On Wed, 5 Mar 2025 at 10:15, Jiri Slaby wrote:
>
> On 04. 03. 25, 10:21, Marco Elver wrote:
> > Enable capability analysis for drivers/tty/*.
> >
> > This demonstrates a larger conversion to use Clang's capability
> > analysis. The benefit is additional static c
On Wed, Mar 05, 2025 at 11:36AM +0300, Dan Carpenter wrote:
> On Tue, Mar 04, 2025 at 10:21:00AM +0100, Marco Elver wrote:
> > +#ifndef _LINUX_COMPILER_CAPABILITY_ANALYSIS_H
> > +#define _LINUX_COMPILER_CAPABILITY_ANALYSIS_H
> > +
> > +#ifdef __CHECKER__
> > +
>
On Wed, 5 Mar 2025 at 00:52, Bart Van Assche wrote:
>
> On 3/4/25 1:21 AM, Marco Elver wrote:
> > +#include
> > +
> > +/*
> > + * Test that helper macros work as expected.
> > + */
> > +static void __used test_common_helpers(void)
> > +{
On Tue, 4 Mar 2025 at 16:29, Peter Zijlstra wrote:
>
> On Tue, Mar 04, 2025 at 10:21:01AM +0100, Marco Elver wrote:
>
> > +# define __asserts_cap(var)
> > __attribute__((assert_capability(var)))
> > +# define __asserts_shared_cap(var)
On Tue, 4 Mar 2025 at 13:55, Peter Zijlstra wrote:
>
> On Tue, Mar 04, 2025 at 10:21:05AM +0100, Marco Elver wrote:
> > Due to the scoped cleanup helpers used for lock guards wrapping
> > acquire/release around their own constructors/destructors that store
> > pointers
On Tue, 4 Mar 2025 at 12:21, Peter Zijlstra wrote:
>
> On Tue, Mar 04, 2025 at 10:20:59AM +0100, Marco Elver wrote:
>
> > === Initial Uses ===
> >
> > With this initial series, the following synchronization primitives are
> > supported: `raw_spinlock_t`,
version to version 20+.
With this in place, we can start enabling the analysis on more complex
subsystems in subsequent changes.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 ++
lib/Kconfig.debug | 4 ++-
scripts/Makefile.capability
Add support for Clang's capability analysis for mutex.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/mutex.h | 29 +
include/linux/mutex_types.h | 4 +-
lib/test_capability-analy
Signed-off-by: Marco Elver
---
v2:
* New patch.
---
.../dev-tools/capability-analysis.rst | 2 -
Documentation/mm/process_addrs.rst| 6 +-
.../net/wireless/intel/iwlwifi/iwl-trans.c| 4 +-
.../net/wireless/intel/iwlwifi/iwl-trans.h| 6 +-
.../wireless/intel/iwlwifi
ical.
[1] https://clang.llvm.org/docs/ThreadSafetyAnalysis.html#scoped-capability
Signed-off-by: Marco Elver
---
include/linux/cleanup.h | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/include/linux/cleanup.h b/include/linux/cleanup.h
index ec00e3f7af2b..93a166549ad
obal, move
the annotation to printk.c. Capability analysis remains disabled for
printk.c.
This is needed to enable capability analysis for modules that include
.
Signed-off-by: Marco Elver
---
v2:
* New patch.
---
include/linux/console.h | 4 ++--
kernel/printk/printk.c | 2 ++
2 files
Enable capability analysis for stackdepot.
Signed-off-by: Marco Elver
---
v2:
* Remove disable/enable_capability_analysis() around headers.
---
lib/Makefile | 1 +
lib/stackdepot.c | 20 ++--
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/lib/Makefile b/lib
Add entry for all new files added for Clang's capability analysis.
Signed-off-by: Marco Elver
Cc: Bart Van Assche
---
MAINTAINERS | 11 +++
1 file changed, 11 insertions(+)
diff --git a/MAINTAINERS b/MAINTAINERS
index 8e0736dc2ee0..cf9bf14f99b9 100644
--- a/MAINTAINERS
= NULL;
For which Tetsuo writes:
"Good catch. This should be data_race(), for tomoyo_write_control()
might concurrently update head->write_buf from non-NULL to non-NULL
with head->io_sem held."
Signed-off-by: Marco Elver
Cc: Kentaro Takeda
Cc: Tetsuo Handa
---
v2:
Enable capability analysis for drivers/tty/*.
This demonstrates a larger conversion to use Clang's capability
analysis. The benefit is additional static checking of locking rules,
along with better documentation.
Signed-off-by: Marco Elver
Cc: Greg Kroah-Hartman
Cc: Jiri Slaby
---
v2:
: Marco Elver
---
v2:
* Remove disable/enable_capability_analysis() around headers.
---
include/linux/rhashtable.h | 14 +++---
lib/Makefile | 2 ++
lib/rhashtable.c | 5 +++--
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/include/linux/rhashtable.h
Enable capability analysis for crypto subsystem.
This demonstrates a larger conversion to use Clang's capability
analysis. The benefit is additional static checking of locking rules,
along with better documentation.
Signed-off-by: Marco Elver
Cc: Herbert Xu
Cc: "David S. Miller"
Enable capability analysis for the KCOV subsystem.
Signed-off-by: Marco Elver
---
v2:
* Remove disable/enable_capability_analysis() around headers.
---
kernel/Makefile | 2 ++
kernel/kcov.c | 36 +---
2 files changed, 27 insertions(+), 11 deletions(-)
diff
Enable capability analysis for the KFENCE subsystem.
Notably, kfence_handle_page_fault() required a minor restructure, which
also fixed a subtle race; arguably that function is more readable now.
Signed-off-by: Marco Elver
---
v2:
* Remove disable/enable_capability_analysis() around headers
(..) macro imply capability-unsafety. The
data_race() macro already denotes the intent that something subtly
unsafe is about to happen, so it should be clear enough as-is.
Signed-off-by: Marco Elver
---
v2:
* New patch.
---
include/linux/compiler.h | 2 ++
lib/test_capability-analysis.c | 2
capability analysis makes incorrect use of the API harder.
Signed-off-by: Marco Elver
---
v2:
* New patch.
---
.../dev-tools/capability-analysis.rst | 3 +-
include/linux/ww_mutex.h | 21 --
lib/test_capability-analysis.c| 65 +++
3 fil
Add support for Clang's capability analysis for local_lock_t.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/local_lock.h| 18
include/linux/local_lock_internal.h | 41 ++---
"Luc Van Oostenryck"
Cc: Peter Zijlstra
Signed-off-by: Marco Elver
---
v2:
* New patch.
---
Documentation/dev-tools/sparse.rst | 19 ---
include/linux/compiler-capability-analysis.h | 56 ++--
include/linux/rcupdate.h | 15 +-
3 file
rst
use in this function)
33 | l->owner = current;
Include missing headers to allow including local_lock.h where the
required headers are not otherwise included.
Signed-off-by: Marco Elver
---
include/linux/local_lock_internal.h | 2 ++
1 file changed, 2 insertions(+)
diff --
o that the
compiler can see the cancellation function argument, as well as making
struct debugfs_cancellation a real capability to benefit from Clang's
capability analysis.
Signed-off-by: Marco Elver
---
include/linux/debugfs.h | 12 +---
1 file changed, 5 insertions(+), 7 deletions(-
Mark functions that conditionally acquire the passed lock.
Signed-off-by: Marco Elver
---
include/linux/kref.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/kref.h b/include/linux/kref.h
index 88e82ab1367c..9bc6abe57572 100644
--- a/include/linux/kref.h
+++ b/include/linux
Add support for Clang's capability analysis for rw_semaphore.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/rwsem.h | 56 +---
lib/test_capability-analysis.c| 64 +
Add support for Clang's capability analysis for SRCU.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/srcu.h | 61 +--
lib/test_capability-analysis.c| 24
3 files change
tended.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 3 ++-
include/linux/bit_spinlock.h | 22 +---
include/linux/list_bl.h | 2 ++
lib/test_capability-analysis.c| 26 +++
4 fi
which enforces using them to update RCU-protected
pointers marked with __rcu_guarded.
Signed-off-by: Marco Elver
---
v2:
* Reword commit message and point out re-entrancy caveat.
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/cleanup.h | 4 +
in
allow including bit_spinlock.h where
is not otherwise included.
Signed-off-by: Marco Elver
---
include/linux/bit_spinlock.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/bit_spinlock.h b/include/linux/bit_spinlock.h
index bbc4730a6505..f1174a2fcc4d 100644
--- a/include/linux/bit_
Add support for Clang's capability analysis for seqlock_t.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 2 +-
include/linux/seqlock.h | 24 +++
include/linux/seqlock_types.h | 5 ++-
lib/test_capability-analy
which
should be more intuitive.
No functional change intended.
Signed-off-by: Marco Elver
---
v2:
* Use symbolic values for __cond_acquires() and __cond_acquires_shared()
(suggested by Bart).
---
fs/dlm/lock.c| 2 +-
include/linux/compiler-capability
arded variables.
The test verifies that common patterns do not generate false positives.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 3 +-
include/linux/rwlock.h| 25 ++--
include/linux/rwlock_api_smp.h| 29 +++-
in
ample, where not all
control-flow paths in a function require a held lock, and therefore
marking the function with __must_hold(..) is inappropriate.
Signed-off-by: Marco Elver
---
include/linux/lockdep.h | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/include/linux/lock
Warn about applications of capability_unsafe() without a comment, to
encourage documenting the reasoning behind why it was deemed safe.
Signed-off-by: Marco Elver
---
scripts/checkpatch.pl | 8
1 file changed, 8 insertions(+)
diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
Adds documentation in Documentation/dev-tools/capability-analysis.rst,
and adds it to the index and cross-references from Sparse's document.
Signed-off-by: Marco Elver
---
v2:
* Remove cross-reference to Sparse, since we plan to remove Sparse
support anyway.
* Mention __no_capability_ana
Add a simple test stub where we will add common supported patterns that
should not generate false positives for each new supported capability.
Signed-off-by: Marco Elver
---
lib/Kconfig.debug | 14 ++
lib/Makefile | 3 +++
lib/test_capability-analysis.c
t changes.
A Clang version that supports -Wthread-safety-pointer is recommended,
but not required: https://github.com/llvm/llvm-project/commit/de10e44b6fe7
Signed-off-by: Marco Elver
---
v2:
* New -Wthread-safety feature renamed to -Wthread-safety-pointer (was
-Wthread-safety-addressof).
* Introdu
towards "capability analysis".
No functional change intended.
Signed-off-by: Marco Elver
---
include/linux/compiler-capability-analysis.h | 32
include/linux/compiler_types.h | 18 ++-
2 files changed, 34 insertions(+), 16 deletions(-)
create m
ems as additional examples
of larger subsystems. Where it was obvious, the __guarded_by
attribute was added to lock-guarded variables to improve coverage.
* drivers/tty
* security/tomoyo
* crypto/
RFC v1: https://lore.kernel.org/lkml/20250206181711.1902989-1-el...@google.com
On Thu, 6 Feb 2025 at 19:17, Marco Elver wrote:
[...]
> Capability analysis is a C language extension, which enables statically
> checking that user-definable "capabilities" are acquired and released where
> required. An obvious application is lock-safety checking for the
On Fri, 21 Feb 2025 at 19:52, Peter Zijlstra wrote:
>
> On Fri, Feb 21, 2025 at 10:08:06AM -0800, Paul E. McKenney wrote:
>
> > > ... unfortunately even for shared locks, the compiler does not like
> > > re-entrancy yet. It's not yet supported, and to fix that I'd have to go
> > > and implement th
On Thu, Feb 20, 2025 at 05:26PM -0800, Paul E. McKenney wrote:
[...]
> > That's what I've tried with this patch (rcu_read_lock_bh() also
> > acquires "RCU", on top of "RCU_BH"). I need to add a re-entrancy test,
> > and make sure it doesn't complain about that. At a later stage we
> > might also wa
On Thu, 20 Feb 2025 at 23:36, Paul E. McKenney wrote:
[...]
> Suppose that one function walks an RCU-protected list, calling some
> function from some other subsystem on each element. Suppose that each
> element has another RCU protected list.
>
> It would be good if the two subsystems could just
On Thu, 20 Feb 2025 at 23:00, Paul E. McKenney wrote:
>
> On Thu, Feb 06, 2025 at 07:10:09PM +0100, Marco Elver wrote:
> > Improve the existing annotations to properly support Clang's capability
> > analysis.
> >
> > The old annotations distinguished
On Mon, 10 Feb 2025 at 19:54, Bart Van Assche wrote:
>
>
> On 2/10/25 10:23 AM, Marco Elver wrote:
> > If you try to write code where you access a guarded_by variable, but
> > the lock is held not in all paths we can write it like this:
> >
> > struct bar {
>
On Mon, 10 Feb 2025 at 19:10, Bart Van Assche wrote:
>
> On 2/6/25 10:10 AM, Marco Elver wrote:
> > diff --git a/include/linux/lockdep.h b/include/linux/lockdep.h
> > index 67964dc4db95..5cea929b2219 100644
> > --- a/include/linux/lockdep.h
> > +++ b/include/linux/lo
On Fri, 7 Feb 2025 at 10:41, Peter Zijlstra wrote:
>
> On Fri, Feb 07, 2025 at 10:32:25AM +0100, Marco Elver wrote:
> > On Fri, Feb 07, 2025 at 09:28AM +0100, Peter Zijlstra wrote:
> > > On Thu, Feb 06, 2025 at 07:09:56PM +0100, Marco Elver wrote:
> > > > J
On Fri, Feb 07, 2025 at 09:28AM +0100, Peter Zijlstra wrote:
> On Thu, Feb 06, 2025 at 07:09:56PM +0100, Marco Elver wrote:
> > Just like the pairing of attribute __acquires() with a matching
> > function-like macro __acquire(), the attribute __cond_acquires() should
> > hav
On Thu, 6 Feb 2025 at 22:29, Bart Van Assche wrote:
>
> On 2/6/25 10:10 AM, Marco Elver wrote:
> > @@ -243,15 +243,18 @@ const volatile void * __must_check_fn(const volatile
> > void *val)
> > #define DEFINE_CLASS(_name, _type, _exit, _init, _init_args...)
On Thu, 6 Feb 2025 at 19:40, Bart Van Assche wrote:
>
> On 2/6/25 10:09 AM, Marco Elver wrote:
> > +/* Sparse context/lock checking support. */
> > +# define __must_hold(x) __attribute__((context(x,1,1)))
> > +# define __acquires(x) __at
Enable capability analysis for the KFENCE subsystem.
Notably, kfence_handle_page_fault() required a minor restructure, which
also fixed a subtle race; arguably that function is more readable now.
Signed-off-by: Marco Elver
---
mm/kfence/Makefile | 2 ++
mm/kfence/core.c| 24
: Marco Elver
---
include/linux/rhashtable.h | 14 +++---
lib/Makefile | 2 ++
lib/rhashtable.c | 12 +---
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h
index 8463a128e2f4..c6374691ccc7
Enable capability analysis for stackdepot.
Signed-off-by: Marco Elver
---
lib/Makefile | 1 +
lib/stackdepot.c | 24 ++--
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/lib/Makefile b/lib/Makefile
index 1dbb59175eb0..f40ba93c9a94 100644
--- a/lib
Enable capability analysis for the KCOV subsystem.
Signed-off-by: Marco Elver
---
kernel/Makefile | 2 ++
kernel/kcov.c | 40 +---
2 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/kernel/Makefile b/kernel/Makefile
index 87866b037fbe
Mark functions that conditionally acquire the passed lock.
Signed-off-by: Marco Elver
---
include/linux/kref.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/kref.h b/include/linux/kref.h
index 88e82ab1367c..c1bd26936f41 100644
--- a/include/linux/kref.h
+++ b/include/linux
warn if a pointer is dereferenced without any of the RCU locks held, or
updated without the appropriate helpers.
The primitives rcu_assign_pointer() and friends are wrapped with
capability_unsafe(), which enforces using them to update RCU-protected
pointers marked with __rcu_guarded.
Signed-off-by: Marco
While Sparse is oblivious to the return value of conditional acquire
functions, Clang's capability analysis needs to know the return value
which indicates successful acquisition.
Add the additional argument, and convert existing uses.
No functional change intended.
Signed-off-by: Marco
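The capability analysis that the RFC cover letter further down introduces ("statically checking that user-definable capabilities are acquired and released where required"), together with the point made in the commit message just above that Clang must be told which return value of a conditional-acquire function means "acquired", in one stand-alone C example. This is added here and is not code from the series or from the kernel: the macro names (CAPABILITY, GUARDED_BY, ACQUIRES, RELEASES, MUST_HOLD, COND_ACQUIRES, NO_CAPABILITY_ANALYSIS), the toy_lock and counter types and every function below are this example's own choices, mapping directly onto Clang's thread-safety attributes; the kernel's __guarded_by/__acquires/__cond_acquires macros and capability_unsafe() are not reproduced.

```c
/* Added example, not code from the series: Clang capability analysis on a toy
 * C lock.  The macro names, types and functions are this example's own. */
#include <stdbool.h>
#if defined(__clang__)
# define CAPABILITY(name)	__attribute__((capability(name)))
# define GUARDED_BY(cap)	__attribute__((guarded_by(cap)))
# define ACQUIRES(cap)		__attribute__((acquire_capability(cap)))
# define RELEASES(cap)		__attribute__((release_capability(cap)))
# define MUST_HOLD(cap)		__attribute__((requires_capability(cap)))
# define COND_ACQUIRES(ret, cap) __attribute__((try_acquire_capability(ret, cap)))
# define NO_CAPABILITY_ANALYSIS	__attribute__((no_thread_safety_analysis))
#else	/* other compilers: the annotations vanish, the code is unchanged */
# define CAPABILITY(name)
# define GUARDED_BY(cap)
# define ACQUIRES(cap)
# define RELEASES(cap)
# define MUST_HOLD(cap)
# define COND_ACQUIRES(ret, cap)
# define NO_CAPABILITY_ANALYSIS
#endif

/* Single-threaded stand-in for a lock: it only records whether it is held. */
struct CAPABILITY("mutex") toy_lock {
	bool held;
};

struct counter {
	struct toy_lock lock;
	unsigned long value GUARDED_BY(lock);	/* every access needs lock */
};

static void toy_lock_acquire(struct toy_lock *l) ACQUIRES(l)
{
	l->held = true;
}

static void toy_lock_release(struct toy_lock *l) RELEASES(l)
{
	l->held = false;
}

/* The analysis needs the "acquired" return value, cf. __cond_acquires(ret, lock). */
static bool toy_lock_try_acquire(struct toy_lock *l) COND_ACQUIRES(true, l)
{
	if (l->held)
		return false;
	l->held = true;
	return true;
}

/* Clang reports any caller that does not hold c->lock on every path. */
static void counter_add_locked(struct counter *c, unsigned long n) MUST_HOLD(&c->lock)
{
	c->value += n;
}

/* Unconditional acquire/release around the guarded update; returns the new value. */
unsigned long counter_add(struct counter *c, unsigned long n)
{
	unsigned long v;

	toy_lock_acquire(&c->lock);
	counter_add_locked(c, n);
	v = c->value;
	toy_lock_release(&c->lock);
	return v;
}

/* Conditional acquire: only the success path may touch the guarded field. */
bool counter_try_add(struct counter *c, unsigned long n)
{
	if (!toy_lock_try_acquire(&c->lock))
		return false;
	counter_add_locked(c, n);
	toy_lock_release(&c->lock);
	return true;
}

/* Lockless read; without the opt-out Clang reports "reading variable 'value'
 * requires holding mutex 'c->lock'".  Cf. capability_unsafe() in the series. */
unsigned long counter_peek(const struct counter *c) NO_CAPABILITY_ANALYSIS
{
	return c->value;
}

/* Exercises the API on a fresh counter; returns its final value, 12. */
unsigned long example_run(void)
{
	struct counter c = { .lock = { .held = false }, .value = 0 };

	if (counter_add(&c, 5) != 5)
		return 0;
	if (!counter_try_add(&c, 7))	/* uncontended: must succeed */
		return 0;
	toy_lock_acquire(&c.lock);
	if (counter_try_add(&c, 100))	/* contended: must fail without updating */
		return 0;
	toy_lock_release(&c.lock);
	return counter_peek(&c);
}
```

Compile with clang -Wthread-safety -c to see the analysis at work: adding a function that does c->value++ without taking the lock makes Clang report that writing 'value' requires holding mutex 'c->lock' exclusively, and dropping the return-value argument from COND_ACQUIRES makes the success path of counter_try_add invisible to it, which is exactly the gap the extra __cond_acquires() argument closes. Any other compiler sees no attributes and builds the same code.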
Adds documentation in Documentation/dev-tools/capability-analysis.rst,
and adds it to the index and cross-references from Sparse's document.
Signed-off-by: Marco Elver
---
.../dev-tools/capability-analysis.rst | 147 ++
Documentation/dev-tools/index.rst
changes.
[ RFC Note: A Clang version that supports -Wthread-safety-addressof is
recommended, but not required:
https://github.com/llvm/llvm-project/pull/123063
Should this patch series reach non-RFC stage, it is planned to be
committed to Clang before. ]
Signed-off-by: Marco Elver
-
Just like the pairing of attribute __acquires() with a matching
function-like macro __acquire(), the attribute __cond_acquires() should
have a matching function-like macro __cond_acquire().
To be consistent, rename __cond_lock() to __cond_acquire().
Signed-off-by: Marco Elver
---
drivers/net
ency:
https://github.com/llvm/llvm-project/pull/123063
This series is also available at this Git tree:
https://git.kernel.org/pub/scm/linux/kernel/git/melver/linux.git/log/?h=cap-analysis
Marco Elver (24):
compiler_types: Move lock checking attributes to
compiler-capability-a
On Fri, 2 Feb 2024 at 13:17, Kees Cook wrote:
>
> On Fri, Feb 02, 2024 at 12:01:55PM +0100, Marco Elver wrote:
> > On Fri, 2 Feb 2024 at 11:16, Kees Cook wrote:
> > > [...]
> > > +config UBSAN_UNSIGNED_WRAP
> > > + bool "Perform
ithmetic wrap-around.
>
> Additionally keep these disabled under CONFIG_COMPILE_TEST for now.
>
> Link: https://github.com/KSPP/linux/issues/26 [1]
> Link: https://github.com/KSPP/linux/issues/27 [2]
> Link: https://github.com/KSPP/linux/issues/344 [3]
> Cc: Justin Stitt
> Cc: Miguel