Message ID | 20131012173734.GC20321@order.stressinduktion.org |
---|---|
State | Not Applicable, archived |
Delegated to: | David Miller |
Headers | show |
----- Original Message ----- > From: "Hannes Frederic Sowa" <hannes@stressinduktion.org> > To: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>, "Eric Dumazet" <eric.dumazet@gmail.com>, "Josh Triplett" > <josh@joshtriplett.org>, linux-kernel@vger.kernel.org, mingo@kernel.org, laijs@cn.fujitsu.com, dipankar@in.ibm.com, > akpm@linux-foundation.org, "mathieu desnoyers" <mathieu.desnoyers@efficios.com>, niv@us.ibm.com, tglx@linutronix.de, > peterz@infradead.org, rostedt@goodmis.org, dhowells@redhat.com, edumazet@google.com, darren@dvhart.com, > fweisbec@gmail.com, sbw@mit.edu, "David S. Miller" <davem@davemloft.net>, "Alexey Kuznetsov" <kuznet@ms2.inr.ac.ru>, > "James Morris" <jmorris@namei.org>, "Hideaki YOSHIFUJI" <yoshfuji@linux-ipv6.org>, "Patrick McHardy" > <kaber@trash.net>, netdev@vger.kernel.org > Sent: Saturday, October 12, 2013 1:37:34 PM > Subject: Re: [PATCH v2 tip/core/rcu 07/13] ipv6/ip6_tunnel: Apply rcu_access_pointer() to avoid sparse false positive > > On Sat, Oct 12, 2013 at 06:43:45PM +0200, Hannes Frederic Sowa wrote: > > Regarding the volatile access, I hope that the C11 memory model > > and enhancements to the compiler will some day provide a better > > way to express the semantics of what is tried to express here > > (__atomic_store_n/__atomic_load_n with the accompanied memory model, > > which could be even weaker to what a volatile access would enfore > > now and could guarantee atomic stores/loads). > > I just played around a bit more. Perhaps we could try to warn of silly > usages of ACCESS_ONCE(): > > --- a/include/linux/compiler.h > +++ b/include/linux/compiler.h > @@ -349,7 +349,11 @@ void ftrace_likely_update(struct ftrace_branch_data *f, > int val, int expect); > * use is to mediate communication between process-level code and irq/NMI > * handlers, all running on the same CPU. > */ > -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x)) > +#define ACCESS_ONCE(x) (*({ \ > + compiletime_assert(sizeof(typeof(x)) <= sizeof(typeof(&x)), \ > + "ACCESS_ONCE likely not atomic"); \ AFAIU, ACCESS_ONCE() is not meant to ensure atomicity of load/store, but rather merely ensures that the compiler will not merge nor refetch accesses. I don't think the assert check you propose is appropriate with respect to the ACCESS_ONCE() semantic. Thanks, Mathieu > + (volatile typeof(x) *)&(x); \ > +})) > > /* Ignore/forbid kprobes attach on very low level functions marked by this > attribute: */ > #ifdef CONFIG_KPROBES > >
On Sat, Oct 12, 2013 at 07:42:18PM +0000, Mathieu Desnoyers wrote: > ----- Original Message ----- > > On Sat, Oct 12, 2013 at 06:43:45PM +0200, Hannes Frederic Sowa wrote: > > > Regarding the volatile access, I hope that the C11 memory model > > > and enhancements to the compiler will some day provide a better > > > way to express the semantics of what is tried to express here > > > (__atomic_store_n/__atomic_load_n with the accompanied memory model, > > > which could be even weaker to what a volatile access would enfore > > > now and could guarantee atomic stores/loads). > > > > I just played around a bit more. Perhaps we could try to warn of silly > > usages of ACCESS_ONCE(): > > > > --- a/include/linux/compiler.h > > +++ b/include/linux/compiler.h > > @@ -349,7 +349,11 @@ void ftrace_likely_update(struct ftrace_branch_data *f, > > int val, int expect); > > * use is to mediate communication between process-level code and irq/NMI > > * handlers, all running on the same CPU. > > */ > > -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x)) > > +#define