| Message ID | 20240812115945.484051-3-ubizjak@gmail.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | Enable strict percpu address space checks | expand |
On Mon, Aug 12, 2024 at 9:09 PM Nadav Amit <nadav.amit@gmail.com> wrote: > > > > On 12 Aug 2024, at 14:57, Uros Bizjak <ubizjak@gmail.com> wrote: > > Assorted fixes to prevent defconfig build failures when > > strict percpu address space checks will be enabled. > > > > These show effeciveness of strict percpu address space checks. > > [snip] > > > --- a/drivers/base/devres.c > > +++ b/drivers/base/devres.c > > @@ -1231,6 +1231,6 @@ void devm_free_percpu(struct device *dev, void __percpu *pdata) > > * devm_free_pages() does. > > */ > > WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, > > - (__force void *)pdata)); > > + (__force void *)(uintptr_t)pdata)); > > > > Since this pattern of casting appears multiple times (sometimes slightly > different), I think it would be best to give a name for this operation > and put it behind a macro. The macro would not be flexible enough to also cover const qualified (const void __percpu *)(const uintptr_t) casts, required in e.g. [1]. [1] https://lore.kernel.org/lkml/20240811161414.56744-1-ubizjak@gmail.com/ Also, some casts are decorated with __force. According to sparse documentation [2], there is no need to use __force when the destination type is uintptr_t or unsigned long, but sparse seems to not be consistent with this exception, leading to spurious warnings and fixes like the one in [3]. [2] https://sparse.docs.kernel.org/en/latest/annotations.html#address-space-name [3] https://lore.kernel.org/lkml/20240402175058.52649-1-ubizjak@gmail.com/ OTOH, in a full allyesconfig this pattern of casting appears maybe a dozen of times (which is a surprisingly small number). > This would allow both to audit the cases developers move data between > address-spaces, and also make them think whether what they do makes > sense. Looking through the fixes required for allyesconfig build, the remaining couple of casts are mostly required for ERR_PTR return with __percpu return type function, like: --cut here-- diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c index 6c2cb4e4f48d..d82fe78f0658 100644 --- a/kernel/events/hw_breakpoint.c +++ b/kernel/events/hw_breakpoint.c @@ -849,7 +849,7 @@ register_wide_hw_breakpoint(struct perf_event_attr *attr, cpu_events = alloc_percpu(typeof(*cpu_events)); if (!cpu_events) - return (void __percpu __force *)ERR_PTR(-ENOMEM); + return (void __percpu __force *)(uintptr_t)ERR_PTR(-ENOMEM); cpus_read_lock(); for_each_online_cpu(cpu) { @@ -868,7 +868,7 @@ register_wide_hw_breakpoint(struct perf_event_attr *attr, return cpu_events; unregister_wide_hw_breakpoint(cpu_events); - return (void __percpu __force *)ERR_PTR(err); + return (void __percpu __force *)(uintptr_t)ERR_PTR(err); } EXPORT_SYMBOL_GPL(register_wide_hw_breakpoint); --cut here-- While the casts are somehow ugly, I think that the number of different types (pcpu -> generic and generic -> pcpu casts with possible const qualifier and still needed __force sparse attribute) and low number of occurrences currently do not warrant a separate macro. Uros.
diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c index a817ed0724d1..f5d6ad351cc4 100644 --- a/arch/x86/kernel/head64.c +++ b/arch/x86/kernel/head64.c @@ -560,9 +560,10 @@ void early_setup_idt(void) void __head startup_64_setup_gdt_idt(void) { void *handler = NULL; + struct desc_struct *gdt = (struct desc_struct *)(uintptr_t)init_per_cpu_var(gdt_page.gdt); struct desc_ptr startup_gdt_descr = { - .address = (unsigned long)&RIP_REL_REF(init_per_cpu_var(gdt_page.gdt)), + .address = (unsigned long)&RIP_REL_REF(*gdt), .size = GDT_SIZE - 1, }; diff --git a/drivers/base/devres.c b/drivers/base/devres.c index a2ce0ead06a6..894f5a1e6d18 100644 --- a/drivers/base/devres.c +++ b/drivers/base/devres.c @@ -1231,6 +1231,6 @@ void devm_free_percpu(struct device *dev, void __percpu *pdata) * devm_free_pages() does. */ WARN_ON(devres_release(dev, devm_percpu_release, devm_percpu_match, - (__force void *)pdata)); + (__force void *)(uintptr_t)pdata)); } EXPORT_SYMBOL_GPL(devm_free_percpu); diff --git a/fs/aio.c b/fs/aio.c index 6066f64967b3..e8920178b50f 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -100,7 +100,7 @@ struct kioctx { unsigned long user_id; - struct __percpu