lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100225170653.GA5715@linux.vnet.ibm.com>
Date:	Thu, 25 Feb 2010 09:06:53 -0800
From:	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
To:	Arnd Bergmann <arnd@...db.de>
Cc:	Alexey Dobriyan <adobriyan@...il.com>,
	Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
	linux-kernel@...r.kernel.org, mingo@...e.hu, laijs@...fujitsu.com,
	dipankar@...ibm.com, akpm@...ux-foundation.org,
	josh@...htriplett.org, dvhltc@...ibm.com, niv@...ibm.com,
	tglx@...utronix.de, peterz@...radead.org, rostedt@...dmis.org,
	Valdis.Kletnieks@...edu, dhowells@...hat.com
Subject: Re: [PATCH 07/10] module: __rcu annotations

On Wed, Feb 24, 2010 at 03:59:58PM -0800, Paul E. McKenney wrote:
> On Thu, Feb 25, 2010 at 12:07:47AM +0100, Arnd Bergmann wrote:
> > On Wednesday 24 February 2010 23:17:49 Paul E. McKenney wrote:
> > > > Ok, this is a significant limitation of the list rcu annotation
> > > > then, it's not possible to pass the same list into list_for_each_entry
> > > > and list_for_each_entry_rcu with the way I changed the rcu list
> > > > definition. I would be possible to do a __list_for_each_entry_rcu
> > > > macro that takes an rcu_list_head but does not actually use
> > > > rcu_dereference, but I'm not sure if that's good enough.
> > > 
> > > Hmmm...  If the __rcu annotation was visible at runtime, it would be
> > > easy provide an annotated version of list_for_each_entry_rcu() that
> > > checks for module_mutex being held under lockdep.
> > 
> > Well, if we keep the struct rcu_list_head and make it mandatory for
> > rcu protected lists, it could be defined as
> > 
> > struct rcu_list_head {
> > 	struct list_head head;
> > #ifdef CONFIG_PROVE_RCU
> > 	bool (*check)(void);
> > #endif
> > };
> > 
> > #ifdef CONFIG_PROVE_RCU
> > #define RCU_LIST_HEAD_INIT_CHECK(__head, __check) \
> > 	{ .head = LIST_HEAD_INIT((__head).head), .check = (__check) }
> > #else
> > #define RCU_LIST_HEAD_INIT_CHECK(__list,__check) {.head = LIST_HEAD_INIT((__head).head) }
> > #endif
> > 
> > #define RCU_LIST_HEAD_INIT(head) RCU_LIST_HEAD_INIT_CHECK(head,&rcu_read_lock_held)
> > #define RCU_LIST_HEAD_INIT_BH(head) RCU_LIST_HEAD_INIT_CHECK(head,&rcu_read_lock_bh_held)
> > 
> > #define list_entry_rcu_check(ptr, type, member, check) \
> >         container_of(rcu_dereference_check((void __rcu __force *)(ptr), check), type, member)
> > 
> > #define list_for_each_entry_rcu(pos, __head, member) \
> >         for (pos = list_entry_rcu_check((__head)->head.next, typeof(*pos), \
> > 					 member, (__head)->check); \
> >                 prefetch(pos->member.next), &pos->member != (head); \
> >                 pos = list_entry_rcu_check(pos->member.next, typeof(*pos), \
> > 					 member, (__head)->check)))
> > 
> > That would let us check all the heads for correct usage, and at the same
> > time avoid having to annotate all the list entries.
> 
> Cool!!!
> 
> The nice thing about this is that we don't end up with the API explosion
> for the RCU list primitives.  However, it does require that a given
> rcu_list_head have a single synchronization-design rule for all uses.
> Of course, if there were multiple rules, one could construct a check
> that was simply the union of all the rules, but that would miss some
> types of errors.
> 
> Of course, if this became a problem, there could be an argument to the
> ->check function that the normal list_for_each_entry_rcu() defaults to
> "no effect".
> 
> Or is there a better way to handle this?

One approach would be to use your original sparse-based approach, but
use an rcu_deference_const(ptr,lockdep_condition) for cases when the
value cannot change, for example, when the update-side lock is held.
This should eliminate most of the false positives, in particular,
eliminate the need for otherwise-useless rcu_read_lock()s  -- and also
for the compiler constraints in the normal rcu_dereference().

Your pointer-to-function idea could be a really cool way to handle the
tree algorithms that can be protected either by RCU or by locking.
The tree nodes could have the pointer to check function, and the
current rcu_dereference_raw() calls could be replaced by an invocation
of rcu_dereference_check() that calls the check function.  A check
function for an RCU-protected tree would use "rcu_read_lock_held() ||
lockdep_is_held(&update_side_lock)", while a lock-protected tree would
just use "lockdep_is_held(&update_side_lock)".

Thoughts?

							Thanx, Paul
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