Re: [PATCH] mm: fix a data race in put_page()

[Qian Cai <cai@lca.pw>]

> On Feb 6, 2020, at 7:27 PM, John Hubbard <jhubbard@nvidia.com> wrote:
> 
> On 2/6/20 4:18 PM, Qian Cai wrote:
>>> On Feb 6, 2020, at 6:34 PM, John Hubbard <jhubbard@nvidia.com> wrote:
>>> On 2/6/20 7:23 AM, Qian Cai wrote:
>>>>> On Feb 6, 2020, at 9:55 AM, Jan Kara <jack@suse.cz> wrote:
>>>>> I don't think the problem is real. The question is how to make KCSAN happy
>>>>> in a way that doesn't silence other possibly useful things it can find and
>>>>> also which makes it most obvious to the reader what's going on... IMHO
>>>>> using READ_ONCE() fulfills these targets nicely - it is free
>>>>> performance-wise in this case, it silences the checker without impacting
>>>>> other races on page->flags, its kind of obvious we don't want the load torn
>>>>> in this case so it makes sense to the reader (although a comment may be
>>>>> nice).
>>>> 
>>>> Actually, use the data_race() macro there fulfilling the same purpose too, i.e, silence the splat here but still keep searching for other races.
>>>> 
>>> 
>>> Yes, but both READ_ONCE() and data_race() would be saying untrue things about this code,
>>> and that somewhat offends my sense of perfection... :)
>>> 
>>> * READ_ONCE(): this field need not be restricted to being read only once, so the
>>> name is immediately wrong. We're using side effects of READ_ONCE().
>>> 
>>> * data_race(): there is no race on the N bits worth of page zone number data. There
>>> is only a perceived race, due to tools that look at word-level granularity.
>>> 
>>> I'd propose one or both of the following:
>>> 
>>> a) Hope that Marco (I've fixed the typo in his name. --jh) has an idea to enhance KCSAN so as to support this model of
>>>  access, and/or
>> 
>> A similar thing was brought up before, i.e., anything compared to zero is immune to load-tearing
>> issues, but it is rather difficult to implement it in the compiler, so it was settled to use data_race(),
>> 
>> https://lore.kernel.org/lkml/CANpmjNN8J1oWtLPHTgCwbbtTuU_Js-8HD=cozW5cYkm8h-GTBg@mail.gmail.com/#r
>> 
> 
> 
> Thanks for that link to the previous discussion, good context.
> 
> 
>>> 
>>> b) Add a new, better-named macro to indicate what's going on. Initial bikeshed-able
>>>  candidates:
>>> 
>>> 	READ_RO_BITS()
>>> 	READ_IMMUTABLE_BITS()
>>> 	...etc...
>>> 
>> 
>> Actually, Linus might hate those kinds of complication rather than a simple data_race() macro,
>> 
>> https://lore.kernel.org/linux-fsdevel/CAHk-=wg5CkOEF8DTez1Qu0XTEFw_oHhxN98bDnFqbY7HL5AB2g@mail.gmail.com/
>> 
> 
> Another good link. However, my macros above haven't been proposed yet, and I'm perfectly 
> comfortable proposing something that Linus *might* (or might not!) hate. No point in 
> guessing about it, IMHO.
> 
> If you want, I'll be happy to put on my flame suit and post a patchset proposing 
> READ_IMMUTABLE_BITS() (or a better-named thing, if someone has another name idea).  :)
> 

BTW, the current comment said (note, it is called “access” which in this case it does read the whole word
rather than those 3 bits, even though it is only those bits are of interested for us),

/*
 * data_race(): macro to document that accesses in an expression may conflict with
 * other concurrent accesses resulting in data races, but the resulting
 * behaviour is deemed safe regardless.
 *
 * This macro *does not* affect normal code generation, but is a hint to tooling
 * that data races here should be ignored.
 */

Macro might have more to say.