Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp648931ybh;
        Tue, 10 Mar 2020 05:51:18 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vt8U9kymrB/RRNN+Qdk2LYcsMuSUqlX1Tt/Ih5jeO0dmNTx3A1zkA4seL7NqQ9o9+2sncKk
X-Received: by 2002:aca:3f54:: with SMTP id m81mr1007032oia.167.1583844678045;
        Tue, 10 Mar 2020 05:51:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583844678; cv=none;
        d=google.com; s=arc-20160816;
        b=gRcyYyQZ60hCcw8ZE5vyzKiS7V2qtmuRhdNSF7NYi+GjC3sEWVgzkbbkkZb5iJqjs+
         xo/0DfCWjrez21tjYkqyz5TEjUi/VMtUABdVsDkRP9guVvWElRVAzdHUVd2l6x+5o0BF
         rvZtdo8PqcxPrdY47IW+PMOYyW7KSUvvPJvE73HVypiZ0tgYgHJoxoXKh09eeEJ3vmLS
         5SysBlclo6scZ28Zyg3EHFHr7p34gy1MSilwJhzBfOHWF+Simz1Vi6mGmZkH98PR5O84
         4FSAWFIs/LvmTKEoE+DoV/JoA6N8UgSHB/Q7esj/m3wtc7MeSNeGbohZ+EMLpnPQPecI
         gCcw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:date:user-agent:message-id:cc:from
         :subject:to:references:in-reply-to:content-transfer-encoding
         :mime-version;
        bh=cu6a8/dqjC60OBMlVjjVfVL7GqqndDD7/5HalVDvb0M=;
        b=zg5fKaoNpKp/zrnu5TqHvSJG3Y5oonNGvFGwjpLUjp1jpxubp+4RySpD+XT3h9Xn3V
         kWX0KGK5s83+naa9/njjA3jNAWMzhi7ZSanZnonI1A23t8rCH1V/bvH3t5S5nk9uelWn
         oV9ziVrYQNxD35Dem4n9YpDOz0rFfAj4WZKrPmvdsHQIQHI56Je/NoFdvXeeRb8f8EeV
         +vvPxhSTUoi4BwIXxd6nmJQLw1yFQa1wGbmA83qoCsYe4DjWI0Tz8iRLGPvhebkwmgjQ
         2UI5BJYcfNYUcNCzPJiCxzxCwj1l3GmgxsiuIXT7QZxPW1SGT1KvJO0FDWEYCuHb5ZDj
         2owA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w22si5236395oih.103.2020.03.10.05.51.06;
        Tue, 10 Mar 2020 05:51:18 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728575AbgCJMuR convert rfc822-to-8bit (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 10 Mar 2020 08:50:17 -0400
Received: from mail.fireflyinternet.com ([109.228.58.192]:51478 "EHLO
        fireflyinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org
        with ESMTP id S1728558AbgCJMuN (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Mar 2020 08:50:13 -0400
X-Default-Received-SPF: pass (skip=forwardok (res=PASS)) x-ip-name=78.156.65.138;
Received: from localhost (unverified [78.156.65.138]) 
        by fireflyinternet.com (Firefly Internet (M1)) with ESMTP (TLS) id 20508636-1500050 
        for multiple; Tue, 10 Mar 2020 12:50:09 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8BIT
In-Reply-To: <723d527a4ad349b78bf11d52eba97c0e@AcuMS.aculab.com>
References: <20200310092119.14965-1-chris@chris-wilson.co.uk> <2e936d8fd2c445beb08e6dd3ee1f3891@AcuMS.aculab.com> <158384100886.16414.15741589015363013386@build.alporthouse.com> <723d527a4ad349b78bf11d52eba97c0e@AcuMS.aculab.com>
To:     "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        David Laight <David.Laight@ACULAB.COM>
Subject: RE: [PATCH] list: Prevent compiler reloads inside 'safe' list iteration
From:   Chris Wilson <chris@chris-wilson.co.uk>
Cc:     "intel-gfx@lists.freedesktop.org" <intel-gfx@lists.freedesktop.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        "Paul E. McKenney" <paulmck@kernel.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>
Message-ID: <158384460847.16414.11779622376668751989@build.alporthouse.com>
User-Agent: alot/0.8.1
Date:   Tue, 10 Mar 2020 12:50:08 +0000
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Quoting David Laight (2020-03-10 12:23:34)
> From: Chris Wilson
> > Sent: 10 March 2020 11:50
> > 
> > Quoting David Laight (2020-03-10 11:36:41)
> > > From: Chris Wilson
> > > > Sent: 10 March 2020 09:21
> > > > Instruct the compiler to read the next element in the list iteration
> > > > once, and that it is not allowed to reload the value from the stale
> > > > element later. This is important as during the course of the safe
> > > > iteration, the stale element may be poisoned (unbeknownst to the
> > > > compiler).
> > >
> > > Eh?
> > > I thought any function call will stop the compiler being allowed
> > > to reload the value.
> > > The 'safe' loop iterators are only 'safe' against called
> > > code removing the current item from the list.
> > >
> > > > This helps prevent kcsan warnings over 'unsafe' conduct in releasing the
> > > > list elements during list_for_each_entry_safe() and friends.
> > >
> > > Sounds like kcsan is buggy ????
> > 
> > The warning kcsan gave made sense (a strange case where the emptying the
> > list from inside the safe iterator would allow that list to be taken
> > under a global mutex and have one extra request added to it. The
> > list_for_each_entry_safe() should be ok in this scenario, so long as the
> > next element is read before this element is dropped, and the compiler is
> > instructed not to reload the element.
> 
> Normally the loop iteration code has to hold the mutex.
> I guess it can be released inside the loop provided no other
> code can ever delete entries.
> 
> > kcsan is a little more insistent on having that annotation :)
> > 
> > In this instance I would say it was a false positive from kcsan, but I
> > can see why it would complain and suspect that given a sufficiently
> > aggressive compiler, we may be caught out by a late reload of the next
> > element.
> 
> If you have:
>         for (; p; p = next) {
>                 next = p->next;
>                 external_function_call(void);
>         }
> the compiler must assume that the function call
> can change 'p->next' and read it before the call.
> 
> Is this a list with strange locking rules?

Yes.

> The only deletes are from within the loop.

All deletes are within the mutex.

> Adds and deletes are locked.

There's just one special case where after the very last element of all
lists for an engine is removed, a global mutex is taken and one new
element is added to one of the lists to track powering off the engine.

> The list traversal isn't locked.

There's rcu traversal of the list as well.
 
> I suspect kcsan bleats because it doesn't assume the compiler
> will use a single instruction/memory operation to read p->next.
> That is just stupid.

kcsan is looking for a write to a pointer after a read that is not in
the same locking chain. While I have satisfied lockdep that I am not
insane, I'm worrying in case kcsan has a valid objection to the
potential data race in the safe list iterator.
-Chris