1 MARKING SHARED-MEMORY ACCESSES 1 MARKING SHARED-MEMORY ACCESSES
2 ============================== 2 ==============================
3 3
4 This document provides guidelines for marking 4 This document provides guidelines for marking intentionally concurrent
5 normal accesses to shared memory, that is "nor 5 normal accesses to shared memory, that is "normal" as in accesses that do
6 not use read-modify-write atomic operations. 6 not use read-modify-write atomic operations. It also describes how to
7 document these accesses, both with comments an 7 document these accesses, both with comments and with special assertions
8 processed by the Kernel Concurrency Sanitizer 8 processed by the Kernel Concurrency Sanitizer (KCSAN). This discussion
9 builds on an earlier LWN article [1] and Linux !! 9 builds on an earlier LWN article [1].
10 session [2]. <<
11 10
12 11
13 ACCESS-MARKING OPTIONS 12 ACCESS-MARKING OPTIONS
14 ====================== 13 ======================
15 14
16 The Linux kernel provides the following access 15 The Linux kernel provides the following access-marking options:
17 16
18 1. Plain C-language accesses (unmarked), 17 1. Plain C-language accesses (unmarked), for example, "a = b;"
19 18
20 2. Data-race marking, for example, "data_ 19 2. Data-race marking, for example, "data_race(a = b);"
21 20
22 3. READ_ONCE(), for example, "a = READ_ON 21 3. READ_ONCE(), for example, "a = READ_ONCE(b);"
23 The various forms of atomic_read() als 22 The various forms of atomic_read() also fit in here.
24 23
25 4. WRITE_ONCE(), for example, "WRITE_ONCE 24 4. WRITE_ONCE(), for example, "WRITE_ONCE(a, b);"
26 The various forms of atomic_set() also 25 The various forms of atomic_set() also fit in here.
27 26
28 5. __data_racy, for example "int __data_r <<
29 <<
30 6. KCSAN's negative-marking assertions, A <<
31 and ASSERT_EXCLUSIVE_WRITER(), are des <<
32 "ACCESS-DOCUMENTATION OPTIONS" section <<
33 27
34 These may be used in combination, as shown in 28 These may be used in combination, as shown in this admittedly improbable
35 example: 29 example:
36 30
37 WRITE_ONCE(a, b + data_race(c + d) + R 31 WRITE_ONCE(a, b + data_race(c + d) + READ_ONCE(e));
38 32
39 Neither plain C-language accesses nor data_rac 33 Neither plain C-language accesses nor data_race() (#1 and #2 above) place
40 any sort of constraint on the compiler's choic !! 34 any sort of constraint on the compiler's choice of optimizations [2].
41 In contrast, READ_ONCE() and WRITE_ONCE() (#3 35 In contrast, READ_ONCE() and WRITE_ONCE() (#3 and #4 above) restrict the
42 compiler's use of code-motion and common-subex 36 compiler's use of code-motion and common-subexpression optimizations.
43 Therefore, if a given access is involved in an 37 Therefore, if a given access is involved in an intentional data race,
44 using READ_ONCE() for loads and WRITE_ONCE() f 38 using READ_ONCE() for loads and WRITE_ONCE() for stores is usually
45 preferable to data_race(), which in turn is us 39 preferable to data_race(), which in turn is usually preferable to plain
46 C-language accesses. It is permissible to com 40 C-language accesses. It is permissible to combine #2 and #3, for example,
47 data_race(READ_ONCE(a)), which will both restr 41 data_race(READ_ONCE(a)), which will both restrict compiler optimizations
48 and disable KCSAN diagnostics. 42 and disable KCSAN diagnostics.
49 43
50 KCSAN will complain about many types of data r 44 KCSAN will complain about many types of data races involving plain
51 C-language accesses, but marking all accesses 45 C-language accesses, but marking all accesses involved in a given data
52 race with one of data_race(), READ_ONCE(), or 46 race with one of data_race(), READ_ONCE(), or WRITE_ONCE(), will prevent
53 KCSAN from complaining. Of course, lack of KC 47 KCSAN from complaining. Of course, lack of KCSAN complaints does not
54 imply correct code. Therefore, please take a 48 imply correct code. Therefore, please take a thoughtful approach
55 when responding to KCSAN complaints. Churning 49 when responding to KCSAN complaints. Churning the code base with
56 ill-considered additions of data_race(), READ_ 50 ill-considered additions of data_race(), READ_ONCE(), and WRITE_ONCE()
57 is unhelpful. 51 is unhelpful.
