From: Peter Hurley <peter@hurleysoftware.com>
To: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Huang Ying <ying.huang@intel.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Andi Kleen <ak@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: Possible ABA in use of llist.h llist_del_first() in tty_buffer and ib_rdma
Date: Thu, 31 Mar 2016 06:58:51 -0700 [thread overview]
Message-ID: <56FD2D1B.2010208@hurleysoftware.com> (raw)
In-Reply-To: <1934237589.41303.1459417221186.JavaMail.zimbra@efficios.com>
Hi Mathieu,
On 03/31/2016 02:40 AM, Mathieu Desnoyers wrote:
> CCing LKML.
>
> ----- On Mar 31, 2016, at 5:39 AM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:
>
>> Hi,
>>
>> Code review (really: grepping the Linux kernel for
>> llist_del_first) leads me to notice two possible ABA issues.
>> The first one is in drivers/tty/tty_buffer.c, and is due to
>> its use of llist_del_all and llist_del_first without locking
>> since commit 809850b7a5 "tty: Use lockless flip buffer free list".
>>
>> Unfortunately, it appears to do so without respecting the
>> locking requirements associated with llist_del_first.
>>
>> Quoting llist.h:
>>
>> " * If there are multiple producers and one consumer, llist_add can be
>> * used in producers and llist_del_all or llist_del_first can be used
>> * in the consumer.
The use of llist_del_all in tty_buffer_free_all() is not concurrent with
any other use of the free list; the comments for tty_buffer_free_all() even
note the special condition.
Only the llist_del_first() and llist_add() usage are concurrent, and fwiw,
that usage is single-producer/single-consumer.
Regards,
Peter Hurley
>> * This can be summarized as follow:
>> *
>> * | add | del_first | del_all
>> * add | - | - | -
>> * del_first | | L | L
>> * del_all | | | -
>> *
>> * Where "-" stands for no lock is needed, while "L" stands for lock
>> * is needed.
>> "
>>
>> As soon as a llist_del_first() is used, then both llist_del_first()
>> and llist_del_all() need to be protected by a lock, thus preventing
>> ABA in llist_del_first().
>>
>> An alternative to locking would be to only use llist_del_all() and
>> never llist_del_first().
>>
>> I'm also noticing a similar concurrent use of llist_del_first() and
>> llist_del_all() in commit 1bc144b625 "net, rds, Replace xlist in net/rds/xlist.h
>> with llist".
>> The locking surrounding their use (especially in rds_ib_reuse_mr)
>> don't appear clearly documented there. Perhaps there was a preexisting
>> issue with the xlist.h use too ?
>>
>> Thanks,
>>
>> Mathieu
>>
>> --
>> Mathieu Desnoyers
>> EfficiOS Inc.
>> http://www.efficios.com
>
next prev parent reply other threads:[~2016-03-31 13:58 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <513177315.41302.1459417186529.JavaMail.zimbra@efficios.com>
2016-03-31 9:40 ` Possible ABA in use of llist.h llist_del_first() in tty_buffer and ib_rdma Mathieu Desnoyers
2016-03-31 13:58 ` Peter Hurley [this message]
2016-04-01 21:32 ` Mathieu Desnoyers
2016-04-01 23:50 ` Peter Hurley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56FD2D1B.2010208@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=ak@linux.intel.com \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=ying.huang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.