From: Boqun Feng <boqun.feng@gmail.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>,
Breno Leitao <leitao@debian.org>, Ingo Molnar <mingo@redhat.com>,
Will Deacon <will@kernel.org>, Waiman Long <longman@redhat.com>,
aeh@meta.com, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, jhs@mojatatu.com, kernel-team@meta.com,
Erik Lundgren <elundgren@meta.com>,
"Paul E. McKenney" <paulmck@kernel.org>
Subject: Re: [PATCH] lockdep: Speed up lockdep_unregister_key() with expedited RCU synchronization
Date: Mon, 24 Mar 2025 12:21:07 -0700 [thread overview]
Message-ID: <67e1b0a6.050a0220.91d85.6caf@mx.google.com> (raw)
In-Reply-To: <CANn89iKykrnUVUsqML7dqMuHx6OuGnKWg-xRUV4ch4vGJtUTeg@mail.gmail.com>
On Mon, Mar 24, 2025 at 01:23:50PM +0100, Eric Dumazet wrote:
[...]
> > > ---
> > > kernel/locking/lockdep.c | 6 ++++--
> > > 1 file changed, 4 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
> > > index 4470680f02269..a79030ac36dd4 100644
> > > --- a/kernel/locking/lockdep.c
> > > +++ b/kernel/locking/lockdep.c
> > > @@ -6595,8 +6595,10 @@ void lockdep_unregister_key(struct lock_class_key *key)
> > > if (need_callback)
> > > call_rcu(&delayed_free.rcu_head, free_zapped_rcu);
> > >
> > > - /* Wait until is_dynamic_key() has finished accessing k->hash_entry. */
> > > - synchronize_rcu();
I feel a bit confusing even for the old comment, normally I would expect
the caller of lockdep_unregister_key() should guarantee the key has been
unpublished, in other words, there is no way a lockdep_unregister_key()
could race with a register_lock_class()/lockdep_init_map_type(). The
synchronize_rcu() is not needed then.
Let's say someone breaks my assumption above, then when doing a
register_lock_class() with a key about to be unregister, I cannot see
anything stops the following:
CPU 0 CPU 1
===== =====
register_lock_class():
...
} else if (... && !is_dynamic_key(lock->key)) {
// ->key is not unregistered yet, so this branch is not
// taken.
return NULL;
}
lockdep_unregister_key(..);
// key unregister, can be free
// any time.
key = lock->key->subkeys + subclass; // BOOM! UAF.
So either we don't need the synchronize_rcu() here or the
synchronize_rcu() doesn't help at all. Am I missing something subtle
here?
Regards,
Boqun
> > > + /* Wait until is_dynamic_key() has finished accessing k->hash_entry.
> > > + * This needs to be quick, since it is called in critical sections
> > > + */
> > > + synchronize_rcu_expedited();
> > > }
> > > EXPORT_SYMBOL_GPL(lockdep_unregister_key);
> >
> > So I fundamentally despise synchronize_rcu_expedited(), also your
> > comment style is broken.
> >
> > Why can't qdisc call this outside of the lock?
>
> Good luck with that, and anyway the time to call it 256 times would
> still hurt Breno use case.
>
> My suggestion was to change lockdep_unregister_key() contract, and use
> kfree_rcu() there
>
> > I think we should redesign lockdep_unregister_key() to work on a separately
> > allocated piece of memory,
> > then use kfree_rcu() in it.
> >
> > Ie not embed a "struct lock_class_key" in the struct Qdisc, but a pointer to
> >
> > struct ... {
> > struct lock_class_key key;
> > struct rcu_head rcu;
> > }
>
> More work because it requires changing all lockdep_unregister_key() users.
next prev parent reply other threads:[~2025-03-24 19:21 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-21 9:30 [PATCH] lockdep: Speed up lockdep_unregister_key() with expedited RCU synchronization Breno Leitao
2025-03-21 10:37 ` Eric Dumazet
2025-03-21 14:22 ` Breno Leitao
2025-03-24 12:12 ` Peter Zijlstra
2025-03-24 12:23 ` Eric Dumazet
2025-03-24 12:24 ` Eric Dumazet
2025-03-24 19:21 ` Boqun Feng [this message]
2025-03-24 19:30 ` Boqun Feng
2025-03-25 0:47 ` Boqun Feng
2025-03-25 1:56 ` Waiman Long
2025-03-25 3:41 ` Boqun Feng
[not found] ` <934d794b-7ebc-422c-b4fe-3e658a2e5e7a@redhat.com>
2025-03-25 14:57 ` Waiman Long
2025-03-25 18:45 ` Boqun Feng
2025-03-25 19:23 ` Waiman Long
2025-03-25 19:42 ` Boqun Feng
2025-03-25 23:20 ` Waiman Long
2025-03-26 5:25 ` Boqun Feng
[not found] ` <df237702-55c3-466b-b51e-f3fe46ae03ba@redhat.com>
2025-03-26 16:40 ` Waiman Long
2025-03-26 16:47 ` Boqun Feng
2025-03-26 17:02 ` Waiman Long
2025-03-26 17:10 ` Paul E. McKenney
2025-03-26 18:42 ` Boqun Feng
2025-03-26 21:37 ` Paul E. McKenney
2025-03-31 16:48 ` Breno Leitao
2025-03-31 17:34 ` Boqun Feng
2025-03-31 17:26 ` Boqun Feng
2025-03-31 17:33 ` Waiman Long
2025-03-31 18:33 ` Paul E. McKenney
2025-03-31 18:57 ` Waiman Long
2025-03-31 21:21 ` Boqun Feng
2025-03-31 21:47 ` Waiman Long
2025-03-31 17:42 ` Eric Dumazet
2025-07-09 10:00 ` Breno Leitao
2025-07-09 13:57 ` Waiman Long
2025-07-09 14:57 ` Boqun Feng
2025-07-19 17:40 ` [tip: locking/core] " tip-bot2 for Breno Leitao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=67e1b0a6.050a0220.91d85.6caf@mx.google.com \
--to=boqun.feng@gmail.com \
--cc=aeh@meta.com \
--cc=edumazet@google.com \
--cc=elundgren@meta.com \
--cc=jhs@mojatatu.com \
--cc=kernel-team@meta.com \
--cc=leitao@debian.org \
--cc=linux-kernel@vger.kernel.org \
--cc=longman@redhat.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.