lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANpmjNNX072Uz+XCOuXwF6u8dHHkv+Wv=mN4mtV34AUS7E3Ozw@mail.gmail.com>
Date: Fri, 7 Feb 2025 19:24:31 +0100
From: Marco Elver <elver@...gle.com>
To: Bart Van Assche <bvanassche@....org>
Cc: Peter Zijlstra <peterz@...radead.org>, Will Deacon <will@...nel.org>, 
	Christoph Hellwig <hch@....de>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Nick Desaulniers <ndesaulniers@...gle.com>, Nathan Chancellor <nathan@...nel.org>, Kees Cook <kees@...nel.org>, 
	Jann Horn <jannh@...gle.com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RFC 00/33] Compile-time thread-safety checking

On Fri, 7 Feb 2025 at 18:46, Bart Van Assche <bvanassche@....org> wrote:
>
> On 2/7/25 1:08 AM, Peter Zijlstra wrote:
> > On Fri, Feb 07, 2025 at 10:05:47AM +0100, Marco Elver wrote:
> >> Yes, you can add multiple guarded_by. But it's just going to enforce
> >> that you need to hold both locks before you access the member. If you
> >> want the rules to be more complex, the best way to express that is with
> >> some helpers. E.g. something like this (tested on top my series)
> >
> > Oh gawd, this is going to be a pain, isn't it :/
>
> The Clang thread-safety annotations are used widely so behavior of
> existing attributes must be preserved. I propose to introduce new
> thread-safety attributes when useful to annotate kernel code.

Agreed - we can't change the existing semantics, but if absolutely
necessary we could think about extensions (which I already started for
something else: https://github.com/llvm/llvm-project/pull/123063)

> As an
> example, the Clang try_acquire_capability function attribute does not
> support functions that return pointers although this is a common pattern
> in the Linux kernel. I think that introducing a new function attribute
> to support functions that return pointers is a better solution than
> trying to annotate such functions with any of the existing Clang
> thread-safety attributes.

try_acquire_capability / __cond_acquires(cond, capability) is happy
with pointer-returning functions when using int-literals for "cond"
i.e. 0 or 1 (Clang's documentation says it only wants bool, but that's
wrong). I just tested this on a pointer-returning function, and it
works.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