From: Jiri Slaby <jirislaby@kernel.org>
To: Marco Elver <elver@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Luc Van Oostenryck <luc.vanoostenryck@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
Alexander Potapenko <glider@google.com>,
Arnd Bergmann <arnd@arndb.de>,
Bart Van Assche <bvanassche@acm.org>,
Bill Wendling <morbo@google.com>,
Boqun Feng <boqun.feng@gmail.com>,
Dmitry Vyukov <dvyukov@google.com>,
Eric Dumazet <edumazet@google.com>,
Frederic Weisbecker <frederic@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Ingo Molnar <mingo@kernel.org>, Jann Horn <jannh@google.com>,
Joel Fernandes <joel@joelfernandes.org>,
Jonathan Corbet <corbet@lwn.net>,
Josh Triplett <josh@joshtriplett.org>,
Justin Stitt <justinstitt@google.com>,
Kees Cook <kees@kernel.org>,
Kentaro Takeda <takedakn@nttdata.co.jp>,
Mark Rutland <mark.rutland@arm.com>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Neeraj Upadhyay <neeraj.upadhyay@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Steven Rostedt <rostedt@goodmis.org>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Thomas Gleixner <tglx@linutronix.de>,
Uladzislau Rezki <urezki@gmail.com>,
Waiman Long <longman@redhat.com>, Will Deacon <will@kernel.org>,
kasan-dev@googlegroups.com, linux-kernel@vger.kernel.org,
llvm@lists.linux.dev, rcu@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-serial@vger.kernel.org
Subject: Re: [PATCH v2 31/34] drivers/tty: Enable capability analysis for core files
Date: Wed, 5 Mar 2025 10:15:05 +0100 [thread overview]
Message-ID: <569186c5-8663-43df-a01c-d543f57ce5ca@kernel.org> (raw)
In-Reply-To: <20250304092417.2873893-32-elver@google.com>
On 04. 03. 25, 10:21, Marco Elver wrote:
> Enable capability analysis for drivers/tty/*.
>
> This demonstrates a larger conversion to use Clang's capability
> analysis. The benefit is additional static checking of locking rules,
> along with better documentation.
>
> Signed-off-by: Marco Elver <elver@google.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Jiri Slaby <jirislaby@kernel.org>
...
> --- a/drivers/tty/tty_buffer.c
> +++ b/drivers/tty/tty_buffer.c
> @@ -52,10 +52,8 @@
> */
> void tty_buffer_lock_exclusive(struct tty_port *port)
> {
> - struct tty_bufhead *buf = &port->buf;
> -
> - atomic_inc(&buf->priority);
> - mutex_lock(&buf->lock);
> + atomic_inc(&port->buf.priority);
> + mutex_lock(&port->buf.lock);
Here and:
> @@ -73,7 +71,7 @@ void tty_buffer_unlock_exclusive(struct tty_port *port)
> bool restart = buf->head->commit != buf->head->read;
>
> atomic_dec(&buf->priority);
> - mutex_unlock(&buf->lock);
> + mutex_unlock(&port->buf.lock);
here, this appears excessive. You are changing code to adapt to one kind
of static analysis. Adding function annotations is mostly fine, but
changing code is too much. We don't do that. Fix the analyzer instead.
> --- a/drivers/tty/tty_io.c
> +++ b/drivers/tty/tty_io.c
> @@ -167,6 +167,7 @@ static void release_tty(struct tty_struct *tty, int idx);
> * Locking: none. Must be called after tty is definitely unused
> */
> static void free_tty_struct(struct tty_struct *tty)
> + __capability_unsafe(/* destructor */)
> {
> tty_ldisc_deinit(tty);
> put_device(tty->dev);
> @@ -965,7 +966,7 @@ static ssize_t iterate_tty_write(struct tty_ldisc *ld, struct tty_struct *tty,
> ssize_t ret, written = 0;
>
> ret = tty_write_lock(tty, file->f_flags & O_NDELAY);
> - if (ret < 0)
> + if (ret)
This change is not documented.
> @@ -1154,7 +1155,7 @@ int tty_send_xchar(struct tty_struct *tty, u8 ch)
> return 0;
> }
>
> - if (tty_write_lock(tty, false) < 0)
> + if (tty_write_lock(tty, false))
And this one. And more times later.
> --- a/drivers/tty/tty_ldisc.c
> +++ b/drivers/tty/tty_ldisc.c
...
> +/*
> + * Note: Capability analysis does not like asymmetric interfaces (above types
> + * for ref and deref are tty_struct and tty_ldisc respectively -- which are
> + * dependent, but the compiler cannot figure that out); in this case, work
> + * around that with this helper which takes an unused @tty argument but tells
> + * the analysis which lock is released.
