From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>,
Peter Zijlstra <peterz@infradead.org>,
linux-kernel@vger.kernel.org, mingo@elte.hu,
laijs@cn.fujitsu.com, dipankar@in.ibm.com,
akpm@linux-foundation.org, josh@joshtriplett.org,
dvhltc@us.ibm.com, niv@us.ibm.com, tglx@linutronix.de,
rostedt@goodmis.org, Valdis.Kletnieks@vt.edu,
dhowells@redhat.com, eric.dumazet@gmail.com,
Arnd Bergmann <arnd@relay.de.ibm.com>,
Arnd Bergmann <arnd@arndb.de>
Subject: Re: [PATCH RFC tip/core/rcu 23/23] vhost: add __rcu annotations
Date: Tue, 18 May 2010 08:07:41 -0700 [thread overview]
Message-ID: <20100518150741.GF2302@linux.vnet.ibm.com> (raw)
In-Reply-To: <20100518142557.GA29457@redhat.com>
On Tue, May 18, 2010 at 05:25:57PM +0300, Michael S. Tsirkin wrote:
> On Tue, May 18, 2010 at 07:20:08AM -0700, Paul E. McKenney wrote:
> > On Mon, May 17, 2010 at 09:35:28PM -0400, Mathieu Desnoyers wrote:
> > > * Paul E. McKenney (paulmck@linux.vnet.ibm.com) wrote:
> > > > On Mon, May 17, 2010 at 07:40:25PM -0400, Mathieu Desnoyers wrote:
> > > > > * Paul E. McKenney (paulmck@linux.vnet.ibm.com) wrote:
> > > > > > On Mon, May 17, 2010 at 06:00:25PM -0400, Mathieu Desnoyers wrote:
> >
> > [ . . . ]
> >
> > > > > > But perhaps we should be simply treating this as a use-after-free
> > > > > > problem, so that RCU is not directly involved. Isn't that the standard
> > > > > > use of debugobjects anyway?
> > > > >
> > > > > OK so we could tie "rcu_dereference" do debugobjects, and free would be
> > > > > a standard free. Yes, I think it could be done. It looks a bit like the
> > > > > memory allocation debugging code. If we know that a certain
> > > > > rcu_dereference always access dynamically allocated memory, we could
> > > > > probably add some checks there based on the memory allocator debug
> > > > > objects.
> > > >
> > > > We probably need vhost to add code at the end of the relevant RCU
> > > > read-side critical section checking that the pointers returned by
> > > > any rcu_dereference() calls still point to valid memory. Don't get
> > > > me wrong, your approach could find bugs in which someone forgot to
> > > > remove the RCU-protected structure from a public list, but it could
> > > > not detect failure to wait a grace period between the time of removal
> > > > and the time of freeing.
> > >
> > > Good point too. So something like a new rcu_unreference() (or feel free
> > > to find any better name) ;) that would be compiled out normally, but
> > > would call into debugobjects might do the trick. We would have to add
> > > these annotations to match every rcu_dereference() though, might means a
> > > lot of new lines of code. On the plus side, that looks like a good audit
> > > of RCU read-side use. ;)
> >
> > My first thought is that we have added quite a bit of RCU consistency
> > check code in the past few months, so we should see what bugs they find
> > and what bugs escape. It is all too easy to create consistency check
> > code that is more trouble than it is worth.
>
> Right. Do the patches that started this discussion catch anything BTW?
All three approaches have found some bugs.
> > But in the meantime, let's see what would be required to check for
> > failures to insert grace-period delays:
> >
> > o There would need to be something like rcu_unreference(),
> > rcu_no_more_readers() or some such after the grace period.
> > The update side would then become something like the following:
> >
> > oldp = rcu_dereference_protected(gp, &mylock);
> > rcu_assign_pointer(gp, newp);
> > synchronize_rcu();
> > rcu_no_more_readers(oldp);
> > kfree(oldp);
> >
> > o There would need to be something to check all of the pointers
> > traversed in the read-side critical sections:
> >
> > rcu_read_lock();
> > ...
> > p1 = rcu_dereference(gp1->field1);
> > ...
> > p2 = rcu_dereference(gp2->field2);
> > ...
> >
> > rcu_validate(p1);
> > rcu_validate(p2);
> > rcu_read_unlock();
> >
>
> what does rcu_validate do?
It checks to make sure that the pointer still points to something valid.
