On Thu, 6 Feb 2025 at 22:29, Bart Van Assche wrote:
>
> On 2/6/25 10:10 AM, Marco Elver wrote:
> > @@ -243,15 +243,18 @@ const volatile void * __must_check_fn(const volatile
> > void *val)
> > #define DEFINE_CLASS(_name, _type, _exit, _init, _init_args...)
> > \
> > typedef _type
On 2/6/25 10:10 AM, Marco Elver wrote:
@@ -243,15 +243,18 @@ const volatile void * __must_check_fn(const volatile void
*val)
#define DEFINE_CLASS(_name, _type, _exit, _init, _init_args...)
\
typedef _type class_##_name##_t; \
static inlin
On 2/6/25 10:09 AM, Marco Elver wrote:
+/* Sparse context/lock checking support. */
+# define __must_hold(x)__attribute__((context(x,1,1)))
+# define __acquires(x) __attribute__((context(x,0,1)))
+# define __cond_acquires(x)__attribute__((context(x,0,-1)))
+# define __
On Thu, Oct 17, 2024 at 09:55:10AM -0600, Eric Snowberg wrote:
> Add two new fields in public_key_signature to track the intended usage of
> the signature. Also add a flag for the revocation pass. During signature
> validation, two verifications can take place for the same signature. One
> to se
On Thu, 6 Feb 2025 at 19:40, Bart Van Assche wrote:
>
> On 2/6/25 10:09 AM, Marco Elver wrote:
> > +/* Sparse context/lock checking support. */
> > +# define __must_hold(x) __attribute__((context(x,1,1)))
> > +# define __acquires(x) __attribute__((context(x,0,1)))
> > +#
Including into an empty TU will result in the
compiler complaining:
./include/linux/bit_spinlock.h:34:4: error: call to undeclared function
'cpu_relax'; <...>
34 | cpu_relax();
| ^
1 error generated.
Include to allow including bit_spinlo
Enable capability analysis for the KFENCE subsystem.
Notable, kfence_handle_page_fault() required minor restructure, which
also fixed a subtle race; arguably that function is more readable now.
Signed-off-by: Marco Elver
---
mm/kfence/Makefile | 2 ++
mm/kfence/core.c| 24
Enable capability analysis for rhashtable, which was used as an initial
test as it contains a combination of RCU, mutex, and bit_spinlock usage.
Users of rhashtable now also benefit from annotations on the API, which
will now warn if the RCU read lock is not held where required.
Signed-off-by: Ma
Enable capability analysis for stackdepot.
Signed-off-by: Marco Elver
---
lib/Makefile | 1 +
lib/stackdepot.c | 24 ++--
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/lib/Makefile b/lib/Makefile
index 1dbb59175eb0..f40ba93c9a94 100644
--- a/lib/Makefil
Enable capability analysis for the KCOV subsystem.
Signed-off-by: Marco Elver
---
kernel/Makefile | 2 ++
kernel/kcov.c | 40 +---
2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 87866b037fbe..7e3
Add support for Clang's capability analysis for rw_semaphore.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/rwsem.h | 56 +---
lib/test_capability-analysis.c| 64 +++
3 files
When compiling include/linux/debugfs.h with CAPABILITY_ANALYSIS enabled,
we can see this error:
./include/linux/debugfs.h:239:17: error: use of undeclared identifier
'cancellation'
239 | void __acquires(cancellation)
Move the __acquires(..) attribute after the declaration, so that the
compiler
Add support for Clang's capability analysis for local_lock_t.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/local_lock.h| 18
include/linux/local_lock_internal.h | 41 ++---
lib/test_capabili
Mark functions that conditionally acquire the passed lock.
Signed-off-by: Marco Elver
---
include/linux/kref.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/kref.h b/include/linux/kref.h
index 88e82ab1367c..c1bd26936f41 100644
--- a/include/linux/kref.h
+++ b/include/linux/
Add support for Clang's capability analysis for SRCU.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/srcu.h | 61 +--
lib/test_capability-analysis.c| 24
3 files changed, 66 ins
The annotations for bit_spinlock.h have simply been using "bitlock" as
the token. For Sparse, that was likely sufficient in most cases. But
Clang's capability analysis is more precise, and we need to ensure we
can distinguish different bitlocks.
To do so, add a token capability, and a macro __bitl
Improve the existing annotations to properly support Clang's capability
analysis.
The old annotations distinguished between RCU, RCU_BH, and RCU_SCHED.
However, it does not make sense to acquire rcu_read_lock_bh() after
rcu_read_lock() - annotate the _bh() and _sched() variants to also
acquire 'RC
Add support for Clang's capability analysis for seqlock_t.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/seqlock.h | 24 +++
include/linux/seqlock_types.h | 5 ++-
lib/test_capability-analysis.c
Add support for Clang's capability analysis for raw_spinlock_t,
spinlock_t, and rwlock. This wholesale conversion is required because
all three of them are interdependent.
To avoid warnings in constructors, the initialization functions mark a
capability as acquired when initialized before guarded
Add support for Clang's capability analysis for mutex.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/mutex.h | 29 +
include/linux/mutex_types.h | 4 +-
lib/test_capability-analysis.c
Clang's capability analysis can be made aware of functions that assert
that capabilities/locks are held.
Presence of these annotations causes the analysis to assume the
capability is held after calls to the annotated function, and avoid
false positives with complex control-flow; for example, where
While Sparse is oblivious to the return value of conditional acquire
functions, Clang's capability analysis needs to know the return value
which indicates successful acquisition.
Add the additional argument, and convert existing uses.
No functional change intended.
Signed-off-by: Marco Elver
--
Warn about applications of capability_unsafe() without a comment, to
encourage documenting the reasoning behind why it was deemed safe.
Signed-off-by: Marco Elver
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
i
Due to the scoped cleanup helpers used for lock guards wrapping
acquire/release around their own constructors/destructors that store
pointers to the passed locks in a separate struct, we currently cannot
accurately annotate *destructors* which lock was released. While it's
possible to annotate the
Adds documentation in Documentation/dev-tools/capability-analysis.rst,
and adds it to the index and cross-references from Sparse's document.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 147 ++
Documentation/dev-tools/index.rst | 1
Add a simple test stub where we will add common supported patterns that
should not generate false positive of each new supported capability.
Signed-off-by: Marco Elver
---
lib/Kconfig.debug | 14 ++
lib/Makefile | 3 +++
lib/test_capability-analysis.c
Capability analysis is a C language extension, which enables statically
checking that user-definable "capabilities" are acquired and released where
required. An obvious application is lock-safety checking for the kernel's
various synchronization primitives (each of which represents a "capability"),
Just like the pairing of attribute __acquires() with a matching
function-like macro __acquire(), the attribute __cond_acquires() should
have a matching function-like macro __cond_acquire().
To be consistent, rename __cond_lock() to __cond_acquire().
Signed-off-by: Marco Elver
---
drivers/net/wi
The conditional definition of lock checking macros and attributes is
about to become more complex. Factor them out into their own header for
better readability, and to make it obvious which features are supported
by which mode (currently only Sparse). This is the first step towards
generalizing tow
[ Note: Bart and I had concurrently been working on bringing Clang's
-Wthread-safety to the kernel:
https://lore.kernel.org/all/20250206175114.1974171-1-bvanass...@acm.org/
Having both RFCs out should hopefully provide a good picture on these
design points and trade-offs - the approaches
30 matches
Mail list logo
