From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S934823AbcCOMWk (ORCPT <rfc822;w@1wt.eu>);
	Tue, 15 Mar 2016 08:22:40 -0400
Received: from casper.infradead.org ([85.118.1.10]:53787 "EHLO
	casper.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932357AbcCOMVl (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 15 Mar 2016 08:21:41 -0400
Date: Tue, 15 Mar 2016 12:59:20 +0100
From: Peter Zijlstra <peterz@infradead.org>
To: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        =?iso-8859-1?Q?Fr=E9d=E9ric?= Weisbecker <fweisbec@gmail.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH] atomic: Fix bugs in 'fetch_or()' and rename it to
 'xchg_or()'
Message-ID: <20160315115920.GW6344@twins.programming.kicks-ass.net>
References: <20160314123200.GA15971@gmail.com>
 <CA+55aFyqG0xriTOus7wu527rdYHeLX3Qidt9ZzggL+MsR=_iQQ@mail.gmail.com>
 <20160315093245.GA7943@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160315093245.GA7943@gmail.com>
User-Agent: Mutt/1.5.21 (2012-12-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Mar 15, 2016 at 10:32:45AM +0100, Ingo Molnar wrote:
> +#ifndef xchg_or
> +# define xchg_or(ptr, mask)						\
> +({									\
> +	typeof(ptr)  __ptr  = (ptr);					\
> +	typeof(mask) __mask = (mask);					\
> +									\
> +	typeof(*(__ptr)) __old, __val = *__ptr;				\
> +									\
>  	for (;;) {							\
> +		__old = cmpxchg(__ptr, __val, __val | __mask);		\
>  		if (__old == __val)					\
>  			break;						\
>  		__val = __old;						\
>  	}								\
> +									\
>  	__old;								\
>  })

As reported by you this explodes, and it obvious from the generated asm
why:

     48e1: 89 c2                 mov    %eax,%edx
     48e3: 41 89 d0              mov    %edx,%r8d
     48e6: 31 c9                 xor    %ecx,%ecx
     48e8: 89 d0                 mov    %edx,%eax
     48ea: 41 83 c8 08           or     $0x8,%r8d
     48ee: f0 44 0f b1 01        lock cmpxchg %r8d,(%rcx)
     48f3: 39 c2                 cmp    %eax,%edx
     48f5: 75 ea                 jne    48e1 <resched_curr+0x31>

That's an unconditional NULL deref.

What happens is that __ptr from xchg_or() aliasses with __ptr from
cmpxchg() and weird stuff happens.

If you do: s/__ptr/_ptr/ or similar on the xchg_or() code it all works
again.