From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.6 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02D7BC43603 for ; Mon, 16 Dec 2019 10:28:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id CD16D20725 for ; Mon, 16 Dec 2019 10:28:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576492095; bh=aJNODjNlV3v54INi4VXe5H6gmqwl3DaOFDNd3U6oYJs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=0h5vjij90jGSWqtjK4IQZgrlrwe9R8NoMyflqBMlWCFS8RTjrqshHpLzjq/aEmDRq Eo0AXHZWRWLh2tlFAwsjcMjpRf8aXzQg29x0CdeqZqILWM93Bi2hT+/tsfNkyCu80s IDUgWUhDhNxrDxotwJaVmrpgUQ2c5FXhpY2Di878= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727483AbfLPK2P (ORCPT ); Mon, 16 Dec 2019 05:28:15 -0500 Received: from mail.kernel.org ([198.145.29.99]:47144 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727099AbfLPK2M (ORCPT ); Mon, 16 Dec 2019 05:28:12 -0500 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A7CFD206CB; Mon, 16 Dec 2019 10:28:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576492091; bh=aJNODjNlV3v54INi4VXe5H6gmqwl3DaOFDNd3U6oYJs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=PQl9UUy06Hwnhc+WgyHD0YW0DQzVIQ3siJt9h2AJUf2ItnavgPY6wHx2lPr17QIQn pWJIbXf9wTMoC3M3VQX7GFymirkp4wWHUq5YB2bZkO1uOlk9b2v98++N2Cjd8ShJBl a4tkOdQpyWd0Yqop+KfyrtBhCC5RfjzevBWWVcHs= Date: Mon, 16 Dec 2019 10:28:06 +0000 From: Will Deacon To: Arnd Bergmann Cc: Linus Torvalds , Peter Zijlstra , Michael Ellerman , Daniel Axtens , Linux Kernel Mailing List , linuxppc-dev , Christophe Leroy , linux-arch , Mark Rutland , Segher Boessenkool , Christian Borntraeger Subject: Re: READ_ONCE() + STACKPROTECTOR_STRONG == :/ (was Re: [GIT PULL] Please pull powerpc/linux.git powerpc-5.5-2 tag (topic/kasan-bitops)) Message-ID: <20191213144359.GA3826@willie-the-truck> References: <875zimp0ay.fsf@mpe.ellerman.id.au> <20191212080105.GV2844@hirez.programming.kicks-ass.net> <20191212100756.GA11317@willie-the-truck> <20191212104610.GW2827@hirez.programming.kicks-ass.net> <20191212180634.GA19020@willie-the-truck> <20191212193401.GB19020@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 13, 2019 at 02:17:08PM +0100, Arnd Bergmann wrote: > On Thu, Dec 12, 2019 at 9:50 PM Linus Torvalds > wrote: > > On Thu, Dec 12, 2019 at 11:34 AM Will Deacon wrote: > > > The root of my concern in all of this, and what started me looking at it in > > > the first place, is the interaction with 'typeof()'. Inheriting 'volatile' > > > for a pointer means that local variables in macros declared using typeof() > > > suddenly start generating *hideous* code, particularly when pointless stack > > > spills get stackprotector all excited. > > > > Yeah, removing volatile can be a bit annoying. > > > > For the particular case of the bitops, though, it's not an issue. > > Since you know the type there, you can just cast it. > > > > And if we had the rule that READ_ONCE() was an arithmetic type, you could do > > > > typeof(0+(*p)) __var; > > > > since you might as well get the integer promotion anyway (on the > > non-volatile result). > > > > But that doesn't work with structures or unions, of course. > > > > I'm not entirely sure we have READ_ONCE() with a struct. I do know we > > have it with 64-bit entities on 32-bit machines, but that's ok with > > the "0+" trick. > > I'll have my randconfig builder look for instances, so far I found one, > see below. My feeling is that it would be better to enforce at least > the size being a 1/2/4/8, to avoid cases where someone thinks > the access is atomic, but it falls back on a memcpy. I've been using something similar built on compiletime_assert_atomic_type() and I spotted another instance in the xdp code (xskq_validate_desc()) which tries to READ_ONCE() on a 128-bit descriptor, although a /very/ quick read of the code suggests that this probably can't be concurrently modified if the ring indexes are synchronised properly. However, enabling this for 32-bit ARM is total carnage; as Linus mentioned, a whole bunch of code appears to be relying on atomic 64-bit access of READ_ONCE(); the perf ring buffer, io_uring, the scheduler, pm_runtime, cpuidle, ... :( Unfortunately, at least some of these *do* look like bugs, but I can't see how we can fix them, not least because the first two are user ABI afaict. It may also be that in practice we get 2x32-bit stores, and that works out fine when storing a 32-bit virtual address. I'm not sure what (if anything) the compiler guarantees in these cases. Will From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.3 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS, USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8CAF9C43603 for ; Mon, 16 Dec 2019 10:30:30 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 08283206CB for ; Mon, 16 Dec 2019 10:30:29 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=kernel.org header.i=@kernel.org header.b="PQl9UUy0" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 08283206CB Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from lists.