BPF List
From: sashiko-bot@kernel.org
To: "Ankur Arora" <ankur.a.arora@oracle.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v13 06/15] asm-generic: barrier: Add smp_cond_load_acquire_timeout()
Date: Thu, 02 Jul 2026 01:53:07 +0000
Message-ID: <20260702015307.77A281F000E9@smtp.kernel.org>
In-Reply-To: <20260702013334.140905-7-ankur.a.arora@oracle.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] `smp_cond_load_acquire_timeout` fails to provide LOAD->STORE ordering on the timeout path, violating its documented ACQUIRE guarantees.
- [Medium] The macro `smp_cond_load_acquire_timeout` evaluates its `ptr` argument after declaring a local variable named `VAL`. If the caller's `ptr` argument contains the identifier `VAL`, it will bind to the uninitialized local variable instead of the caller's variable.
--

commit c2af0d66e1b775084dedb2d6b232b40a8a269de9
Author: Ankur Arora <ankur.a.arora@oracle.com>

asm-generic: barrier: Add smp_cond_load_acquire_timeout()

This commit adds the acquire variant of smp_cond_load_relaxed_timeout().
It reuses the relaxed variant and adds LOAD->LOAD ordering via
smp_acquire__after_ctrl_dep() to ensure ordering on the timeout path.

> diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h
> index ecdaddbbd7b64..ad3c73da3cb6d 100644
> --- a/include/asm-generic/barrier.h
> +++ b/include/asm-generic/barrier.h

[ ... ]

> @@ -352,6 +352,46 @@ do {									\
>  })
>  #endif
>  
> +/**
> + * smp_cond_load_acquire_timeout() - (Spin) wait for cond until a timeout
> + * expires. ACQUIRE ordering when @cond_expr is satisfied.
> + * @ptr: pointer to the variable to wait on.
> + * @cond_expr: boolean expression to wait for.
> + * @time_expr_ns: monotonic expression that evaluates to time in ns or,
> + *  on failure, returns a negative value.
> + * @timeout_ns: timeout value in ns
> + * (Both of the above are assumed to be compatible with s64.)
> + *
> + * Equivalent to using smp_cond_load_acquire() on the condition variable with
> + * a timeout.
> + */
> +#ifndef smp_cond_load_acquire_timeout
> +#define smp_cond_load_acquire_timeout(ptr, cond_expr,			\
> +				      time_expr_ns, timeout_ns)		\
> +({									\
> +	__unqual_scalar_typeof(*(ptr)) VAL;				\
> +	VAL = smp_cond_load_relaxed_timeout(ptr, cond_expr,		\
> +					     time_expr_ns,		\
> +					     timeout_ns);		\

[Severity: Medium]
Could this local VAL declaration cause macro shadowing if a caller passes an
expression for ptr that contains VAL (such as &locks[VAL])?

If this occurs, it might bind to the uninitialized local VAL variable instead
of the caller's variable, causing the loop to poll on an incorrect memory
address.

> +	/*								\
> +	 * We arrive here once the loop condition is hit, on timeout,	\
> +	 * or, if we hit both the timeout and the loop condition.	\
> +	 *								\
> +	 * The last case is low probability, but possible in the last	\
> +	 * iteration, especially on architectures with waiting		\
> +	 * cpu_poll_relax() implementations (ex. arm64).		\
> +	 * Now since the loop condition is not evaluated on timeout,	\
> +	 * we have a missed control dependency.				\
> +	 *								\
> +	 * So, force a re-evaluation of the control dependency to	\
> +	 * provide an ACQUIRE ordering for that case as well.		\
> +	 */								\
> +	if (cond_expr)							\
> +		smp_acquire__after_ctrl_dep();				\
> +	(typeof(*(ptr)))VAL;						\
> +})
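
Review bot: the trailing `if (cond_expr)` expands the caller's condition a second time, after smp_cond_load_relaxed_timeout() has already returned, and the kerneldoc above the macro does not mention it. A @cond_expr with side effects would run them once more here, so the comment block should state that @cond_expr must be side-effect free. The kerneldoc also has no Return: line: the macro yields `(typeof(*(ptr)))VAL`, the value handed back by the relaxed variant, and nothing tells the caller that it has to re-check that value to tell a timeout from a satisfied condition.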

[Severity: High]
Since control dependencies only order stores that are executed within the
body of the if-statement according to the memory model, is LOAD->STORE
ordering missing on the timeout path?

The caller's subsequent code executes outside of this if (cond_expr) block,
so could this allow critical section stores to be hoisted above the lock
acquisition read?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260702013334.140905-1-ankur.a.arora@oracle.com?part=6
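
The shadowing concern raised in the Medium finding, shown as an added example (not part of the original message or of the kernel patch). The macro names, the `__PTR` temporary and the `locks` array are constructed for illustration, and the macro-local `VAL` is zero-initialised here only so the demonstration has defined behaviour.

```c
#include <stdio.h>

/* Constructed sample data: three "lock words"; only slot 2 is set. */
static int locks[3] = { 0, 0, 7 };

/*
 * Hypothetical stand-in for a macro that declares VAL first and expands
 * ptr afterwards. Any VAL inside ptr now names the macro's local, not the
 * caller's variable. (In the quoted hunk that local is uninitialised at
 * this point; it is set to 0 here to keep the demo well defined.)
 */
#define LOAD_CAPTURING(ptr)				\
({							\
	int VAL = 0;					\
	VAL = *(ptr);	/* ptr binds to the local VAL */	\
	VAL;						\
})

/*
 * Hygienic form: ptr is evaluated into a temporary before VAL comes into
 * scope, so a VAL inside ptr still refers to the caller's variable.
 */
#define LOAD_HYGIENIC(ptr)				\
({							\
	__typeof__(ptr) __PTR = (ptr);			\
	int VAL = *__PTR;				\
	VAL;						\
})

/* Callers that happen to index with a variable named VAL. */
static int load_capturing(int VAL) { return LOAD_CAPTURING(&locks[VAL]); }
static int load_hygienic(int VAL)  { return LOAD_HYGIENIC(&locks[VAL]); }

int main(void)
{
	/* Both callers ask for slot 2; only the hygienic macro reads it. */
	printf("capturing macro read: %d\n", load_capturing(2));
	printf("hygienic macro read:  %d\n", load_hygienic(2));
	return 0;
}
```

Building with `-Wshadow` flags the capturing form at the call site, which is a cheap check for this class of macro bug.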