58 52
59 In fact, the following sections describe situa 53 In fact, the following sections describe situations where use of
60 data_race() and even plain C-language accesses 54 data_race() and even plain C-language accesses is preferable to
61 READ_ONCE() and WRITE_ONCE(). 55 READ_ONCE() and WRITE_ONCE().
62 56
63 57
64 Use of the data_race() Macro 58 Use of the data_race() Macro
65 ---------------------------- 59 ----------------------------
66 60
67 Here are some situations where data_race() sho 61 Here are some situations where data_race() should be used instead of
68 READ_ONCE() and WRITE_ONCE(): 62 READ_ONCE() and WRITE_ONCE():
69 63
70 1. Data-racy loads from shared variables 64 1. Data-racy loads from shared variables whose values are used only
71 for diagnostic purposes. 65 for diagnostic purposes.
72 66
73 2. Data-racy reads whose values are check 67 2. Data-racy reads whose values are checked against marked reload.
74 68
75 3. Reads whose values feed into error-tol 69 3. Reads whose values feed into error-tolerant heuristics.
76 70
77 4. Writes setting values that feed into e 71 4. Writes setting values that feed into error-tolerant heuristics.
78 72
79 73
80 Data-Racy Reads for Approximate Diagnostics 74 Data-Racy Reads for Approximate Diagnostics
81 75
82 Approximate diagnostics include lockdep report 76 Approximate diagnostics include lockdep reports, monitoring/statistics
83 (including /proc and /sys output), WARN*()/BUG 77 (including /proc and /sys output), WARN*()/BUG*() checks whose return
84 values are ignored, and other situations where 78 values are ignored, and other situations where reads from shared variables
85 are not an integral part of the core concurren 79 are not an integral part of the core concurrency design.
86 80
87 In fact, use of data_race() instead READ_ONCE( 81 In fact, use of data_race() instead READ_ONCE() for these diagnostic
88 reads can enable better checking of the remain 82 reads can enable better checking of the remaining accesses implementing
89 the core concurrency design. For example, sup 83 the core concurrency design. For example, suppose that the core design
90 prevents any non-diagnostic reads from shared 84 prevents any non-diagnostic reads from shared variable x from running
91 concurrently with updates to x. Then using pl 85 concurrently with updates to x. Then using plain C-language writes
92 to x allows KCSAN to detect reads from x from 86 to x allows KCSAN to detect reads from x from within regions of code
93 that fail to exclude the updates. In this cas 87 that fail to exclude the updates. In this case, it is important to use
94 data_race() for the diagnostic reads because o 88 data_race() for the diagnostic reads because otherwise KCSAN would give
95 false-positive warnings about these diagnostic 89 false-positive warnings about these diagnostic reads.
96 90
97 If it is necessary to both restrict compiler o 91 If it is necessary to both restrict compiler optimizations and disable
98 KCSAN diagnostics, use both data_race() and RE 92 KCSAN diagnostics, use both data_race() and READ_ONCE(), for example,
99 data_race(READ_ONCE(a)). 93 data_race(READ_ONCE(a)).
100 94
101 In theory, plain C-language loads can also be 95 In theory, plain C-language loads can also be used for this use case.
102 However, in practice this will have the disadv 96 However, in practice this will have the disadvantage of causing KCSAN
103 to generate false positives because KCSAN will 97 to generate false positives because KCSAN will have no way of knowing
104 that the resulting data race was intentional. 98 that the resulting data race was intentional.
105 99
106 100
107 Data-Racy Reads That Are Checked Against Marke 101 Data-Racy Reads That Are Checked Against Marked Reload
108 102
109 The values from some reads are not implicitly 103 The values from some reads are not implicitly trusted. They are instead
110 fed into some operation that checks the full v 104 fed into some operation that checks the full value against a later marked
111 load from memory, which means that the occasio 105 load from memory, which means that the occasional arbitrarily bogus value
112 is not a problem. For example, if a bogus val 106 is not a problem. For example, if a bogus value is fed into cmpxchg(),
113 all that happens is that this cmpxchg() fails, 107 all that happens is that this cmpxchg() fails, which normally results
114 in a retry. Unless the race condition that re 108 in a retry. Unless the race condition that resulted in the bogus value
115 recurs, this retry will with high probability 109 recurs, this retry will with high probability succeed, so no harm done.