> > One thing that bothers me about this is that we are forcing the developer
> > to do a lot of extra typing. For example, rcu_no_more_readers() is in
> > a truth-and-beauty sense redundant with kfree() -- why type both?
>
> With kfree, yes. We could stick rcu_no_more_readers in kfree I guess?
But why not just use the existing debugobjects? You can just use
something like this:
debug_check_no_obj_freed(p1, sizeof(*p1));
in place of:
rcu_validate(p1);
Of course, if you are using your own custom allocator, you will need
to put the allocation/free checks in, same as slab and the others
currently do.
Thanx, Paul
> > The
> > same could be said about rcu_validate() and rcu_read_unlock(), but nested
> > RCU read-side critical sections make this difficult.
> > Or am I misunderstanding what you are suggesting?
> >
> > Thanx, Paul
next prev parent reply other threads:[~2010-05-18 15:07 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-05-12 21:33 [PATCH tip/core/rcu 0/23] infrastructure for sparse checks for RCU usage Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 01/23] rcu: add an rcu_dereference_index_check() Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 02/23] rcu: add __rcu API for later sparse checking Paul E. McKenney
2010-05-13 20:53 ` Matt Helsley
2010-05-13 21:48 ` Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 03/23] vfs: add fs.h to define struct file Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 04/23] net: Make accesses to ->br_port safe for sparse RCU Paul E. McKenney
2010-05-12 21:44 ` Stephen Hemminger
2010-05-12 22:35 ` Paul E. McKenney
2010-05-13 1:33 ` Stephen Hemminger
2010-05-13 2:00 ` Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 05/23] mce: convert to rcu_dereference_index_check() Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 06/23] rcu: define __rcu address space modifier for sparse Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 07/23] rculist: avoid __rcu annotations Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 08/23] cgroups: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 09/23] credentials: rcu annotation Paul E. McKenney
2010-05-13 10:04 ` David Howells
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 10/23] keys: __rcu annotations Paul E. McKenney
2010-05-13 10:05 ` David Howells
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 11/23] nfs: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 12/23] net: __rcu annotations for drivers Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 13/23] perf_event: __rcu annotations Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 14/23] notifiers: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 15/23] radix-tree: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 16/23] idr: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 17/23] input: " Paul E. McKenney
2010-05-13 7:40 ` Dmitry Torokhov
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 18/23] net/netfilter: " Paul E. McKenney
2010-05-13 13:21 ` Patrick McHardy
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 19/23] kvm: add " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 20/23] kernel: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 21/23] net: " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 22/23] kvm: more " Paul E. McKenney
2010-05-12 21:33 ` [PATCH RFC tip/core/rcu 23/23] vhost: add " Paul E. McKenney
2010-05-12 21:48 ` Michael S. Tsirkin
2010-05-12 23:00 ` Paul E. McKenney
2010-05-13 3:53 ` Michael S. Tsirkin
2010-05-13 4:49 ` Paul E. McKenney
2010-05-13 4:50 ` Michael S. Tsirkin
2010-05-13 19:55 ` Paul E. McKenney
2010-05-13 13:07 ` Peter Zijlstra
2010-05-13 15:23 ` Paul E. McKenney
2010-05-17 20:33 ` Michael S. Tsirkin
2010-05-17 21:06 ` Paul E. McKenney
2010-05-17 22:00 ` Mathieu Desnoyers
2010-05-17 23:05 ` Paul E. McKenney
2010-05-17 23:08 ` Michael S. Tsirkin
2010-05-17 23:40 ` Mathieu Desnoyers
2010-05-18 0:34 ` Paul E. McKenney
2010-05-18 1:35 ` Mathieu Desnoyers
2010-05-18 14:20 ` Paul E. McKenney
2010-05-18 14:25 ` Michael S. Tsirkin
2010-05-18 15:07 ` Paul E. McKenney [this message]
2010-05-18 14:47 ` Mathieu Desnoyers
2010-05-18 15:11 ` Paul E. McKenney
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100518150741.GF2302@linux.vnet.ibm.com \
--to=paulmck@linux.vnet.ibm.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=arnd@relay.de.ibm.com \
--cc=dhowells@redhat.com \
--cc=dipankar@in.ibm.com \
--cc=dvhltc@us.ibm.com \
--cc=eric.dumazet@gmail.com \
--cc=josh@joshtriplett.org \
--cc=laijs@cn.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@polymtl.ca \
--cc=mingo@elte.hu \
--cc=mst@redhat.com \
--cc=niv@us.ibm.com \
--cc=peterz@infradead.org \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.