Re: C aggregate passing (Rust kernel policy)
From: David Laight
Date: Thu Feb 27 2025 - 15:47:38 EST
On Wed, 26 Feb 2025 17:35:34 -0500
Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> On Wed, 26 Feb 2025 14:22:26 -0800
> Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> > > But if I used:
> > >
> > > if (global > 1000)
> > >         goto out;
> > > x = global;
> >
> > which can have the TOCTOU issue because 'global' is read twice.
>
> Correct, but if the variable had some other protection, like a lock held
> when this function was called, it is fine to do and the compiler may
> optimize it or not and still have the same result.
>
> I guess you can sum this up to:
>
> The compiler should never assume it's safe to read a global more than the
> code specifies, but if the code reads a global more than once, it's fine
> to cache the multiple reads.
>
> Same for writes, but I find WRITE_ONCE() used less often than READ_ONCE().
> And when I do use it, it is more to prevent write tearing as you mentioned.
Except that (IIRC) it is actually valid for the compiler to write something
entirely unrelated to a memory location before writing the expected value.
(e.g. use it instead of stack for a register spill+reload.)
Not that gcc does that - but the standard lets it do it.
David
>
> -- Steve
>
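The double-read TOCTOU pattern and the single-snapshot alternative from this thread, written out as an added example (this is not code from the thread, the kernel, or any of the participants). The READ_ONCE()/WRITE_ONCE() macros here are a simplified stand-in for the kernel's own (a plain volatile cast, no tearing checks), and `between_reads_hook` is a hypothetical hook that lets the example model "another CPU stores to `global` between the two loads" deterministically; real code has no such hook, and the function call also acts as a compiler barrier, which is exactly what guarantees the second read is not merged with the first.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's READ_ONCE()/WRITE_ONCE(): a volatile
 * access forces exactly one full-width load/store at this point and stops the
 * compiler from merging, splitting, or re-issuing it. The kernel versions add
 * checks this example omits. */
#define READ_ONCE(x)      (*(const volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v)  (*(volatile __typeof__(x) *)&(x) = (v))

#define LIMIT 1000u

/* The shared variable discussed in the thread. */
unsigned int global;

/* Hypothetical hook (assumption, not kernel API): models a concurrent writer
 * that runs in the window between the check and the use. The call is also an
 * opaque function call, so the compiler cannot cache the first load across it. */
void (*between_reads_hook)(void) = NULL;

static void maybe_interleave(void)
{
	if (between_reads_hook)
		between_reads_hook();
}

/* A writer that stores past the limit using WRITE_ONCE() so the store is a
 * single, untorn write. Installed into the hook by the test / main(). */
void bump_global_past_limit(void)
{
	WRITE_ONCE(global, 5000u);
}

/* The pattern from the thread: check 'global', then read it again. Without a
 * lock, the second load can observe a value the bounds check never saw.
 * Returns the value that ends up being used, or -1 for the "goto out" path. */
long check_then_reload(void)
{
	if (global > LIMIT)	/* first load */
		return -1;	/* out: */
	maybe_interleave();	/* race window */
	return (long)global;	/* second load: may now be > LIMIT */
}

/* Snapshot once with READ_ONCE() into a local and use only the local: the
 * value acted on is always the value that was checked, lock or no lock. */
long snapshot_then_use(void)
{
	unsigned int x = READ_ONCE(global);

	if (x > LIMIT)
		return -1;
	maybe_interleave();	/* a writer here cannot change 'x' */
	return (long)x;
}

int main(void)
{
	global = 10;
	between_reads_hook = NULL;
	printf("no writer:   reload=%ld snapshot=%ld\n",
	       check_then_reload(), snapshot_then_use());

	global = 10;
	between_reads_hook = bump_global_past_limit;
	printf("with writer: reload=%ld (used an unchecked value)\n",
	       check_then_reload());
	global = 10;
	printf("with writer: snapshot=%ld (used the checked value)\n",
	       snapshot_then_use());
	return 0;
}
```

The point Steve makes survives here: if the caller holds a lock that excludes the writer (the hook is NULL), both versions behave identically whether or not the compiler merges the two loads. Only when a writer can actually run in the window does it matter that the code reads `global` twice, and the fix is a single snapshot, not a second READ_ONCE().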