From: Herbert Xu <herbert@gondor.apana.org.au>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Will Deacon <will@kernel.org>, Tejun Heo <tj@kernel.org>,
	marcan@marcan.st, peterz@infradead.org, jirislaby@kernel.org,
	maz@kernel.org, mark.rutland@arm.com, boqun.feng@gmail.com,
	catalin.marinas@arm.com, oneukum@suse.com,
	roman.penyaev@profitbricks.com, asahi@lists.linux.dev,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] workqueue: Fix memory ordering race in queue_work*()
Date: Wed, 17 Aug 2022 13:05:50 +0800
Message-ID: <Yvx3LpyqWwZ0Mawc@gondor.apana.org.au>
In-Reply-To: <CAHk-=wgqvApXmXxk42eZK1u5T60aRWnBMeJOs7JwP-+qqLq6zQ@mail.gmail.com>

On Tue, Aug 16, 2022 at 09:41:52AM -0700, Linus Torvalds wrote:
> So I think the code problem is easy, I think the real problem here has
> always been bad documentation, and it would be really good to clarify
> that.
> 
> Comments?

The problem is that test_and_set_bit has been unambiguously
documented to have memory barriers since 2005:

commit 3085f02b869d980c5588f3e8fb136b0b465a2759
Author: David S. Miller <davem@nuts.davemloft.net>
Date:   Fri Feb 4 23:39:15 2005 -0800

    [DOC]: Add asm/atomic.h asm/bitops.h implementation specification.

And this is what it says:

+       int test_and_set_bit(unsigned long nr, volatils unsigned long *addr);
+       int test_and_clear_bit(unsigned long nr, volatils unsigned long *addr);
+       int test_and_change_bit(unsigned long nr, volatils unsigned long *addr);
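
Review bot: `volatils` in all three prototypes is not a C type qualifier, so the documented signatures match nothing a reader could compile against; each should read `volatile unsigned long *addr`.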

	...snip...

+These routines, like the atomic_t counter operations returning values,
+require explicit memory barrier semantics around their execution.  All
+memory operations before the atomic bit operation call must be made
+visible globally before the atomic bit operation is made visible.
+Likewise, the atomic bit operation must be visible globally before any
+subsequent memory operation is made visible.  For example:
+
+       obj->dead = 1;
+       if (test_and_set_bit(0, &obj->flags))
+               /* ... */;
+       obj->killed = 1;
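
Review bot: the paragraph does not say whether the ordering also applies when the bit was already set, which is exactly the outcome the example's `if (test_and_set_bit(0, &obj->flags))` branch singles out; the text should state that both return values are ordered. The example also ends at `obj->killed = 1;` without spelling out which of the two stores must be visible before the bit and which after it, so a sentence naming `obj->dead` and `obj->killed` explicitly would help.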

This file wasn't removed until 16/11/2020 by f0400a77ebdc.

In that time people who wrote code using test_and_set_bit could have
legitimately relied on the memory barrier as documented.  Changing
this retrospectively is dangerous.

I'm fine with introducing new primitives that have different
properties, and then converting the existing users of test_and_set_bit
over on a case-by-case basis.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
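
The ordering contract quoted in the message above, as an added example (not part of the original message and not kernel code): a userspace C11 model in which a reader that sees `killed` must also see the bit and `dead`, whether or not the bit was already set when the call ran. The names `model_test_and_set_bit`, `observe` and `run_trials` are hypothetical, and the model assumes C11 atomics and POSIX threads, with seq_cst fences standing in for the kernel's full barriers.

```c
#include <pthread.h>
#include <stdatomic.h>

/* Field names follow the quoted example; everything else is constructed. */
struct obj { atomic_int dead; atomic_ulong flags; atomic_int killed; };

/* Model of the quoted contract: a full barrier on each side of the
 * read-modify-write, issued whether or not the bit was already set. */
static int model_test_and_set_bit(unsigned long nr, atomic_ulong *addr)
{
    unsigned long mask = 1UL << nr, old;
    atomic_thread_fence(memory_order_seq_cst);   /* earlier accesses first */
    old = atomic_fetch_or_explicit(addr, mask, memory_order_relaxed);
    atomic_thread_fence(memory_order_seq_cst);   /* later accesses after */
    return (old & mask) != 0;
}

static void *writer(void *p)             /* the sequence from the quoted text */
{
    struct obj *o = p;
    atomic_store_explicit(&o->dead, 1, memory_order_relaxed);
    (void)model_test_and_set_bit(0, &o->flags);
    atomic_store_explicit(&o->killed, 1, memory_order_relaxed);
    return NULL;
}

/* Returns 1 on a violation: killed visible without the bit or without dead. */
static int observe(struct obj *o)
{
    int killed = atomic_load_explicit(&o->killed, memory_order_relaxed);
    atomic_thread_fence(memory_order_seq_cst);
    return killed && !((atomic_load(&o->flags) & 1UL) && atomic_load(&o->dead));
}

/* preset != 0 starts with bit 0 already set, so the call finds it set. */
int run_trials(int n, int preset)
{
    int bad = 0;
    for (int i = 0; i < n; i++) {
        struct obj o = { .flags = preset ? 1UL : 0UL };
        pthread_t t;
        if (pthread_create(&t, NULL, writer, &o)) return -1;
        bad += observe(&o);              /* races with the writer */
        pthread_join(t, NULL);
        bad += observe(&o);              /* writer finished: all visible */
    }
    return bad;
}
int main(void) { return (run_trials(1000, 0) + run_trials(1000, 1)) != 0; }
```

Dropping the second fence lets the C11 model reorder the `killed` store ahead of the bit, which is the kind of reliance on documented ordering the message is concerned about.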