ACCESS_ONCE(x) (*({ \ > > + compiletime_assert(sizeof(typeof(x)) <= sizeof(typeof(&x)), \ > > + "ACCESS_ONCE likely not atomic"); \ > > AFAIU, ACCESS_ONCE() is not meant to ensure atomicity of load/store, > but rather merely ensures that the compiler will not merge nor refetch > accesses. I don't think the assert check you propose is appropriate with > respect to the ACCESS_ONCE() semantic. I am with Mathieu on this one, at least unless there is some set of actual bugs already in the kernel that these length checks would find. /me wonders about structs of size 3, 5, 6, and 7... Thanx, Paul > Thanks, > > Mathieu > > > + (volatile typeof(x) *)&(x); \ > > +})) > > > > /* Ignore/forbid kprobes attach on very low level functions marked by this > > attribute: */ > > #ifdef CONFIG_KPROBES > > > > > > -- > Mathieu Desnoyers > EfficiOS Inc. > http://www.efficios.com > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Oct 13, 2013 at 04:14:39AM -0700, Paul E. McKenney wrote: > On Sat, Oct 12, 2013 at 07:42:18PM +0000, Mathieu Desnoyers wrote: > > ----- Original Message ----- > > > On Sat, Oct 12, 2013 at 06:43:45PM +0200, Hannes Frederic Sowa wrote: > > > > Regarding the volatile access, I hope that the C11 memory model > > > > and enhancements to the compiler will some day provide a better > > > > way to express the semantics of what is tried to express here > > > > (__atomic_store_n/__atomic_load_n with the accompanied memory model, > > > > which could be even weaker to what a volatile access would enfore > > > > now and could guarantee atomic stores/loads). > > > > > > I just played around a bit more. Perhaps we could try to warn of silly > > > usages of ACCESS_ONCE(): > > > > > > --- a/include/linux/compiler.h > > > +++ b/include/linux/compiler.h > > > @@ -349,7 +349,11 @@ void ftrace_likely_update(struct ftrace_branch_data *f, > > > int val, int expect); > > > * use is to mediate communication between process-level code and irq/NMI > > > * handlers, all running on the same CPU. > > > */ > > > -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x)) > > > +#define ACCESS_ONCE(x) (*({ \ > > > + compiletime_assert(sizeof(typeof(x)) <= sizeof(typeof(&x)), \ > > > + "ACCESS_ONCE likely not atomic"); \ > > > > AFAIU, ACCESS_ONCE() is not meant to ensure atomicity of load/store, > > but rather merely ensures that the compiler will not merge nor refetch > > accesses. I don't think the assert check you propose is appropriate with > > respect to the ACCESS_ONCE() semantic. > > I am with Mathieu on this one, at least unless there is some set of actual > bugs already in the kernel that these length checks would find. I guess my wording of "ACCESS_ONCE likely not atomic" was misplaced. Something like volatile access to memory larger than the processor register size is probably not what you intended. Use atomics or proper locking. ;) And maybe that is not even correct. > /me wonders about structs of size 3, 5, 6, and 7... Checked a x86_64 allyesconfig build with sizes above pointer size and odd parity and nothing broke. Greetings, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -349,7 +349,11 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect); * use is to mediate communication between process-level code and irq/NMI * handlers, all running on the same CPU. */ -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x)) +#define ACCESS_ONCE(x) (*({ \ + compiletime_assert(sizeof(typeof(x)) <= sizeof(typeof(&x)), \ + "ACCESS_ONCE likely not atomic"); \ + (volatile typeof(x) *)&(x); \ +})) /* Ignore/forbid kprobes attach on very low level functions marked by this attribute: */ #ifdef CONFIG_KPROBES