Re: [RFC PATCH v2] cleanup: Add cond_guard() to conditional guards

From: Dan Williams
Date: Tue Jan 30 2024 - 12:03:16 EST

Next message: syzbot: "[syzbot] [pvrusb2?] KASAN: slab-use-after-free Read in pvr2_context_set_notify (2)"
Previous message: Conor Dooley: "Re: [PATCH v1 2/4] dt-bindings: can: Add bindings for CAST CAN Controller"
In reply to: Fabio M. De Francesco: "[RFC PATCH v2] cleanup: Add cond_guard() to conditional guards"
Next in thread: Fabio M. De Francesco: "Re: [RFC PATCH v2] cleanup: Add cond_guard() to conditional guards"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fabio M. De Francesco wrote:
> Add cond_guard() to conditional guards.
>
> cond_guard() is used for the _interruptible(), _killable(), and _try
> versions of locks. It expects a block where the failure can be handled
> (e.g., calling printk() and returning -EINTR in case of failure).
>
> As the other guards, it avoids to open code the release of the lock
> after a goto to an 'out' label.
>
> This remains an RFC because Dan suggested a slightly different syntax:
>
> if (cond_guard(...))
> return -EINTR;
>
> But the scoped_cond_guard() macro omits the if statement:
>
> scoped_cond_guard (...) {
> }
>
> Thus define cond_guard() similarly to scoped_cond_guard() but with a block
> to handle the failure case:
>
> cond_guard(...)
> return -EINTR;

That's too subtle for me, because of the mistakes that can be made with
brackets how about a syntax like:

cond_guard(..., return -EINTR, ...)

..to make it clear what happens if the lock acquisition fails without
having to remember there is a hidden incomplete "if ()" statement in
that macro? More below...

>
> Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
> Cc: Dan Williams <dan.j.williams@xxxxxxxxx>
> Suggested-by: Ira Weiny <ira.weiny@xxxxxxxxx>
> Signed-off-by: Fabio M. De Francesco <fabio.maria.de.francesco@xxxxxxxxxxxxxxx>
> ---
> drivers/cxl/core/region.c | 17 +++++------------
> include/linux/cleanup.h | 13 +++++++++++++
> 2 files changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/drivers/cxl/core/region.c b/drivers/cxl/core/region.c
> index 0f05692bfec3..20d405f01df5 100644
> --- a/drivers/cxl/core/region.c
> +++ b/drivers/cxl/core/region.c
> @@ -666,28 +666,21 @@ static size_t show_targetN(struct cxl_region *cxlr, char *buf, int pos)
> {
> struct cxl_region_params *p = &cxlr->params;
> struct cxl_endpoint_decoder *cxled;
> - int rc;
>
> - rc = down_read_interruptible(&cxl_region_rwsem);
> - if (rc)
> - return rc;
> + cond_guard(rwsem_read_intr, &cxl_region_rwsem)
> + return -EINTR;
>
> if (pos >= p->interleave_ways) {
> dev_dbg(&cxlr->dev, "position %d out of range %d\n", pos,
> p->interleave_ways);
> - rc = -ENXIO;
> - goto out;
> + return -ENXIO;
> }
>
> cxled = p->targets[pos];
> if (!cxled)
> - rc = sysfs_emit(buf, "\n");
> + return sysfs_emit(buf, "\n");
> else
> - rc = sysfs_emit(buf, "%s\n", dev_name(&cxled->cxld.dev));
> -out:
> - up_read(&cxl_region_rwsem);
> -
> - return rc;
> + return sysfs_emit(buf, "%s\n", dev_name(&cxled->cxld.dev));
> }
>
> static int match_free_decoder(struct device *dev, void *data)
> diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h
> index c2d09bc4f976..fc850e61a47e 100644
> --- a/include/linux/cleanup.h
> +++ b/include/linux/cleanup.h
> @@ -134,6 +134,15 @@ static inline class_##_name##_t class_##_name##ext##_constructor(_init_args) \
> * an anonymous instance of the (guard) class, not recommended for
> * conditional locks.
> *
> + * cond_guard(_name, args...):
> + * for conditional locks like mutex_trylock() or down_read_interruptible().
> + * It expects a block for handling errors like in the following example:
> + *
> + * cond_guard(rwsem_read_intr, &my_sem) {
> + * printk(KERN_NOTICE "Try failure in work0()\n");
> + * return -EINTR;
> + * }
> + *
> * scoped_guard (name, args...) { }:
> * similar to CLASS(name, scope)(args), except the variable (with the
> * explicit name 'scope') is declard in a for-loop such that its scope is
> @@ -165,6 +174,10 @@ static inline class_##_name##_t class_##_name##ext##_constructor(_init_args) \
>
> #define __guard_ptr(_name) class_##_name##_lock_ptr
>
> +#define cond_guard(_name, args...) \
> + CLASS(_name, scope)(args); \
> + if (!__guard_ptr(_name)(&scope))

This needs to protect against being used within another if () block.
Imagine a case of:

if (...) {
cond_guard(...);
<statement>
} else if (...)

..does that "else if" belong to the first "if ()" or the hidden one
inside the macro?

You can steal the embedded "if ()" trick from scoped_cond_guard() and do
something like (untested):

#define cond_guard(_name, _fail, args...) \
CLASS(_name, scope)(args); \
if (!__guard_ptr(_name)(&scope)) _fail; else /* pass */;

Next message: syzbot: "[syzbot] [pvrusb2?] KASAN: slab-use-after-free Read in pvr2_context_set_notify (2)"
Previous message: Conor Dooley: "Re: [PATCH v1 2/4] dt-bindings: can: Add bindings for CAST CAN Controller"
In reply to: Fabio M. De Francesco: "[RFC PATCH v2] cleanup: Add cond_guard() to conditional guards"
Next in thread: Fabio M. De Francesco: "Re: [RFC PATCH v2] cleanup: Add cond_guard() to conditional guards"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]