Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3479828ybb; Tue, 31 Mar 2020 06:12:38 -0700 (PDT) X-Google-Smtp-Source: ADFU+vslDsdKjXCIo21s4JFyXMKq84J2SPmAWXKtRFTk7Pg6Pzgp7NpIeprIwVC20D1Dfi6VJLoj X-Received: by 2002:a4a:d746:: with SMTP id h6mr13069498oot.21.1585660358828; Tue, 31 Mar 2020 06:12:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585660358; cv=none; d=google.com; s=arc-20160816; b=qxcyueBUcnSH77xmi8KIDM/rjuUI+4m4FkGYGpNGDR8p3CN598r/atAi+6OBV6VWT8 YDWQCiQf7a0aEjWnY9bpopQDD/lCRfDA7aPgyKiyNJNBIfvLZWme7JmS7xpydtdpkkMi qutbGVWRsR7KXrzFHrOcgPHb9I0mGTv/mOMh0Ms2LktA4jJvNhc+OJlgLtPJeS5V1N+J dZ39umCd1a/fpKOjkhrAiVVKBO+NXeMpx2/uPeY00C4xmpSJTFNzQoDGPOyv0O3O8x0N bEVaxwO0CWSjJhxv9bT3YdvR8WwxOUfd/IgmKsb+fgmRlA3/l+YUP8xp/F5UxyhLw4Zi ntPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=S2TlDKMCLvxfl/8YsMqawQy6YK+psiNPGqz83w1GhMo=; b=lkyx+Toei9yArh5fzRKvUUCFr7RooA0ZnG69QFWRIGa06jkPC/L1sghIwK7B+EVPH/ M/nSj3yYdBB/lmiCpvbqiiRePkKUPJ2tKWJIuwZC/QNKRf8MvjWOtZlQmQq9XHZpCUTH sY5IJHoBV4Sgv62ASMbQRxx7o4N8rdT/uNWg60MZfZTqPuAZLG8miv+B476O5QrUVAxP 5d3NuD5ZYTUfjW65zNF8BbF4Ly1j5xs4APMefSvoXepxRZwgtjr7ufFuZ1UMslOY253l Vy7mQa5dMR6BC/GE64mGNf7BY4VQR+MqeeS9Kw2RgIvRNBWk7GFLBnUEkn7ZyZ2bZroc hIig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Z4uoSLgM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v2si7821725oov.20.2020.03.31.06.12.26; Tue, 31 Mar 2020 06:12:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Z4uoSLgM; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730818AbgCaNKJ (ORCPT + 99 others); Tue, 31 Mar 2020 09:10:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:39362 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730473AbgCaNKJ (ORCPT ); Tue, 31 Mar 2020 09:10:09 -0400 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DA38C206F5; Tue, 31 Mar 2020 13:10:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585660208; bh=ts/jwCIfi83GogPG5jQKnlmOLa3e5lymvLi0SUUKZxQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Z4uoSLgMdWSrhvR+cLyS50YXcM/8YIApUCCqSAdaLXZzv6keHgUATjrrGX6OC9ohA 9LHEth9UJklbVgScbX297IS6DdvFPQKRNqNXOepFq61AnlIWxmHQMyFJ1WfYr9XJXI Z1sAyxQN20CP8gTCBEE6NiK+BURMf7PGrqIaP+mc= Date: Tue, 31 Mar 2020 14:10:03 +0100 From: Will Deacon To: Marco Elver Cc: LKML , Eric Dumazet , Jann Horn , Kees Cook , Maddie Stone , "Paul E . McKenney" , Peter Zijlstra , Thomas Gleixner , kernel-team@android.com, kernel-hardening@lists.openwall.com Subject: Re: [RFC PATCH 03/21] list: Annotate lockless list primitives with data_race() Message-ID: <20200331131002.GA30975@willie-the-truck> References: <20200324153643.15527-1-will@kernel.org> <20200324153643.15527-4-will@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 24, 2020 at 05:23:30PM +0100, Marco Elver wrote: > On Tue, 24 Mar 2020 at 16:37, Will Deacon wrote: > > Some list predicates can be used locklessly even with the non-RCU list > > implementations, since they effectively boil down to a test against > > NULL. For example, checking whether or not a list is empty is safe even > > in the presence of a concurrent, tearing write to the list head pointer. > > Similarly, checking whether or not an hlist node has been hashed is safe > > as well. > > > > Annotate these lockless list predicates with data_race() and READ_ONCE() > > so that KCSAN and the compiler are aware of what's going on. The writer > > side can then avoid having to use WRITE_ONCE() in the non-RCU > > implementation. > > > > Cc: Paul E. McKenney > > Cc: Peter Zijlstra > > Cc: Marco Elver > > Signed-off-by: Will Deacon > > --- > > include/linux/list.h | 10 +++++----- > > include/linux/list_bl.h | 5 +++-- > > include/linux/list_nulls.h | 6 +++--- > > include/linux/llist.h | 2 +- > > 4 files changed, 12 insertions(+), 11 deletions(-) > > > > diff --git a/include/linux/list.h b/include/linux/list.h > > index 4fed5a0f9b77..4d9f5f9ed1a8 100644 > > --- a/include/linux/list.h > > +++ b/include/linux/list.h > > @@ -279,7 +279,7 @@ static inline int list_is_last(const struct list_head *list, > > */ > > static inline int list_empty(const struct list_head *head) > > { > > - return READ_ONCE(head->next) == head; > > + return data_race(READ_ONCE(head->next) == head); > > Double-marking should never be necessary, at least if you want to make > KCSAN happy. From what I gather there is an unmarked write somewhere, > correct? In that case, KCSAN will still complain because if it sees a > race between this read and the other write, then at least one is still > plain (the write). Ok, then I should drop the data_race() annotation and stick to READ_ONCE(), I think (but see below). > Then, my suggestion would be to mark the write with data_race() and > just leave this as a READ_ONCE(). Having a data_race() somewhere only > makes KCSAN stop reporting the race if the paired access is also > marked (be it with data_race() or _ONCE, etc.). The problem with taking that approach is that it ends up much of the list implementation annotated with either WRITE_ONCE() or data_race(), meaning that concurrent, racy list operations will no longer be reported by KCSAN. I think that's a pretty big deal and I'm strongly against annotating the internals of library code such as this because it means that buggy callers will largely go undetected. The situation we have here is that some calls, e.g. hlist_empty() are safe even in the presence of a racy write and I'd like to suppress KCSAN reports without annotating the writes at all. > Alternatively, if marking the write is impossible, you can surround > the access with kcsan_disable_current()/kcsan_enable_current(). Or, as > a last resort, just leaving as-is is fine too, because KCSAN's default > config (still) has KCSAN_ASSUME_PLAIN_WRITES_ATOMIC selected. Hmm, I suppose some bright spark will want to change the default at the some point though, no? ;) I'll look at using kcsan_disable_current()/kcsan_enable_current(), thanks. Will