Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp710650ybh;
        Tue, 10 Mar 2020 06:56:14 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vsyWiiDLnIdY/oUXoFDEx67ZzackC42b9WVq1NpibBPN8j9JcTNk/saNP+3sNgLFhYoMaO7
X-Received: by 2002:a05:6808:f:: with SMTP id u15mr1191989oic.124.1583848574622;
        Tue, 10 Mar 2020 06:56:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1583848574; cv=none;
        d=google.com; s=arc-20160816;
        b=RjO6JabCAxtM/o7tTIZh5NsGpKKmP3eMIimu5a9seYGVeWhJeK8y9yKCUpGW6tNGn3
         TYoxrPHjHeRWpIwg09hsXKesonVsdlhScJXeTMbyLKueeQ0al4qv5XHu1XwfHCxAaPBq
         TpGgCykuMQWiQxcZ1JFG8ZFn4ZMpZN9lOAR52V8OwD2pk258yGH3PjWlmBB3Y2Lx/6YY
         NEC7NHM9WjMpaX4leqgeZm/4z0tZ/sXJJJNC2OsEiFZav+Fhz9Yd5bZMkiu9f7K6en8c
         Vso0Vf14qo9ffW5uCFurYqSuXAf1NlCCcrnLfNV45iB9qoAdAZGVqMIUlVMuqsqFPD2K
         7EPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=Chf+Hs5pxwr4sOUzbcriyNuDzMQLunwnRS2Tf0H5Kuc=;
        b=BftIUYLEE22bi6cOQiyWNPzD6r4SE/FWVV0N9vhkSegvL8zt6mgNnIzCnG/HNWOBzS
         KpRzes8KLF2Loj5cfajU/aESCstIh6qPcaArzn6iobnucvjIoe+Zz+t+9168B7RE/HxT
         fGZnuyOiJPHc+3ZHHVedf63UwfR8gESB30VI4vRimLmM/dG9wor4wE9S+qaL4e2Or6hp
         TsDXPf/pZX84jxMqYP+2PGn8qokiqG7gDye/UA/6CvNTcQW/ezn2UnZb2RoLqQLhWs8r
         ILHhIC+EMqaGRDnlQC8TFN0GuCD4OVMP4FtaKo8YpEdDevoI9g84O1VWCs76s2Ii0zxj
         GKqw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m15si7595377otq.324.2020.03.10.06.56.02;
        Tue, 10 Mar 2020 06:56:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726643AbgCJNwd (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 10 Mar 2020 09:52:33 -0400
Received: from foss.arm.com ([217.140.110.172]:37482 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726390AbgCJNwd (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 10 Mar 2020 09:52:33 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5D9E130E;
        Tue, 10 Mar 2020 06:52:32 -0700 (PDT)
Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.121.207.14])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 26C433F6CF;
        Tue, 10 Mar 2020 06:52:31 -0700 (PDT)
Date:   Tue, 10 Mar 2020 13:52:24 +0000
From:   Mark Rutland <mark.rutland@arm.com>
To:     "Paul E. McKenney" <paulmck@kernel.org>
Cc:     David Laight <David.Laight@ACULAB.COM>,
        'Chris Wilson' <chris@chris-wilson.co.uk>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "intel-gfx@lists.freedesktop.org" <intel-gfx@lists.freedesktop.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Randy Dunlap <rdunlap@infradead.org>,
        "stable@vger.kernel.org" <stable@vger.kernel.org>, elver@google.com
Subject: Re: [PATCH] list: Prevent compiler reloads inside 'safe' list
 iteration
Message-ID: <20200310135224.GA54660@lakrids.cambridge.arm.com>
References: <20200310092119.14965-1-chris@chris-wilson.co.uk>
 <2e936d8fd2c445beb08e6dd3ee1f3891@AcuMS.aculab.com>
 <158384100886.16414.15741589015363013386@build.alporthouse.com>
 <723d527a4ad349b78bf11d52eba97c0e@AcuMS.aculab.com>
 <20200310125031.GY2935@paulmck-ThinkPad-P72>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200310125031.GY2935@paulmck-ThinkPad-P72>
User-Agent: Mutt/1.11.1+11 (2f07cb52) (2018-12-01)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 10, 2020 at 05:50:31AM -0700, Paul E. McKenney wrote:
> On Tue, Mar 10, 2020 at 12:23:34PM +0000, David Laight wrote:
> > From: Chris Wilson
> > > Sent: 10 March 2020 11:50
> > > 
> > > Quoting David Laight (2020-03-10 11:36:41)
> > > > From: Chris Wilson
> > > > > Sent: 10 March 2020 09:21
> > > > > Instruct the compiler to read the next element in the list iteration
> > > > > once, and that it is not allowed to reload the value from the stale
> > > > > element later. This is important as during the course of the safe
> > > > > iteration, the stale element may be poisoned (unbeknownst to the
> > > > > compiler).
> > > >
> > > > Eh?
> > > > I thought any function call will stop the compiler being allowed
> > > > to reload the value.
> > > > The 'safe' loop iterators are only 'safe' against called
> > > > code removing the current item from the list.
> > > >
> > > > > This helps prevent kcsan warnings over 'unsafe' conduct in releasing the
> > > > > list elements during list_for_each_entry_safe() and friends.
> > > >
> > > > Sounds like kcsan is buggy ????
> 
> Adding Marco on CC for his thoughts.
> 
> > > The warning kcsan gave made sense (a strange case where the emptying the
> > > list from inside the safe iterator would allow that list to be taken
> > > under a global mutex and have one extra request added to it. The
> > > list_for_each_entry_safe() should be ok in this scenario, so long as the
> > > next element is read before this element is dropped, and the compiler is
> > > instructed not to reload the element.
> > 
> > Normally the loop iteration code has to hold the mutex.
> > I guess it can be released inside the loop provided no other
> > code can ever delete entries.
> > 
> > > kcsan is a little more insistent on having that annotation :)
> > > 
> > > In this instance I would say it was a false positive from kcsan, but I
> > > can see why it would complain and suspect that given a sufficiently
> > > aggressive compiler, we may be caught out by a late reload of the next
> > > element.
> > 
> > If you have:
> > 	for (; p; p = next) {
> > 		next = p->next;
> > 		external_function_call(void);
> > 	}
> > the compiler must assume that the function call
> > can change 'p->next' and read it before the call.
> 
> That "must assume" is a statement of current compiler technology.
> Given the progress over the past forty years, I would not expect this
> restriction to hold forever. 

FWIW, this is exactly the sort of assumption that link time optimization
is likely to render invalid going forward, and LTO is starting to be
used today (e.g. to enable SW CFI stuff with clang).

Given that, I don't think that core kernel primitives can rely on this
assumption.

Thanks,
Mark.