kioctx_cpu *cpu; + struct kioctx_cpu __percpu *cpu; /* * For percpu reqs_available, number of slots we move to/from global diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h index d9e613803df1..f7e1158cbacf 100644 --- a/include/linux/cleanup.h +++ b/include/linux/cleanup.h @@ -154,7 +154,7 @@ static inline class_##_name##_t class_##_name##ext##_constructor(_init_args) \ #define DEFINE_GUARD(_name, _type, _lock, _unlock) \ DEFINE_CLASS(_name, _type, if (_T) { _unlock; }, ({ _lock; _T; }), _type _T); \ static inline void * class_##_name##_lock_ptr(class_##_name##_t *_T) \ - { return *_T; } + { return (void *)(uintptr_t)*_T; } #define DEFINE_GUARD_COND(_name, _ext, _condlock) \ EXTEND_CLASS(_name, _ext, \ @@ -211,7 +211,7 @@ static inline void class_##_name##_destructor(class_##_name##_t *_T) \ \ static inline void *class_##_name##_lock_ptr(class_##_name##_t *_T) \ { \ - return _T->lock; \ + return (void *)(uintptr_t)_T->lock; \ } diff --git a/include/linux/prandom.h b/include/linux/prandom.h index f7f1e5251c67..f2ed5b72b3d6 100644 --- a/include/linux/prandom.h +++ b/include/linux/prandom.h @@ -10,6 +10,7 @@ #include <linux/types.h> #include <linux/once.h> +#include <linux/percpu.h> #include <linux/random.h> struct rnd_state { diff --git a/kernel/events/hw_breakpoint.c b/kernel/events/hw_breakpoint.c index 6c2cb4e4f48d..d82fe78f0658 100644 --- a/kernel/events/hw_breakpoint.c +++ b/kernel/events/hw_breakpoint.c @@ -849,7 +849,7 @@ register_wide_hw_breakpoint(struct perf_event_attr *attr, cpu_events = alloc_percpu(typeof(*cpu_events)); if (!cpu_events) - return (void __percpu __force *)ERR_PTR(-ENOMEM); + return (void __percpu __force *)(uintptr_t)ERR_PTR(-ENOMEM); cpus_read_lock(); for_each_online_cpu(cpu) { @@ -868,7 +868,7 @@ register_wide_hw_breakpoint(struct perf_event_attr *attr, return cpu_events; unregister_wide_hw_breakpoint(cpu_events); - return (void __percpu __force *)ERR_PTR(err); + return (void __percpu __force *)(uintptr_t)ERR_PTR(err); } EXPORT_SYMBOL_GPL(register_wide_hw_breakpoint); diff --git a/kernel/workqueue.c b/kernel/workqueue.c index 1745ca788ede..32729a2e93af 100644 --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -377,7 +377,7 @@ struct workqueue_struct { /* hot fields used during command issue, aligned to cacheline */ unsigned int flags ____cacheline_aligned; /* WQ: WQ_* flags */ - struct pool_workqueue __percpu __rcu **cpu_pwq; /* I: per-cpu pwqs */ + struct pool_workqueue __rcu * __percpu *cpu_pwq; /* I: per-cpu pwqs */ struct wq_node_nr_active *node_nr_active[]; /* I: per-node nr_active */ }; diff --git a/lib/percpu_counter.c b/lib/percpu_counter.c index 51bc5246986d..3d0613ac7e73 100644 --- a/lib/percpu_counter.c +++ b/lib/percpu_counter.c @@ -209,7 +209,7 @@ int __percpu_counter_init_many(struct percpu_counter *fbc, s64 amount, INIT_LIST_HEAD(&fbc[i].list); #endif fbc[i].count = amount; - fbc[i].counters = (void *)counters + (i * counter_size); + fbc[i].counters = (void __percpu *)counters + (i * counter_size); debug_percpu_counter_activate(&fbc[i]); } diff --git a/net/core/dev.c b/net/core/dev.c index 751d9b70e6ad..5cad88cf029c 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -10860,7 +10860,7 @@ noinline void netdev_core_stats_inc(struct net_device *dev, u32 offset) return; } - field = (__force unsigned long __percpu *)((__force void *)p + offset); + field = (unsigned long __percpu *)(void __percpu *)(p + offset); this_cpu_inc(*field); } EXPORT_SYMBOL_GPL(netdev_core_stats_inc);
Assorted fixes to prevent defconfig build failures when strict percpu address space checks will be enabled. These show effeciveness of strict percpu address space checks. Signed-off-by: Uros Bizjak <ubizjak@gmail.com> Cc: Dennis Zhou <dennis@kernel.org> Cc: Tejun Heo <tj@kernel.org> Cc: Christoph Lameter <cl@linux.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Ingo Molnar <mingo@kernel.org> Cc: Nadav Amit <nadav.amit@gmail.com> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Borislav Petkov <bp@alien8.de> Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com> --- arch/x86/kernel/head64.c | 3 ++- drivers/base/devres.c | 2 +- fs/aio.c | 2 +- include/linux/cleanup.h | 4 ++-- include/linux/prandom.h | 1 + kernel/events/hw_breakpoint.c | 4 ++-- kernel/workqueue.c | 2 +- lib/percpu_counter.c | 2 +- net/core/dev.c | 2 +- 9 files changed, 12 insertions(+), 10 deletions(-)