On Tue, Aug 13, 2019 at 01:34:02PM +0100, Colin Ian King wrote:
> Hi,
>
> Static analysis on linux-next today found an issue in the following commit:
>
> commit 1afc4b18724f8f7b7a21fdf66cd43cc4a932812d
> Author: Paul E. McKenney <paul...@linux.ibm.com>
> Date: Tue Jul 2 16:03:33 2019 -0700
>
> rcu/nocb: Add bypass callback queueing
>
>
> The coverity report is as follows:
>
> 1783 // If we have advanced to a new jiffy, reset counts to allow
> 1784 // moving back from ->nocb_bypass to ->cblist.
> 1785 if (j == rdp->nocb_nobypass_last) {
> 1786 c = rdp->nocb_nobypass_count + 1;
> 1787 } else {
> 1788 WRITE_ONCE(rdp->nocb_nobypass_last, j);
> 1789 c = rdp->nocb_nobypass_count -
> nocb_nobypass_lim_per_jiffy;
> 1790 if (c > nocb_nobypass_lim_per_jiffy)
> 1791 c = nocb_nobypass_lim_per_jiffy;
>
> CID 85141 (#1 of 1): Unsigned compared against 0
> unsigned_compare: This less-than-zero comparison of an unsigned value is
> never true. c < 0UL.
>
> 1792 else if (c < 0)
> 1793 c = 0;
>
> Variable c is an unsigned long so the c < 0 check is never true. I'm not
> sure what the ramifications are if c is made a signed long instead, so
> I'm not fixing this and reporting this issue.
Good catch!!!
How about the alleged fix shown below?
Thanx, Paul
------------------------------------------------------------------------
diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
index 91cefa3bf943..2defc7fe74c3 100644
--- a/kernel/rcu/tree_plugin.h
+++ b/kernel/rcu/tree_plugin.h
@@ -1787,10 +1787,11 @@ static bool rcu_nocb_try_bypass(struct rcu_data *rdp,
struct rcu_head *rhp,
} else {
WRITE_ONCE(rdp->nocb_nobypass_last, j);
c = rdp->nocb_nobypass_count - nocb_nobypass_lim_per_jiffy;
- if (c > nocb_nobypass_lim_per_jiffy)
- c = nocb_nobypass_lim_per_jiffy;
- else if (c < 0)
+ if (ULONG_CMP_LT(rdp->nocb_nobypass_count,
+ nocb_nobypass_lim_per_jiffy))
c = 0;
+ else if (c > nocb_nobypass_lim_per_jiffy)
+ c = nocb_nobypass_lim_per_jiffy;
}
WRITE_ONCE(rdp->nocb_nobypass_count, c);
