Received: by 2002:a05:6a10:1a4d:0:0:0:0 with SMTP id nk13csp502222pxb; Mon, 7 Feb 2022 17:07:10 -0800 (PST) X-Google-Smtp-Source: ABdhPJzFc6dAf9B5kFW9UNw676aMtJbuNh2yGbIhZxaAopcOcgO24+6OL+DBa1XuVIjZAG4p+d/z X-Received: by 2002:a17:907:8316:: with SMTP id mq22mr1786938ejc.46.1644282430717; Mon, 07 Feb 2022 17:07:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1644282430; cv=none; d=google.com; s=arc-20160816; b=fk/W3PZPhPhR09Qp4F6z+yXTwCv8apSRV5t8rssWdFBQgfxORj3qo7C1z0uQa60DF5 VMQ7eg6NQLt3mdfbXpPU2xB4m5rhsJyOV8z90Hv8INB9LC899+4gIamUGqK195XCUzAn 8qiKmU129+2UAiBtOs8GP6jFTQ5bGdBF+o8jfpuJY+A1mFOnmOssem3FvOdKDx55pWYw lLnh+0GrXREJEeQB9PeR2MqNgKoXmDliJmjQ3/y8hINRAFZ05z0ZP3Uky2vCFVznxcWD EDKUrB+FnHmc+j0l102QJKR1bxzJnjNOllpf203m36MMbPoUAgGL3ctGQl5ZMwSdGZI3 JipQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:mime-version :dkim-signature; bh=yRS0jwicXufc7zZ+ZjLAedvo4qD1/VIqyE355apXrv8=; b=pJk/LDQ6ssBF9DTOY6Gjtx3e0tejb4SmpKzTpStEjXzW75GaMJVbeeoWCgGEMRqKVP qkxtKpFL4H/EFm4P7TuSvkDMhHIMcWQXIGl6THpu1ynxdHPll3aBV7c2No8idc4w3N8f wb4qgqvb+RB5hnI1SMxEHNXeDWAYvt2UWIA3ZV9agEE9tk3sN822vEDnaQL7X54SNG21 SP6c/ydS2fDSHc3OFSQhoH+DAePQTcVYZB3cojt+1XGBBsZ4/4qkklNXU5hY1HtJMWBb Me15VpF6JzCRcI8YGgiTB75L6vXdH4Mta8UJjsM12EniKZgKcbi1Y27iDgt/6FVATIw8 eJmQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=bbWNLUnN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id q10si9278640edd.174.2022.02.07.17.06.46; Mon, 07 Feb 2022 17:07:10 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=bbWNLUnN; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1358990AbiBGP3w (ORCPT + 99 others); Mon, 7 Feb 2022 10:29:52 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39746 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1443868AbiBGPQI (ORCPT ); Mon, 7 Feb 2022 10:16:08 -0500 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 55C03C03E96D for ; Mon, 7 Feb 2022 07:15:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1644246945; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=yRS0jwicXufc7zZ+ZjLAedvo4qD1/VIqyE355apXrv8=; b=bbWNLUnN/+aOIdXG1SWJgPcKTauFo5YCyt0aZdXi18iyjqUN1UhkmHfmTQaP0x2CK7jF+b zKV2Dm+6l+IYzapCGXW8mvWFNJY+A1Uugg08ApcuXvcoDJR8Y4IXq3YV+LVAL0k4CeIlAM fsWErq2OjR6SnSU+UjabzclbZh74L3o= Received: from mail-yb1-f198.google.com (mail-yb1-f198.google.com [209.85.219.198]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-631-neyFT63nOFSBzSrThIra2Q-1; Mon, 07 Feb 2022 10:15:44 -0500 X-MC-Unique: neyFT63nOFSBzSrThIra2Q-1 Received: by mail-yb1-f198.google.com with SMTP id y4-20020a5b0f44000000b00611862e546dso28936959ybr.7 for ; Mon, 07 Feb 2022 07:15:44 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=yRS0jwicXufc7zZ+ZjLAedvo4qD1/VIqyE355apXrv8=; b=moJpIyCz1nySaZkEp7fbRGrsgsXyG0TFOmAs9VibSvIYrT/adAvJVpyliKXRszZCYg zFNbtxPk92pblZrDAhv1zN6EnRzSh4mAVzB6paV4VIuyNtAquyDPMAG9PELdYMGHom5a e1P5awx6fqRWJ9wOGgscZeQpTIJNz82a6rMJdmCrCOBH0wpxQPMjqKTuxeVS7zi5vCaf YQfMZbh4VxtXlKbg3NMUxMFV+f9w666GyN9lszJigKk7/eF9CMbHMLBzj1sIiwWmVy27 ZwOMriFg81kGX+96cvFX3QUiNG8woOH+uRJld/md2q2CymsoAWfR7Vc1vN7LDKr0eaBN 