca.pw; s=google; h=message-id:subject:from:to:cc:date:in-reply-to:references :mime-version:content-transfer-encoding; bh=qcAgZw/ui3CLohL6PVMtRlohm+XOB+CMbaeiCefL8Tw=; b=XXf5//gtn9ah4o1Dg3ynTtJvV9QlT9wOauHez+XKzTaZBmpDuv7nb/+Aq5XchwD5qp Cb5yGuRptx8TFxSSM0Ke++M0aRlmnhjBMX+wqCZ/mZuLeA8oRDwx2PAFYW2zQJnbGTYh orbTORk0adPsno9WyR3BbkHdALwJc7sln8jqXZjh6wO+pd1G5KXUO5rqHVcwUbU7B7eu BxYvkPhwwXewl/+rCl6Z34+jl1nTUAIaPHS3WZzLKXy4KmKB0J7Bg/fuTVl2WA/ovjRi VIIcKSKU4+e6S+E5MD1jRpQERWH34lyO4oJMdxrBREzLi4r5aVCzQPTa5MgFRiQNn8Gm NCjQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=qcAgZw/ui3CLohL6PVMtRlohm+XOB+CMbaeiCefL8Tw=; b=qaT1Z3TAINFm0onMEw1zzJhaPXHODR7esQLdT6hdqfEY0MXmEKPlJ3qNzyZmmjabxs BoPoZhN02JFmWfdw0GiDHA0Uv/C0g86PVsvh3Tp4L6h/bF2fbmCuxGqlAUifsDoEocaF 9lqc3DI9xZv2ZXPof5e2Uxu1cRn50PnMEnPqMikLm0i5w/tPqDysGY0yMV1qPwiQCAnR d8YLLREGhsJGLJXCrkZ/W1dDLMfNEhibUjLJ8wYJOt09FInXUnB6WgfddRVQda7ioVb8 YN6BLTRk/CcWH8XPa9pzwkFfHRai3r75Nz32ey7rHOySEUdnXNkTp2kBiAHuDLZTOcYl q3Ew== X-Gm-Message-State: APjAAAVNqawDebMX5b3orK+tEOcy/XsshRYNVPGJDTRkgTmZKSpprgVd 5zqoKBfA73HWojiDCkCAsCfKOQ== X-Received: by 2002:a37:270b:: with SMTP id n11mr1631942qkn.26.1581345074983; Mon, 10 Feb 2020 06:31:14 -0800 (PST) Received: from dhcp-41-57.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id r12sm200397qkm.94.2020.02.10.06.31.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 10 Feb 2020 06:31:14 -0800 (PST) Message-ID: <1581345072.7365.30.camel@lca.pw> Subject: Re: [PATCH] mm: fix a data race in put_page() From: Qian Cai To: Marco Elver Cc: John Hubbard , Jan Kara , David Hildenbrand , Andrew Morton , ira.weiny@intel.com, Dan Williams , Linux Memory Management List , Linux Kernel Mailing List , "Paul E. McKenney" , kasan-dev Date: Mon, 10 Feb 2020 09:31:12 -0500 In-Reply-To: References: <26B88005-28E6-4A09-B3A7-DC982DABE679@lca.pw> <1581341769.7365.25.camel@lca.pw> <1581342954.7365.27.camel@lca.pw> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.22.6 (3.22.6-10.el7) Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 2020-02-10 at 15:12 +0100, Marco Elver wrote: > On Mon, 10 Feb 2020 at 14:55, Qian Cai wrote: > > > > On Mon, 2020-02-10 at 14:38 +0100, Marco Elver wrote: > > > On Mon, 10 Feb 2020 at 14:36, Qian Cai wrote: > > > > > > > > On Mon, 2020-02-10 at 13:58 +0100, Marco Elver wrote: > > > > > On Mon, 10 Feb 2020 at 13:16, Qian Cai wrote: > > > > > > > > > > > > > > > > > > > > > > > > > On Feb 10, 2020, at 2:48 AM, Marco Elver wrote: > > > > > > > > > > > > > > Here is an alternative: > > > > > > > > > > > > > > Let's say KCSAN gives you this: > > > > > > > /* ... Assert that the bits set in mask are not written > > > > > > > concurrently; they may still be read concurrently. > > > > > > > The access that immediately follows is assumed to access those > > > > > > > bits and safe w.r.t. data races. > > > > > > > > > > > > > > For example, this may be used when certain bits of @flags may > > > > > > > only be modified when holding the appropriate lock, > > > > > > > but other bits may still be modified locklessly. > > > > > > > ... > > > > > > > */ > > > > > > > #define ASSERT_EXCLUSIVE_BITS(flags, mask) .... > > > > > > > > > > > > > > Then we can write page_zonenum as follows: > > > > > > > > > > > > > > static inline enum zone_type page_zonenum(const struct page *page) > > > > > > > { > > > > > > > + ASSERT_EXCLUSIVE_BITS(page->flags, ZONES_MASK << ZONES_PGSHIFT); > > > > > > > return (page->flags >> ZONES_PGSHIFT) & ZONES_MASK; > > > > > > > } > > > > > > > > > > > > > > This