lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e276263f-2bc5-450e-9a35-e805ad8f277b@acm.org>
Date: Mon, 10 Feb 2025 10:09:55 -0800
From: Bart Van Assche <bvanassche@....org>
To: Marco Elver <elver@...gle.com>
Cc: "Paul E. McKenney" <paulmck@...nel.org>,
 Alexander Potapenko <glider@...gle.com>, Bill Wendling <morbo@...gle.com>,
 Boqun Feng <boqun.feng@...il.com>, Dmitry Vyukov <dvyukov@...gle.com>,
 Frederic Weisbecker <frederic@...nel.org>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Ingo Molnar <mingo@...nel.org>, Jann Horn <jannh@...gle.com>,
 Joel Fernandes <joel@...lfernandes.org>, Jonathan Corbet <corbet@....net>,
 Josh Triplett <josh@...htriplett.org>, Justin Stitt
 <justinstitt@...gle.com>, Kees Cook <kees@...nel.org>,
 Mark Rutland <mark.rutland@....com>,
 Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
 Miguel Ojeda <ojeda@...nel.org>, Nathan Chancellor <nathan@...nel.org>,
 Neeraj Upadhyay <neeraj.upadhyay@...nel.org>,
 Nick Desaulniers <ndesaulniers@...gle.com>,
 Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>,
 Thomas Gleixner <tglx@...utronix.de>, Uladzislau Rezki <urezki@...il.com>,
 Waiman Long <longman@...hat.com>, Will Deacon <will@...nel.org>,
 kasan-dev@...glegroups.com, linux-kernel@...r.kernel.org,
 llvm@...ts.linux.dev, rcu@...r.kernel.org, linux-crypto@...r.kernel.org
Subject: Re: [PATCH RFC 08/24] lockdep: Annotate lockdep assertions for
 capability analysis

On 2/6/25 10:10 AM, Marco Elver wrote:
> diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
> index 67964dc4db95..5cea929b2219 100644
> --- a/include/linux/lockdep.h
> +++ b/include/linux/lockdep.h
> @@ -282,16 +282,16 @@ extern void lock_unpin_lock(struct lockdep_map *lock, struct pin_cookie);
>   	do { WARN_ON_ONCE(debug_locks && !(cond)); } while (0)
>   
>   #define lockdep_assert_held(l)		\
> -	lockdep_assert(lockdep_is_held(l) != LOCK_STATE_NOT_HELD)
> +	do { lockdep_assert(lockdep_is_held(l) != LOCK_STATE_NOT_HELD); __assert_cap(l); } while (0)
>   
>   #define lockdep_assert_not_held(l)	\
>   	lockdep_assert(lockdep_is_held(l) != LOCK_STATE_HELD)
>   
>   #define lockdep_assert_held_write(l)	\
> -	lockdep_assert(lockdep_is_held_type(l, 0))
> +	do { lockdep_assert(lockdep_is_held_type(l, 0)); __assert_cap(l); } while (0)
>   
>   #define lockdep_assert_held_read(l)	\
> -	lockdep_assert(lockdep_is_held_type(l, 1))
> +	do { lockdep_assert(lockdep_is_held_type(l, 1)); __assert_shared_cap(l); } while (0)

These changes look wrong to me. The current behavior of
lockdep_assert_held(lock) is that it issues a kernel warning at
runtime if `lock` is not held when a lockdep_assert_held()
statement is executed. __assert_cap(lock) tells the compiler to
*ignore* the absence of __must_hold(lock). I think this is wrong.
The compiler should complain if a __must_hold(lock) annotation is
missing. While sparse does not support interprocedural analysis for
lock contexts, the Clang thread-safety checker supports this. If
function declarations are annotated with __must_hold(lock), Clang will
complain if the caller does not hold `lock`.

In other words, the above changes disable a useful compile-time check.
I think that useful compile-time checks should not be disabled.

Bart.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