2d6Q== X-Gm-Message-State: AOAM530BGCgNGSUSlgxs5B6VUX3Ux4++ky2XK2eGiu+h4IWCKIddIReB zuOGifyFHsZhrI5RUgBHo+dhrwoSBJT3PqZOnYL1BPdU/+YAx+SQ5ZSLOjLjQUU929PyVSWobda 3JhhzAD7NLn15fjy87NRxXE2Dud8RZWNX8Wex63Ql X-Received: by 2002:a25:eb06:: with SMTP id d6mr154240ybs.318.1644246943914; Mon, 07 Feb 2022 07:15:43 -0800 (PST) X-Received: by 2002:a25:eb06:: with SMTP id d6mr154219ybs.318.1644246943702; Mon, 07 Feb 2022 07:15:43 -0800 (PST) MIME-Version: 1.0 From: Ondrej Mosnacek Date: Mon, 7 Feb 2022 16:15:27 +0100 Message-ID: Subject: Semantics vs. usage of mutex_is_locked() To: Peter Zijlstra , Ingo Molnar , Will Deacon , Waiman Long Cc: Linux kernel mailing list , SElinux list Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, (This is addressed mainly to the kernel/locking/ maintainers.) In security/selinux/ima.c, we have two functions for which we want to assert the expected locking status of a mutex. In the first function we expect the caller to obtain the lock, so we have `WARN_ON(!mutex_is_locked(&state->policy_mutex));` there. The second one, on the contrary, takes the lock on its own, so there is an inverse assert (that the caller hasn't already taken the lock) - `WARN_ON(mutex_is_locked(&state->policy_mutex));`. Recently, I got a report that the second WARN_ON() got triggered, while there was no function in the call chain that could have taken the lock. Looking into it, I realized that mutex_is_locked() actually doesn't check what we assumed ("Are we holding the lock?"), but instead answers the question "Is any task holding the lock?". So in theory it can happen that the second WARN_ON() gets hit randomly in an otherwise correct code simply because some other task happens to be holding the mutex. Similarly, the first assert might not catch all cases where taking the mutex was forgotten, because another task may be holding it, making the assert pass. Grepping the whole tree for mutex_is_locked finds about 300 uses, the vast majority of which are variations of the warn-if-mutex-not-locked-by-us pattern. Then there are a handful of cases where the usage of mutex_is_locked() seems correct and a few cases of the inverse warn-if-mutex-already-locked-by-us pattern. It seems like introducing a new helper with the "is the mutex locked by current task?" semantics would be fairly straightforward, however fixing all the mutex_is_locked() misuses would be a rather big and noisy patch(set). That said, would it be okay if I send patches that introduce a new helper and only fix misuses that can lead to wrong behavior when the code is correct (e.g. can yield a false positive WARNING/BUG) and documentation? That should be a reasonably small set of changes, yet should take care of the most important issues. If anyone cares enough for the rest, they can always send further patches. Also, any opinions on the name of the new helper? Perhaps mutex_is_held()? Or mutex_is_locked_by_current()? Thanks, -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.