Message-ID: <20211005162915.GT880162@paulmck-ThinkPad-P17-Gen-1>
Date: Tue, 5 Oct 2021 09:29:15 -0700
From: "Paul E. McKenney" <paulmck@...nel.org>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: rostedt <rostedt@...dmis.org>,
linux-kernel <linux-kernel@...r.kernel.org>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Josh Triplett <josh@...htriplett.org>,
Lai Jiangshan <jiangshanlai@...il.com>,
"Joel Fernandes, Google" <joel@...lfernandes.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Florian Westphal <fw@...len.de>,
"David S. Miller" <davem@...emloft.net>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Ahern <dsahern@...nel.org>,
Jakub Kicinski <kuba@...nel.org>, rcu <rcu@...r.kernel.org>,
netfilter-devel <netfilter-devel@...r.kernel.org>,
coreteam <coreteam@...filter.org>,
netdev <netdev@...r.kernel.org>
Subject: Re: [RFC][PATCH] rcu: Use typeof(p) instead of typeof(*p) *

On Tue, Oct 05, 2021 at 12:15:04PM -0400, Mathieu Desnoyers wrote:
> ----- On Oct 5, 2021, at 11:58 AM, rostedt rostedt@...dmis.org wrote:
>
> > On Tue, 5 Oct 2021 11:15:12 -0400 (EDT)
> > Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:
> >
> >> ----- On Oct 5, 2021, at 9:47 AM, rostedt rostedt@...dmis.org wrote:
> >> [...]
> >> > #define rcu_dereference_raw(p) \
> >> > ({ \
> >> > /* Dependency order vs. p above. */ \
> >> > typeof(p) ________p1 = READ_ONCE(p); \
> >> > - ((typeof(*p) __force __kernel *)(________p1)); \
> >> > + ((typeof(p) __force __kernel)(________p1)); \
> >> > })
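
Review bot: on the `+` line, casting to `typeof(p)` means nothing in the macro dereferences `p` any more, so an integer argument now compiles where `typeof(*p)` used to reject it. Consider keeping an explicit compile-time pointer check in the macro body, with a comment stating that the check is intentional.
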
> >>
> >> AFAIU doing so removes validation that @p is indeed a pointer, so a user
> >> might mistakenly try to use rcu_dereference() on an integer, and get away
> >> with it. I'm not sure we want to loosen this check. I wonder if there might
> >> be another way to achieve the same check without requiring the structure to
> >> be declared, e.g. with __builtin_types_compatible_p?
> >
> > Is that really an issue? Because you would be assigning it to an integer.
> >
> >
> > x = rcu_dereference_raw(y);
> >
> > And that just makes 'x' a copy of 'y' and not really a reference to it, thus
> > if you don't have a pointer, it's just a fancy READ_ONCE(y).
>
> See Documentation/RCU/arrayRCU.rst:
>
> "It might be tempting to consider use
> of RCU to instead protect the index into an array, however, this use
> case is **not** supported. The problem with RCU-protected indexes into
> arrays is that compilers can play way too many optimization games with
> integers, which means that the rules governing handling of these indexes
> are far more trouble than they are worth. If RCU-protected indexes into
> arrays prove to be particularly valuable (which they have not thus far),
> explicit cooperation from the compiler will be required to permit them
> to be safely used."
>
> So AFAIU validation that rcu_dereference receives a pointer as parameter
> is done on purpose.

What Mathieu said!

On the other hand, I am starting to believe that explicit cooperation
from compilers might actually be forthcoming in my lifetime, so there
might well be that...

							Thanx, Paul
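
Added example, not part of the thread or of the kernel tree: one way to keep the compile-time "must be a pointer" check discussed above without dereferencing p, so the pointee struct can stay undeclared. It uses the GCC/Clang builtin __builtin_classify_type rather than the __builtin_types_compatible_p mentioned in the quoted text; IS_POINTER, LOAD_ONCE and deref_checked are hypothetical names, and LOAD_ONCE only stands in for READ_ONCE().

```c
#include <stddef.h>

/* GCC/Clang: __builtin_classify_type() yields 5 (pointer_type_class) for pointers. */
#define IS_POINTER(x) (__builtin_classify_type(x) == 5)

/* Hypothetical stand-in for READ_ONCE(): a single volatile load of p. */
#define LOAD_ONCE(p) (*(volatile __typeof__(p) *)&(p))

/*
 * Hypothetical checked accessor: typeof(p) never looks at the pointee, so
 * the struct may stay undeclared, yet a non-pointer p stops the build.
 */
#define deref_checked(p)                                              \
({                                                                    \
	_Static_assert(IS_POINTER(p), "argument must be a pointer");  \
	__typeof__(p) ____p1 = LOAD_ONCE(p);                          \
	____p1;                                                       \
})

struct opaque;                 /* forward declaration only, never defined here */

static struct opaque *gp;      /* constructed sample: RCU-style published pointer */
static int gidx;               /* constructed sample: integer array index */

/* Expose the classification results so they can be checked at run time. */
int pointer_is_accepted(void) { return IS_POINTER(gp); }
int integer_is_accepted(void) { return IS_POINTER(gidx); }

/* Publish an address and read it back through the checked accessor. */
int roundtrip_ok(void)
{
	static char storage;

	gp = (struct opaque *)&storage;
	return deref_checked(gp) == (struct opaque *)&storage;
}

/* deref_checked(gidx) would fail to compile: "argument must be a pointer". */
```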