Re: [PATCH v3 3/4] uaccess: Check no rescheduling function is called in unsafe region

From: Julien Thierry
Date: Tue Feb 12 2019 - 04:15:21 EST




On 11/02/2019 13:51, Peter Zijlstra wrote:
> On Mon, Feb 11, 2019 at 02:45:27PM +0100, Ingo Molnar wrote:
>>> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
>>> index a674c7db..b1bb7e9 100644
>>> --- a/kernel/sched/core.c
>>> +++ b/kernel/sched/core.c
>>> @@ -3289,6 +3289,14 @@ static inline void schedule_debug(struct task_struct *prev)
>>> __schedule_bug(prev);
>>> preempt_count_set(PREEMPT_DISABLED);
>>> }
>>> +
>>> + if (IS_ENABLED(CONFIG_DEBUG_UACCESS_SLEEP) &&
>>> + unlikely(unsafe_user_region_active())) {
>>> + printk(KERN_ERR "BUG: scheduling while user_access enabled: %s/%d/0x%08x\n",
>>> + prev->comm, prev->pid, preempt_count());
>>> + dump_stack();
>>> + }
>>> +
>>> rcu_sleep_check();
>>>
>>> profile_hit(SCHED_PROFILING, __builtin_return_address(0));
>>> @@ -6151,6 +6159,20 @@ void ___might_sleep(const char *file, int line, int preempt_offset)
>>> EXPORT_SYMBOL(___might_sleep);
>>> #endif
>>>
>>> +#ifdef CONFIG_DEBUG_UACCESS_SLEEP
>>> +void __might_resched(const char *file, int line)
>>> +{
>>> + if (!unsafe_user_region_active())
>>> + return;
>>
>> Could you please more clearly explain why you want/need an exception from
>> the __might_resched() debug warning?

So, the scenarios I'm trying to avoid are of the following flavour:

if (user_access_begin(ptr, size)) {

[...]

// Calling a function that might call schedule()

[...]
user_access_end();
}


The thing is, as I understand, not all function that call schedule() are
annotated with might_resched(), and on the other hand, not every time we
call a function that might_resched() will it call schedule().

Now with Peter's remark I think I might have been overzealous.

>
> In specific; how is the addition in schedule_debug() not triggering on
> PREEMPT=y kernels?
>
> If code is preemptible, you can (get) schedule(d). If it is not
> preemptible; you do not need these additional tests.
>

Yes that sounds right, might_resched() only potentially reschedules if
in a suitable context, so best case I issue two warnings, worst case I
actually be warn when the caller took care to disable preemption or
interrupts before calling a might_resched().

I guess I got a bit confused with might_sleep() which is "if you call
this in the wrong context I warn" whereas might_resched() is just "if
you call this in preemptible context, lets resched".

I guess I'll drop the might_resched() part of this patch if that sounds
alright.

Thanks,

--
Julien Thierry