| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Sep 2010 14:28:32 +0200
From: Arnd Bergmann <arnd@...db.de>
To: paulmck@...ux.vnet.ibm.com
Cc: Kulikov Vasiliy <segooon@...il.com>,
kernel-janitors@...r.kernel.org, Neil Brown <neilb@...e.de>,
Jens Axboe <jaxboe@...ionio.com>, linux-raid@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] md: do not use ++ in rcu_dereference() argument
On Tuesday 14 September 2010, Paul E. McKenney wrote:
> The current version of the __rcu_access_pointer(),
> __rcu_dereference_check(), and __rcu_dereference_protected() macros
> evaluate their "p" argument three times, not counting typeof()s. This is
> bad news if that argument contains a side effect. This commit therefore
> evaluates this argument only once in normal kernel builds. However, the
> straightforward approach defeats sparse's RCU-pointer checking, so this
> commit also adds a KBUILD_CHECKSRC symbol defined when running a checker.
> Therefore, when this new KBUILD_CHECKSRC symbol is defined, the additional
> pair of evaluations of the "p" argument are performed in order to permit
> sparse to detect misuse of RCU-protected pointers.
In general, I don't like the idea much because that means we're passing
semantically different code into sparse and gcc. Of course if my other
patch doesn't work, we might need to do it after all.
> diff --git a/Makefile b/Makefile
> index f3bdff8..1c4984d 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -330,7 +330,7 @@ PERL = perl
> CHECK = sparse
>
> CHECKFLAGS := -D__linux__ -Dlinux -D__STDC__ -Dunix -D__unix__ \
> - -Wbitwise -Wno-return-void $(CF)
> + -Wbitwise -Wno-return-void -DKBUILD_CHECKSRC $(CF)
> CFLAGS_MODULE =
> AFLAGS_MODULE =
> LDFLAGS_MODULE =
sparse already define __CHECKER__ itself, no need to define another symbol.
> +#ifdef KBUILD_CHECKSRC
> +#define rcu_dereference_sparse(p, space) \
> + ((void)(((typeof(*p) space *)p) == p))
> +#else /* #ifdef KBUILD_CHECKSRC */
> +#define rcu_dereference_sparse(p, space)
> +#endif /* #else #ifdef KBUILD_CHECKSRC */
Did you see a problem with my macro?
#define rcu_dereference_sparse(p, space) \
((void)(((typeof(*p) space *)NULL) == ((typeof(p))NULL)))
I think this should warn in all the cases we want it to, but have no side-effects.
> #define __rcu_access_pointer(p, space) \
> ({ \
> typeof(*p) *_________p1 = (typeof(*p)*__force )ACCESS_ONCE(p); \
> - (void) (((typeof (*p) space *)p) == p); \
> + rcu_dereference_sparse(p, space); \
> ((typeof(*p) __force __kernel *)(_________p1)); \
> })
> #define __rcu_dereference_check(p, c, space) \
> ({ \
> typeof(*p) *_________p1 = (typeof(*p)*__force )ACCESS_ONCE(p); \
> rcu_lockdep_assert(c); \
> - (void) (((typeof (*p) space *)p) == p); \
> + rcu_dereference_sparse(p, space); \
> smp_read_barrier_depends(); \
> ((typeof(*p) __force __kernel *)(_________p1)); \
> })
> #define __rcu_dereference_protected(p, c, space) \
> ({ \
> rcu_lockdep_assert(c); \
> - (void) (((typeof (*p) space *)p) == p); \
> + rcu_dereference_sparse(p, space); \
> ((typeof(*p) __force __kernel *)(p)); \
> })
>
This part might be useful in any case, to better document what the cast and
compare does, and to prevent the three users from diverging.
>diff --git a/kernel/rcutorture.c b/kernel/rcutorture.c
>index 439ddab..adb09cb 100644
>--- a/kernel/rcutorture.c
>+++ b/kernel/rcutorture.c
This didn't seem to belong here.
Arnd
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists