lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240802145856.00002717@Huawei.com>
Date: Fri, 2 Aug 2024 14:58:56 +0100
From: Jonathan Cameron <Jonathan.Cameron@...wei.com>
To: Dan Williams <dan.j.williams@...el.com>
CC: <peterz@...radead.org>, <torvalds@...ux-foundation.org>, Bjorn Helgaas
	<bhelgaas@...gle.com>, Ira Weiny <ira.weiny@...el.com>, Jesse Brandeburg
	<jesse.brandeburg@...el.com>, Ilpo Järvinen
	<ilpo.jarvinen@...ux.intel.com>, Lukas Wunner <lukas@...ner.de>, "Jonathan
 Corbet" <corbet@....net>, <gregkh@...uxfoundation.org>,
	<linux-kernel@...r.kernel.org>, <linux-pci@...r.kernel.org>
Subject: Re: [PATCH v3] cleanup: Add usage and style documentation

On Fri, 29 Mar 2024 16:48:48 -0700
Dan Williams <dan.j.williams@...el.com> wrote:

> When proposing that PCI grow some new cleanup helpers for pci_dev_put()
> and pci_dev_{lock,unlock} [1], Bjorn had some fundamental questions
> about expectations and best practices. Upon reviewing an updated
> changelog with those details he recommended adding them to documentation
> in the header file itself.
> 
> Add that documentation and link it into the rendering for
> Documentation/core-api/.
> 
> Link: http://lore.kernel.org/r/20240104183218.GA1820872@bhelgaas [1]
> Cc: Bjorn Helgaas <bhelgaas@...gle.com>
> Cc: Ira Weiny <ira.weiny@...el.com>
> Cc: Jesse Brandeburg <jesse.brandeburg@...el.com>
> Cc: Ilpo Järvinen <ilpo.jarvinen@...ux.intel.com>
> Cc: Lukas Wunner <lukas@...ner.de>
> Cc: Peter Zijlstra <peterz@...radead.org>
> Cc: Jonathan Corbet <corbet@....net>
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@...wei.com>
> Signed-off-by: Dan Williams <dan.j.williams@...el.com>
> ---
> Changes since v2:
> * remove the unnecessary newlines around code examples further reducing
>   the visual interruption of RST metadata (Jon)
> * Fix a missing FILO=>LIFO conversion
> * Fix a bug in the example
> * Collect Jonathan's reviewed-by
> 
> Review has been quiet on this thread for a few days so I think is the
> final rev. Let me know if anything else to fix up.

Would be good to either get more review, or this applied.

Currently I'm pointing people at the email. Would much rather
point them at the upstream docs!

