lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260114093517.NIa6_vRS@linutronix.de>
Date: Wed, 14 Jan 2026 10:35:17 +0100
From: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
To: Peter Zijlstra <peterz@...radead.org>
Cc: kernel test robot <lkp@...el.com>, oe-kbuild-all@...ts.linux.dev,
	linux-kernel@...r.kernel.org, Marco Elver <elver@...gle.com>
Subject: Re: kernel/futex/core.c:505:38: sparse: sparse: cast removes address
 space '__user' of expression

On 2026-01-13 20:39:19 [+0100], Peter Zijlstra wrote:
> tip/locking/core removes all the sparse lock annotations in favour of
> clang-22 tcsan.

So this is what salvation looks like? With

diff --git a/kernel/futex/core.c b/kernel/futex/core.c
index cf7e610eac429..b9e6be1c30179 100644
--- a/kernel/futex/core.c
+++ b/kernel/futex/core.c
@@ -965,6 +965,7 @@ int futex_unqueue(struct futex_q *q)
 }
 
 void futex_q_lockptr_lock(struct futex_q *q)
+	__acquires(q->lock_ptr)
 {
 	spinlock_t *lock_ptr;
 
@@ -1443,12 +1444,15 @@ static void futex_cleanup(struct task_struct *tsk)
 void futex_exit_recursive(struct task_struct *tsk)
 {
 	/* If the state is FUTEX_STATE_EXITING then futex_exit_mutex is held */
-	if (tsk->futex_state == FUTEX_STATE_EXITING)
+	if (tsk->futex_state == FUTEX_STATE_EXITING) {
+		lockdep_assert_held(&tsk->futex_exit_mutex);
 		mutex_unlock(&tsk->futex_exit_mutex);
+	}
 	tsk->futex_state = FUTEX_STATE_DEAD;
 }
 
 static void futex_cleanup_begin(struct task_struct *tsk)
+	__acquires(&tsk->futex_exit_mutex)
 {
 	/*
 	 * Prevent various race issues against a concurrent incoming waiter
@@ -1475,6 +1479,7 @@ static void futex_cleanup_begin(struct task_struct *tsk)
 }
 
 static void futex_cleanup_end(struct task_struct *tsk, int state)
+	__releases(&tsk->futex_exit_mutex)
 {
 	/*
 	 * Lockless store. The only side effect is that an observer might
diff --git a/kernel/futex/futex.h b/kernel/futex/futex.h
index 30c2afa038890..423989ffa5e91 100644
--- a/kernel/futex/futex.h
+++ b/kernel/futex/futex.h
@@ -379,6 +379,7 @@ extern int fixup_pi_owner(u32 __user *uaddr, struct futex_q *q, int locked);
  */
 static inline void
 double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
+	__cond_acquires(true, &hb2->lock)
 {
 	if (hb1 > hb2)
 		swap(hb1, hb2);
@@ -391,9 +392,12 @@ double_lock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
 static inline void
 double_unlock_hb(struct futex_hash_bucket *hb1, struct futex_hash_bucket *hb2)
 {
+	lockdep_assert_held(&hb1->lock);
 	spin_unlock(&hb1->lock);
-	if (hb1 != hb2)
+	if (hb1 != hb2) {
+		lockdep_assert_held(&hb2->lock);
 		spin_unlock(&hb2->lock);
+	}
 }
 
 /* syscalls */
diff --git a/kernel/futex/pi.c b/kernel/futex/pi.c
index dacb2330f1fbc..e45ad40b59550 100644
--- a/kernel/futex/pi.c
+++ b/kernel/futex/pi.c
@@ -621,6 +621,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval,
 	u32 curval, newval;
 	int ret = 0;
 
+	lockdep_assert_held(&pi_state->pi_mutex.wait_lock);
 	new_owner = top_waiter->task;
 
 	/*

I managed to pass core.c But then started looking at pi.c I run into
this:

| kernel/futex/pi.c:706:7: error: expecting raw_spinlock 'q->pi_state->pi_mutex.wait_lock' to be held at start of each loop
|      [-Werror,-Wthread-safety-analysis]
|  706 |         if (!argowner) {
|      |              ^
| kernel/futex/pi.c:811:2: note: raw_spinlock acquired here
|  811 |         raw_spin_lock_irq(&pi_state->pi_mutex.wait_lock);
|      |         ^
| include/linux/spinlock.h:275:34: note: expanded from macro 'raw_spin_lock_irq'
|  275 | #define raw_spin_lock_irq(lock)         _raw_spin_lock_irq(lock)
|      |                                         ^
| kernel/futex/pi.c:792:2: error: releasing raw_spinlock 'q->pi_state->pi_mutex.wait_lock' that was not held
|      [-Werror,-Wthread-safety-analysis]
|  792 |         raw_spin_unlock_irq(&pi_state->pi_mutex.wait_lock);

it can be told from the context that waitlock is held at start of each
loop. It is just that unlock+lock combo after handle_err: that breaks
llvm.
cond_acquires() works and lockdep_assert_held() is taken into account
which is an improvement over sparse. For futex_cleanup_begin()/_end() it
seems to lose the context for futex_exit_mutex but this is all local…

Sebastian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