Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp5013960ybb;
        Tue, 24 Mar 2020 09:21:46 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vta1Uu1oEn8galh/r4UKHqQUIUfhTBYKVRHCYIUFZsEjomOtNUViMp5np86EMzkvK7Yg86t
X-Received: by 2002:a05:6808:2c7:: with SMTP id a7mr4041739oid.149.1585066906545;
        Tue, 24 Mar 2020 09:21:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585066906; cv=none;
        d=google.com; s=arc-20160816;
        b=enUZImIVERyB1dP1hgZAqPu6VdvZa6LlYvzDttf95bi1jL3N+p9Uzn9Cr4WbkQLVxS
         bCCW64MRMroR28nldgnru+4hDGMXkSFAqnnp3wn56QzukLRDNC2GIC/M5s54fQ1zTe7c
         4LIlFM2VPnZeyvpzuC5xd0cgEOh8zelnIK9uwJQfoYLf8wRjEGzruHiRV1TBKXvN7EyE
         j0zWexUntL2KCZnBrSArrcAfIkoPnBJQBx1Vcqswk607fMk3kB42z6eqWh1ef8q2QLLw
         Q0kq6916eVvBT4Lx9q+O8hWaqjMdLpdGbd9G+U+t8N/MrNBxkGA8Fl0b/CuTQB9SMf+R
         nQDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=WetC+OTmoa1F/pStOSsShJDamwm3VA4jd3O6GhechcE=;
        b=JtPNSq7YkLGJ+S8XS7N/2nhc+wVn35u2uIJp8ryZZZKgzabFRX3wktb561YUYErbv+
         69rH8RKE7eIHhoJlFlljr0es9Qpv/WK2Be6795KRH9SvD8ZVgiKc1k+P0hVOCjvKX1YD
         HdbleprB1+hH9OYnt0LwJIUv1w2HJcO95/OPdilnHm064d4ozWCO4lU8UFg7mHodF3ae
         BYdIF5+7wycni4D2LDMGny4FQ3mL9ELs0xUF6fBvGWmfHbmPL+0WbF0JiP5/2Ia0kxwO
         7vs3pvQrOtrLfS+iapxoznnRWyNJnXEoqglmPZl7TSwf5nX4o6vJxd/URBZeiA+XjbNj
         oJbg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=FTjWpNCM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e11si8917906oie.254.2020.03.24.09.21.32;
        Tue, 24 Mar 2020 09:21:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=FTjWpNCM;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727733AbgCXQVP (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Tue, 24 Mar 2020 12:21:15 -0400
Received: from mail-lj1-f194.google.com ([209.85.208.194]:40660 "EHLO
        mail-lj1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727444AbgCXQVO (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 24 Mar 2020 12:21:14 -0400
Received: by mail-lj1-f194.google.com with SMTP id 19so19211631ljj.7
        for <linux-kernel@vger.kernel.org>; Tue, 24 Mar 2020 09:21:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=WetC+OTmoa1F/pStOSsShJDamwm3VA4jd3O6GhechcE=;
        b=FTjWpNCMWZ7J/cDwT7gbDhaA/pRp8gQKYkbFQhUW5wQAwOKIkaV9G2GVjhPz9xJ4tA
         Kqzf5dD0Bajzl9EAEO4f6whv4NX8eA/FfzF5DTYIsBFQs32Vo06qDD+4aYIPP+wZumbj
         BtfvrTbCVZZ1N4vPaWdLH7zdwuQkpdZ2yntOgDeJv4/KlxlFSrsd1tKdM1mWD0oZXN5/
         gIw5KlVo84WVEfvqL8mbjG/xa9GwOOgQg1D5gcT+KIEZq5KG+lUn+BMBhtz1F+dLdXy+
         0asjvCtYt2SJ8j7qH3/9ytFMTBFOVcN6qjyKRejvO1oBZzfl9y+G6DEm/7UXe6gOUMMf
         lYMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=WetC+OTmoa1F/pStOSsShJDamwm3VA4jd3O6GhechcE=;
        b=JIKNZdE1dcYWxPLKGdO+KoiauqLm6ekyR427KNhstNG3G7t6xZug0/Cygk9WwJghpx
         RNG8QLaiBFNcsdBRqaNaSuv1gAMFZJIc8uIdmt2SWn1tWF0IOoI+yWARTt7q73rWIecO
