lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <25321527-3040-434D-80EC-82DFD17C710C@gmail.com>
Date:   Sat, 22 Jul 2023 05:25:02 +0800
From:   Alan Huang <mmpgouride@...il.com>
To:     Joel Fernandes <joel@...lfernandes.org>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>, roman.gushchin@...ux.dev,
        "David.Laight@...lab.com" <David.Laight@...LAB.COM>
Cc:     linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        rcu@...r.kernel.org
Subject: Re: Question about the barrier() in hlist_nulls_for_each_entry_rcu()


> 2023年7月22日 上午4:40,Alan Huang <mmpgouride@...il.com> 写道:
> 
> 
>> 2023年7月22日 上午4:08,Alan Huang <mmpgouride@...il.com> 写道:
>> 
>> 
>>> 2023年7月21日 下午11:21,Joel Fernandes <joel@...lfernandes.org> 写道:
>>> 
>>> On 7/21/23 10:27, Alan Huang wrote:
>>>>> 2023年7月21日 20:54,Joel Fernandes <joel@...lfernandes.org> 写道:
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Jul 20, 2023, at 4:00 PM, Alan Huang <mmpgouride@...il.com> wrote:
>>>>>> 
>>>>>> 
>>>>>>> 2023年7月21日 03:22,Eric Dumazet <edumazet@...gle.com> 写道:
>>>>>>> 
>>>>>>>> On Thu, Jul 20, 2023 at 8:54 PM Alan Huang <mmpgouride@...il.com> wrote:
>>>>>>>> 
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> I noticed a commit c87a124a5d5e(“net: force a reload of first item in hlist_nulls_for_each_entry_rcu”)
>>>>>>>> and a related discussion [1].
>>>>>>>> 
>>>>>>>> After reading the whole discussion, it seems like that ptr->field was cached by gcc even with the deprecated
>>>>>>>> ACCESS_ONCE(), so my question is:
>>>>>>>> 
>>>>>>>>    Is that a compiler bug? If so, has this bug been fixed today, ten years later?
>>>>>>>> 
>>>>>>>>    What about READ_ONCE(ptr->field)?
>>>>>>> 
>>>>>>> Make sure sparse is happy.
>>>>>> 
>>>>>> It caused a problem without barrier(), and the deprecated ACCESS_ONCE() didn’t help:
>>>>>> 
>>>>>> https://lore.kernel.org/all/519D19DA.50400@yandex-team.ru/
>>>>>> 
>>>>>> So, my real question is: With READ_ONCE(ptr->field), are there still some unusual cases where gcc
>>>>>> decides not to reload ptr->field?
>>>>> 
>>>>> I am a bit doubtful there will be strong (any?) interest in replacing the barrier() with READ_ONCE() without any tangible reason, regardless of whether a gcc issue was fixed.
>>>>> 
>>>>> But hey, if you want to float the idea…
>>>> We already had the READ_ONCE() in rcu_deference_raw().
>>>> The barrier() here makes me think we need write code like below:
>>>> 	
>>>> 	READ_ONCE(head->first);
>>>> 	barrier();
>>>> 	READ_ONCE(head->first);
>>>> With READ_ONCE (or the deprecated ACCESS_ONCE),
>>>> I don’t think a compiler should cache the value of head->first.
>>> 
>>> 
>>> Right, it shouldn't need to cache. To Eric's point it might be risky to remove the barrier() and someone needs to explain that issue first (or IMO there needs to be another tangible reason like performance etc). Anyway, FWIW I wrote a simple program and I am not seeing the head->first cached with the pattern you shared above:
>>> 
>>> #include <stdlib.h>
>>> 
>>> #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
>>> #define barrier() __asm__ __volatile__("": : :"memory")
>>> 
>>> typedef struct list_head {
>>>  int first;
>>>  struct list_head *next;
>>> } list_head;
>>> 
>>> int main() {
>>>  list_head *head = (list_head *)malloc(sizeof(list_head));
>>>  head->first = 1;
>>>  head->next = 0;
>>> 
>>>  READ_ONCE(head->first);
>>>  barrier();
>>>  READ_ONCE(head->first);
>>> 
>>>  free(head);
>>>  return 0;
>>> }
>>> 
>>> On ARM 32-bit, 64-bit and x86_64, with -Os and then another experiment with -O2 on new gcc versions.
>> 
>> Well, when I change the code as below:
>> 
>> #include <stdlib.h>
>> 
>> #define READ_ONCE(x) (*(volatile typeof(x) *)&(x))
>> #define barrier() __asm__ __volatile__("": : :"memory")
>> 
>> typedef struct list_head {
>>  struct list_head *next;
>>  int first;					// difference here
>> } list_head;
>> 
>> int main() {
>>  list_head *head = (list_head *)malloc(sizeof(list_head));
>>  head->first = 1;
>>  head->next = 0;
>> 
>>  READ_ONCE(head->first);
>>  READ_ONCE(head->first);
>> 
>>  free(head);
>>  return 0;
>> }
>> 
>> GCC 8, GCC 10, GCC 11 generate the following code (with -O2):
>> 
>> main:
>>       subq    $8, %rsp
>>       movl    $16, %edi
>>       call    malloc
>>       movl    $1, 8(%rax)
>>       movq    %rax, %rdi
>>       call    free
>>       xorl    %eax, %eax
>>       addq    $8, %rsp
>>       ret
>> 
>> 
>> The READ_ONCE has been optimized away. The difference in the source code is that I put ->first to the second member.
>> 
>> That means, GCC 8, 10, 11 have the bug!
>> 
>> 
> 
> Found a related discussion:
> 
> 	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102714

And this:

	https://gcc.gnu.org/bugzilla/show_bug.cgi?id=47409

So, the compiler had the bug ten years ago.

> 
> Looks like GCC 10, 11 have been backported, not sure whether GCC 8 has been backported.
> 
> So, I have the following questions:
> 
> Given that some people might not update their GCC, do they need to be notified?
> 
> Do we need to CC Linus?
> 
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