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 47byGB4ys2zDqRZ for ; Mon, 16 Dec 2019 21:30:26 +1100 (AEDT) Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org (client-ip=198.145.29.99; helo=mail.kernel.org; envelope-from=will@kernel.org; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=pass (p=none dis=none) header.from=kernel.org Authentication-Results: lists.ozlabs.org; dkim=pass (1024-bit key; unprotected) header.d=kernel.org header.i=@kernel.org header.b="PQl9UUy0"; dkim-atps=neutral Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 47byCf45xBzDqNG for ; Mon, 16 Dec 2019 21:28:14 +1100 (AEDT) Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A7CFD206CB; Mon, 16 Dec 2019 10:28:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1576492091; bh=aJNODjNlV3v54INi4VXe5H6gmqwl3DaOFDNd3U6oYJs=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=PQl9UUy06Hwnhc+WgyHD0YW0DQzVIQ3siJt9h2AJUf2ItnavgPY6wHx2lPr17QIQn pWJIbXf9wTMoC3M3VQX7GFymirkp4wWHUq5YB2bZkO1uOlk9b2v98++N2Cjd8ShJBl a4tkOdQpyWd0Yqop+KfyrtBhCC5RfjzevBWWVcHs= Date: Mon, 16 Dec 2019 10:28:06 +0000 From: Will Deacon To: Arnd Bergmann Subject: Re: READ_ONCE() + STACKPROTECTOR_STRONG == :/ (was Re: [GIT PULL] Please pull powerpc/linux.git powerpc-5.5-2 tag (topic/kasan-bitops)) Message-ID: <20191213144359.GA3826@willie-the-truck> References: <875zimp0ay.fsf@mpe.ellerman.id.au> <20191212080105.GV2844@hirez.programming.kicks-ass.net> <20191212100756.GA11317@willie-the-truck> <20191212104610.GW2827@hirez.programming.kicks-ass.net> <20191212180634.GA19020@willie-the-truck> <20191212193401.GB19020@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-arch , Christian Borntraeger , Peter Zijlstra , Linux Kernel Mailing List , Linus Torvalds , Mark Rutland , linuxppc-dev , Daniel Axtens Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Fri, Dec 13, 2019 at 02:17:08PM +0100, Arnd Bergmann wrote: > On Thu, Dec 12, 2019 at 9:50 PM Linus Torvalds > wrote: > > On Thu, Dec 12, 2019 at 11:34 AM Will Deacon wrote: > > > The root of my concern in all of this, and what started me looking at it in > > > the first place, is the interaction with 'typeof()'. Inheriting 'volatile' > > > for a pointer means that local variables in macros declared using typeof() > > > suddenly start generating *hideous* code, particularly when pointless stack > > > spills get stackprotector all excited. > > > > Yeah, removing volatile can be a bit annoying. > > > > For the particular case of the bitops, though, it's not an issue. > > Since you know the type there, you can just cast it. > > > > And if we had the rule that READ_ONCE() was an arithmetic type, you could do > > > > typeof(0+(*p)) __var; > > > > since you might as well get the integer promotion anyway (on the > > non-volatile result). > > > > But that doesn't work with structures or unions, of course. > > > > I'm not entirely sure we have READ_ONCE() with a struct. I do know we > > have it with 64-bit entities on 32-bit machines, but that's ok with > > the "0+" trick. > > I'll have my randconfig builder look for instances, so far I found one, > see below. My feeling is that it would be better to enforce at least > the size being a 1/2/4/8, to avoid cases where someone thinks > the access is atomic, but it falls back on a memcpy. I've been using something similar built on compiletime_assert_atomic_type() and I spotted another instance in the xdp code (xskq_validate_desc()) which tries to READ_ONCE() on a 128-bit descriptor, although a /very/ quick read of the code suggests that this probably can't be concurrently modified if the ring indexes are synchronised properly. However, enabling this for 32-bit ARM is total carnage; as Linus mentioned, a whole bunch of code appears to be relying on atomic 64-bit access of READ_ONCE(); the perf ring buffer, io_uring, the scheduler, pm_runtime, cpuidle, ... :( Unfortunately, at least some of these *do* look like bugs, but I can't see how we can fix them, not least because the first two are user ABI afaict. It may also be that in practice we get 2x32-bit stores, and that works out fine when storing a 32-bit virtual address. I'm not sure what (if anything) the compiler guarantees in these cases. Will