Jon, would you consider picking this up?
> 
>  Documentation/core-api/cleanup.rst |    8 ++
>  Documentation/core-api/index.rst   |    1 
>  include/linux/cleanup.h            |  136 ++++++++++++++++++++++++++++++++++++
>  3 files changed, 145 insertions(+)
>  create mode 100644 Documentation/core-api/cleanup.rst
> 
> diff --git a/Documentation/core-api/cleanup.rst b/Documentation/core-api/cleanup.rst
> new file mode 100644
> index 000000000000..527eb2f8ec6e
> --- /dev/null
> +++ b/Documentation/core-api/cleanup.rst
> @@ -0,0 +1,8 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +
> +===========================
> +Scope-based Cleanup Helpers
> +===========================
> +
> +.. kernel-doc:: include/linux/cleanup.h
> +   :doc: scope-based cleanup helpers
> diff --git a/Documentation/core-api/index.rst b/Documentation/core-api/index.rst
> index 7a3a08d81f11..2d2b3719567e 100644
> --- a/Documentation/core-api/index.rst
> +++ b/Documentation/core-api/index.rst
> @@ -35,6 +35,7 @@ Library functionality that is used throughout the kernel.
>  
>     kobject
>     kref
> +   cleanup
>     assoc_array
>     xarray
>     maple_tree
> diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h
> index c2d09bc4f976..5ffb2127e3ac 100644
> --- a/include/linux/cleanup.h
> +++ b/include/linux/cleanup.h
> @@ -4,6 +4,142 @@
>  
>  #include <linux/compiler.h>
>  
> +/**
> + * DOC: scope-based cleanup helpers
> + *
> + * The "goto error" pattern is notorious for introducing subtle resource
> + * leaks. It is tedious and error prone to add new resource acquisition
> + * constraints into code paths that already have several unwind
> + * conditions. The "cleanup" helpers enable the compiler to help with
> + * this tedium and can aid in maintaining LIFO (last in first out)
> + * unwind ordering to avoid unintentional leaks.
> + *
> + * As drivers make up the majority of the kernel code base, here is an
> + * example of using these helpers to clean up PCI drivers. The target of
> + * the cleanups are occasions where a goto is used to unwind a device
> + * reference (pci_dev_put()), or unlock the device (pci_dev_unlock())
> + * before returning.
> + *
> + * The DEFINE_FREE() macro can arrange for PCI device references to be
> + * dropped when the associated variable goes out of scope::
> + *
> + *	DEFINE_FREE(pci_dev_put, struct pci_dev *, if (_T) pci_dev_put(_T))
> + *	...
> + *	struct pci_dev *dev __free(pci_dev_put) =
> + *		pci_get_slot(parent, PCI_DEVFN(0, 0));
> + *
> + * The above will automatically call pci_dev_put() if @dev is non-NULL
> + * when @dev goes out of scope (automatic variable scope). If a function
> + * wants to invoke pci_dev_put() on error, but return @dev (i.e. without
> + * freeing it) on success, it can do::
> + *
> + *	return no_free_ptr(dev);
> + *
> + * ...or::
> + *
> + *	return_ptr(dev);
> + *
> + * The DEFINE_GUARD() macro can arrange for the PCI device lock to be
> + * dropped when the scope where guard() is invoked ends::
> + *
> + *	DEFINE_GUARD(pci_dev, struct pci_dev *, pci_dev_lock(_T), pci_dev_unlock(_T))
> + *	...
> + *	guard(pci_dev)(dev);
> + *
> + * The lifetime of the lock obtained by the guard() helper follows the
> + * scope of automatic variable declaration. Take the following example::
> + *
> + *	func(...)
> + *	{
> + *		if (...) {
> + *			...
> + *			guard(pci_dev)(dev); // pci_dev_lock() invoked here
> + *			...
> + *		} // <- implied pci_dev_unlock() triggered here
> + *	}
> + *
> + * Observe the lock is held for the remainder of the "if ()" block not
> + * the remainder of "func()".
> + *
> + * Now, when a function uses both __free() and guard(), or multiple
> + * instances of __free(), the LIFO order of variable definition order
> + * matters. GCC documentation says:
> + *
> + * "When multiple variables in the same scope have cleanup attributes,
> + * at exit from the scope their associated cleanup functions are run in
> + * reverse order of definition (last defined, first cleanup)."
> + *
> + * When the unwind order matters it requires that variables be defined
> + * mid-function scope rather than at the top of the file.  Take the
> + * following example and notice the bug highlighted by "!!"::
> + *
> + *	LIST_HEAD(list);
> + *	DEFINE_MUTEX(lock);
> + *
> + *	struct object {
> + *	        struct list_head node;
> + *	};
> + *
> + *	static struct object *alloc_add(void)
> + *	{
> + *	        struct object *obj;
> + *
> + *	        lockdep_assert_held(&lock);
> + *	        obj = kzalloc(sizeof(*obj), GFP_KERNEL);
> + *	        if (obj) {
> + *	                LIST_HEAD_INIT(&obj->node);
> + *	                list_add(obj->node, &list):
> + *	        }
> + *	        return obj;
> + *	}
> + *
> + *	static void remove_free(struct object *obj)
> + *	{
> + *	        lockdep_assert_held(&lock);
> + *	        list_del(&obj->node);
> + *	        kfree(obj);
> + *	}
> + *
> + *	DEFINE_FREE(remove_free, struct object *, if (_T) remove_free(_T))
> + *	static int init(void)
> + *	{
> + *	        struct object *obj __free(remove_free) = NULL;
> + *	        int err;
> + *
> + *	        guard(mutex)(&lock);
> + *	        obj = alloc_add();
> + *
> + *	        if (!obj)
> + *	                return -ENOMEM;
> + *
> + *	        err = other_init(obj);
> + *	        if (err)
> + *	                return err; // remove_free() called without the lock!!
> + *
> + *	        no_free_ptr(obj);
> + *	        return 0;
> + *	}
> + *
> + * That bug is fixed by changing init() to call guard() and define +
> + * initialize @obj in this order::
> + *
> + *	guard(mutex)(&lock);
> + *	struct object *obj __free(remove_free) = alloc_add();
> + *
> + * Given that the "__free(...) = NULL" pattern for variables defined at
> + * the top of the function poses this potential interdependency problem
> + * the recommendation is to always define and assign variables in one
> + * statement and not group variable definitions at the top of the
> + * function when __free() is used.
> + *
> + * Lastly, given that the benefit of cleanup helpers is removal of
> + * "goto", and that the "goto" statement can jump between scopes, the
> + * expectation is that usage of "goto" and cleanup helpers is never
> + * mixed in the same function. I.e. for a given routine, convert all
> + * resources that need a "goto" cleanup to scope-based cleanup, or
> + * convert none of them.
> + */
> +
>  /*
>   * DEFINE_FREE(name, type, free):
>   *	simple helper macro that defines the required wrapper for a __free()
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