         VcNQeHFgTx9ShMO1tcuP6sog8PbOexo2gcEYZBgmjF72bZVR6Kz/5dCPETkSdqkhssUo
         ma8dkapArXajtf1dDcHb2yy/wGnDHuM2uPwtkw+qnLIf4ego/ZEtqW/5o8aF8jjBzXqb
         nmkT27KVwYn9OjZh7ZzXi0ZC5qetjCuYr+CqId5w5zOBFATrNzbHM8xD4Q7cM0spFn0m
         qVPw==
X-Gm-Message-State: ANhLgQ19NU9umixVHFZdgx7BMKDii94O2SwijLtQxbatfUzPU3jIZveQ
        /i+Ruf13h5Q0FFkrmLvkqaOHjOO17+TGwaMLSCMDhA==
X-Received: by 2002:a2e:89c1:: with SMTP id c1mr16656055ljk.215.1585066872395;
 Tue, 24 Mar 2020 09:21:12 -0700 (PDT)
MIME-Version: 1.0
References: <20200324153643.15527-1-will@kernel.org> <20200324153643.15527-4-will@kernel.org>
In-Reply-To: <20200324153643.15527-4-will@kernel.org>
From:   Jann Horn <jannh@google.com>
Date:   Tue, 24 Mar 2020 17:20:45 +0100
Message-ID: <CAG48ez1yTbbXn__Kf0csf8=LCFL+0hR0EyHNZsryN8p=SsLp5Q@mail.gmail.com>
Subject: Re: [RFC PATCH 03/21] list: Annotate lockless list primitives with data_race()
To:     Will Deacon <will@kernel.org>
Cc:     kernel list <linux-kernel@vger.kernel.org>,
        Eric Dumazet <edumazet@google.com>,
        Kees Cook <keescook@chromium.org>,
        Maddie Stone <maddiestone@google.com>,
        Marco Elver <elver@google.com>,
        "Paul E . McKenney" <paulmck@kernel.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        kernel-team <kernel-team@android.com>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 24, 2020 at 4:37 PM Will Deacon <will@kernel.org> wrote:
> Some list predicates can be used locklessly even with the non-RCU list
> implementations, since they effectively boil down to a test against
> NULL. For example, checking whether or not a list is empty is safe even
> in the presence of a concurrent, tearing write to the list head pointer.
> Similarly, checking whether or not an hlist node has been hashed is safe
> as well.
>
> Annotate these lockless list predicates with data_race() and READ_ONCE()
> so that KCSAN and the compiler are aware of what's going on. The writer
> side can then avoid having to use WRITE_ONCE() in the non-RCU
> implementation.
[...]
>  static inline int list_empty(const struct list_head *head)
>  {
> -       return READ_ONCE(head->next) == head;
> +       return data_race(READ_ONCE(head->next) == head);
>  }
[...]
>  static inline int hlist_unhashed(const struct hlist_node *h)
>  {
> -       return !READ_ONCE(h->pprev);
> +       return data_race(!READ_ONCE(h->pprev));
>  }

This is probably valid in practice for hlist_unhashed(), which
compares with NULL, as long as the most significant byte of all kernel
pointers is non-zero; but I think list_empty() could realistically
return false positives in the presence of a concurrent tearing store?
This could break the following code pattern:

/* optimistic lockless check */
if (!list_empty(&some_list)) {
  /* slowpath */
  mutex_lock(&some_mutex);
  list_for_each(tmp, &some_list) {
    ...
  }
  mutex_unlock(&some_mutex);
}

(I'm not sure whether patterns like this appear commonly though.)