Re: [PATCH 2/2] fs: nfs: dir.c: Fix sparse error

From: Paul E. McKenney
Date: Fri Dec 06 2019 - 11:02:43 EST


On Fri, Dec 06, 2019 at 08:46:40PM +0530, madhuparnabhowmik04@xxxxxxxxx wrote:
> From: Madhuparna Bhowmik <madhuparnabhowmik04@xxxxxxxxx>
>
> This patch fixes the following errors:
> fs/nfs/dir.c:2353:14: error: incompatible types in comparison expression (different address spaces):
> fs/nfs/dir.c:2353:14: struct list_head [noderef] <asn:4> *
> fs/nfs/dir.c:2353:14: struct list_head *
>
> caused due to directly accessing the prev pointer of
> a RCU protected list.
> Accessing the pointer using the macro list_prev_rcu() fixes this error.
>
> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@xxxxxxxxx>
> ---
> fs/nfs/dir.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
> index e180033e35cf..2035254cc283 100644
> --- a/fs/nfs/dir.c
> +++ b/fs/nfs/dir.c
> @@ -2350,7 +2350,7 @@ static int nfs_access_get_cached_rcu(struct inode *inode, const struct cred *cre
> rcu_read_lock();
> if (nfsi->cache_validity & NFS_INO_INVALID_ACCESS)
> goto out;
> - lh = rcu_dereference(nfsi->access_cache_entry_lru.prev);
> + lh = rcu_dereference(list_prev_rcu(&nfsi->access_cache_entry_lru));

And as noted in the earlier email, what is preventing concurrent
insertions into and deletions from this list?

o This use of list_move_tail() is OK because it does not poison.
Though it isn't being all that friendly to lockless access to
->prev -- no WRITE_ONCE() in list_move_tail().

o The use of list_add_tail() is not safe with RCU readers, though
they do at least partially compensate via use of smp_wmb()
in nfs_access_add_cache() before calling nfs_access_add_rbtree().

o The list_del() near the end of nfs_access_add_rbtree() will
poison the ->prev pointer. I don't see how this is safe given the
possibility of a concurrent call to nfs_access_get_cached_rcu().

> cache = list_entry(lh, struct nfs_access_entry, lru);
> if (lh == &nfsi->access_cache_entry_lru ||
> cred != cache->cred)

And a few lines below here, it really does dereference the pointer
obtained from ->prev!

So how to really fix this? Here is one possibility, but we of course
need to get the NFS developers' and maintainers' thoughts:

o Create a list that is safe for bidirectional RCU traversal.
This can use list_head, and would need these functions,
give or take the exact names:

list_add_tail_rcuprev(): This is like list_add_tail_rcu(),
but also has smp_store_release() for ->prev. (As in there is
also a __list_add_rcuprev() helper that actually contains the
additional smp_store_release().)

list_del_rcuprev(): This can be exactly __list_del_entry(),
but with the assignment to ->prev in __list_del() becoming
WRITE_ONCE(). And it looks like callers to __list_del_entry()
and __list_del() might need some attention! And these might
result in additional users of *_rcuprev().

list_prev_rcu() as in your first patch, but with READ_ONCE().
Otherwise DEC Alpha can fail. And more subtle compiler issues
can appear on other architectures.

Note that list_move_tail() will be OK give or take *_ONCE().
It might be better to define a list_move_tail_rcuprev(), given
the large number of users of list_move_tail() -- some of these
users might not like even the possibility of added overhead due
to volatile accesses. ;-)

Or am I missing something subtle here?

Thanx, Paul