> + */
> +static inline void __tty_ldisc_deref(struct tty_struct *tty, struct tty_ldisc *ld)
> + __releases_shared(&tty->ldisc_sem)
> + __capability_unsafe(/* matches released with tty_ldisc_ref() */)
> +{
> + tty_ldisc_deref(ld);
> +}
You want to invert the __ prefix for these two. tty_ldisc_deref() should
be kept as the one to be called by everybody.
thanks,
--
js
suse labs
next prev parent reply other threads:[~2025-03-05 9:15 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-04 9:20 [PATCH v2 00/34] Compiler-Based Capability- and Locking-Analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 01/34] compiler_types: Move lock checking attributes to compiler-capability-analysis.h Marco Elver
2025-03-04 23:26 ` Bart Van Assche
2025-03-05 8:36 ` Dan Carpenter
2025-03-05 9:13 ` Marco Elver
2025-03-05 9:27 ` Dan Carpenter
2025-03-04 9:21 ` [PATCH v2 02/34] compiler-capability-analysis: Add infrastructure for Clang's capability analysis Marco Elver
2025-03-04 15:29 ` Peter Zijlstra
2025-03-04 16:05 ` Marco Elver
2025-03-04 9:21 ` [PATCH v2 03/34] compiler-capability-analysis: Add test stub Marco Elver
2025-03-04 23:52 ` Bart Van Assche
2025-03-05 0:03 ` Marco Elver
2025-03-04 9:21 ` [PATCH v2 04/34] Documentation: Add documentation for Compiler-Based Capability Analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 05/34] checkpatch: Warn about capability_unsafe() without comment Marco Elver
2025-03-04 9:21 ` [PATCH v2 06/34] cleanup: Basic compatibility with capability analysis Marco Elver
2025-03-04 12:55 ` Peter Zijlstra
2025-03-04 13:09 ` Marco Elver
2025-03-04 23:57 ` Bart Van Assche
2025-03-04 9:21 ` [PATCH v2 07/34] lockdep: Annotate lockdep assertions for " Marco Elver
2025-03-04 9:21 ` [PATCH v2 08/34] locking/rwlock, spinlock: Support Clang's " Marco Elver
2025-03-04 14:30 ` Peter Zijlstra
2025-03-04 9:21 ` [PATCH v2 09/34] compiler-capability-analysis: Change __cond_acquires to take return value Marco Elver
2025-03-04 9:21 ` [PATCH v2 10/34] locking/mutex: Support Clang's capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 11/34] locking/seqlock: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 12/34] bit_spinlock: Include missing <asm/processor.h> Marco Elver
2025-03-04 9:21 ` [PATCH v2 13/34] bit_spinlock: Support Clang's capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 14/34] rcu: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 15/34] srcu: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 16/34] kref: Add capability-analysis annotations Marco Elver
2025-03-04 9:21 ` [PATCH v2 17/34] locking/rwsem: Support Clang's capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 18/34] locking/local_lock: Include missing headers Marco Elver
2025-03-04 9:21 ` [PATCH v2 19/34] locking/local_lock: Support Clang's capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 20/34] locking/ww_mutex: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 21/34] debugfs: Make debugfs_cancellation a capability struct Marco Elver
2025-03-04 9:21 ` [PATCH v2 22/34] compiler-capability-analysis: Remove Sparse support Marco Elver
2025-03-04 9:21 ` [PATCH v2 23/34] compiler-capability-analysis: Remove __cond_lock() function-like helper Marco Elver
2025-03-04 23:25 ` Bart Van Assche
2025-03-04 9:21 ` [PATCH v2 24/34] compiler-capability-analysis: Introduce header suppressions Marco Elver
2025-03-04 9:21 ` [PATCH v2 25/34] compiler: Let data_race() imply disabled capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 26/34] kfence: Enable " Marco Elver
2025-03-04 9:21 ` [PATCH v2 27/34] kcov: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 28/34] stackdepot: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 29/34] rhashtable: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 30/34] printk: Move locking annotation to printk.c Marco Elver
2025-03-04 9:21 ` [PATCH v2 31/34] drivers/tty: Enable capability analysis for core files Marco Elver
2025-03-05 9:15 ` Jiri Slaby [this message]
2025-03-05 9:26 ` Marco Elver
2025-03-04 9:21 ` [PATCH v2 32/34] security/tomoyo: Enable capability analysis Marco Elver
2025-03-04 9:21 ` [PATCH v2 33/34] crypto: " Marco Elver
2025-03-04 9:21 ` [PATCH v2 34/34] MAINTAINERS: Add entry for Capability Analysis Marco Elver
2025-03-04 23:18 ` Bart Van Assche
2025-03-04 11:21 ` [PATCH v2 00/34] Compiler-Based Capability- and Locking-Analysis Peter Zijlstra
2025-03-04 11:43 ` Marco Elver
2025-03-05 11:20 ` Peter Zijlstra
2025-03-05 15:27 ` Bart Van Assche
2025-03-05 16:16 ` Peter Zijlstra
2025-08-06 13:36 ` Marco Elver
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=569186c5-8663-43df-a01c-d543f57ce5ca@kernel.org \
--to=jirislaby@kernel.org \
--cc=arnd@arndb.de \
--cc=boqun.feng@gmail.com \
--cc=bvanassche@acm.org \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=elver@google.com \
--cc=frederic@kernel.org \
--cc=glider@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jannh@google.com \
--cc=joel@joelfernandes.org \
--cc=josh@joshtriplett.org \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=kees@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-serial@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=longman@redhat.com \
--cc=luc.vanoostenryck@gmail.com \
--cc=mark.rutland@arm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mingo@kernel.org \
--cc=morbo@google.com \
--cc=nathan@kernel.org \
--cc=neeraj.upadhyay@kernel.org \
--cc=ojeda@kernel.org \
--cc=paulmck@kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peterz@infradead.org \
--cc=rcu@vger.kernel.org \
--cc=rostedt@goodmis.org \
--cc=takedakn@nttdata.co.jp \
--cc=tglx@linutronix.de \
--cc=urezki@gmail.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).