will accomplish the following: > > > > > > > 1. The current code is not touched, and we do not have to verify that > > > > > > > the change is correct without KCSAN. > > > > > > > 2. We're not introducing a bunch of special macros to read bits in various ways. > > > > > > > 3. KCSAN will assume that the access is safe, and no data race report > > > > > > > is generated. > > > > > > > 4. If somebody modifies ZONES bits concurrently, KCSAN will tell you > > > > > > > about the race. > > > > > > > 5. We're documenting the code. > > > > > > > > > > > > > > Anything I missed? > > > > > > > > > > > > I don’t know. Having to write the same line twice does not feel me any better than data_race() with commenting occasionally. > > > > > > > > > > Point 4 above: While data_race() will ignore cause KCSAN to not report > > > > > the data race, now you might be missing a real bug: if somebody > > > > > concurrently modifies the bits accessed, you want to know about it! > > > > > Either way, it's up to you to add the ASSERT_EXCLUSIVE_BITS, but just > > > > > remember that if you decide to silence it with data_race(), you need > > > > > to be sure there are no concurrent writers to those bits. > > > > > > > > Right, in this case, there is no concurrent writers to those bits, so I'll add a > > > > comment should be sufficient. However, I'll keep ASSERT_EXCLUSIVE_BITS() in mind > > > > for other places. > > > > > > Right now there are no concurrent writers to those bits. But somebody > > > might introduce a bug that will write them, even though they shouldn't > > > have. With ASSERT_EXCLUSIVE_BITS() you can catch that. Once I have the > > > patches for this out, I would consider adding it here for this reason. > > > > Surely, we could add many of those to catch theoretical issues. I can think of > > more like ASSERT_HARMLESS_COUNTERS() because the worry about one day someone > > might change the code to use counters from printing out information to making > > important MM heuristic decisions. Then, we might end up with those too many > > macros situation again. The list goes on, ASSERT_COMPARE_ZERO_NOLOOP(), > > ASSERT_SINGLE_BIT() etc. > > I'm sorry, but the above don't assert any quantifiable properties in the code. > > What we want is to be able to catch bugs that violate the *current* > properties of the code *today*. A very real property of the code > *today* is that nobody should modify zonenum without taking a lock. If > you mark the access here, there is no tool that can help you. I'm > trying to change that. > > The fact that we have bits that can be modified locklessly and some > that can't is an inconvenience, but can be solved. > > Makes sense? OK, go ahead adding it if you really feel like. I'd hope this is not the Pandora's box where people will eventually find more way to assert quantifiable properties in the code only to address theoretical issues... > > Thanks, > -- Marco > > > On the other hand, maybe to take a more pragmatic approach that if there are > > strong evidences that developers could easily make mistakes in a certain place, > > then we could add a new macro, so the next time Joe developer wants to a new > > macro, he/she has to provide the same strong justifications? > > > > > > > > > > > > > > > There is no way to automatically infer all over the kernel which bits > > > > > we care about, and the most reliable is to be explicit about it. I > > > > > don't see a problem with it per se. > > > > > > > > > > Thanks, > > > > > -- Marco