116 110
117 However, please keep in mind that a data_race( 111 However, please keep in mind that a data_race() load feeding into
118 a cmpxchg_relaxed() might still be subject to 112 a cmpxchg_relaxed() might still be subject to load fusing on some
119 architectures. Therefore, it is best to captu 113 architectures. Therefore, it is best to capture the return value from
120 the failing cmpxchg() for the next iteration o 114 the failing cmpxchg() for the next iteration of the loop, an approach
121 that provides the compiler much less scope for 115 that provides the compiler much less scope for mischievous optimizations.
122 Capturing the return value from cmpxchg() also 116 Capturing the return value from cmpxchg() also saves a memory reference
123 in many cases. 117 in many cases.
124 118
125 In theory, plain C-language loads can also be 119 In theory, plain C-language loads can also be used for this use case.
126 However, in practice this will have the disadv 120 However, in practice this will have the disadvantage of causing KCSAN
127 to generate false positives because KCSAN will 121 to generate false positives because KCSAN will have no way of knowing
128 that the resulting data race was intentional. 122 that the resulting data race was intentional.
129 123
130 124
131 Reads Feeding Into Error-Tolerant Heuristics 125 Reads Feeding Into Error-Tolerant Heuristics
132 126
133 Values from some reads feed into heuristics th 127 Values from some reads feed into heuristics that can tolerate occasional
134 errors. Such reads can use data_race(), thus 128 errors. Such reads can use data_race(), thus allowing KCSAN to focus on
135 the other accesses to the relevant shared vari 129 the other accesses to the relevant shared variables. But please note
136 that data_race() loads are subject to load fus 130 that data_race() loads are subject to load fusing, which can result in
137 consistent errors, which in turn are quite cap 131 consistent errors, which in turn are quite capable of breaking heuristics.
138 Therefore use of data_race() should be limited 132 Therefore use of data_race() should be limited to cases where some other
139 code (such as a barrier() call) will force the 133 code (such as a barrier() call) will force the occasional reload.
140 134
141 Note that this use case requires that the heur 135 Note that this use case requires that the heuristic be able to handle
142 any possible error. In contrast, if the heuri 136 any possible error. In contrast, if the heuristics might be fatally
143 confused by one or more of the possible errone 137 confused by one or more of the possible erroneous values, use READ_ONCE()
144 instead of data_race(). 138 instead of data_race().
145 139
146 In theory, plain C-language loads can also be 140 In theory, plain C-language loads can also be used for this use case.
147 However, in practice this will have the disadv 141 However, in practice this will have the disadvantage of causing KCSAN
148 to generate false positives because KCSAN will 142 to generate false positives because KCSAN will have no way of knowing
149 that the resulting data race was intentional. 143 that the resulting data race was intentional.
150 144
151 145
152 Writes Setting Values Feeding Into Error-Toler 146 Writes Setting Values Feeding Into Error-Tolerant Heuristics
153 147
154 The values read into error-tolerant heuristics 148 The values read into error-tolerant heuristics come from somewhere,
155 for example, from sysfs. This means that some 149 for example, from sysfs. This means that some code in sysfs writes
156 to this same variable, and these writes can al 150 to this same variable, and these writes can also use data_race().
157 After all, if the heuristic can tolerate the o 151 After all, if the heuristic can tolerate the occasional bogus value
158 due to compiler-mangled reads, it can also tol 152 due to compiler-mangled reads, it can also tolerate the occasional
159 compiler-mangled write, at least assuming that 153 compiler-mangled write, at least assuming that the proper value is in
160 place once the write completes. 154 place once the write completes.
161 155
162 Plain C-language stores can also be used for t 156 Plain C-language stores can also be used for this use case. However,
163 in kernels built with CONFIG_KCSAN_ASSUME_PLAI 157 in kernels built with CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n, this
164 will have the disadvantage of causing KCSAN to 158 will have the disadvantage of causing KCSAN to generate false positives
165 because KCSAN will have no way of knowing that 159 because KCSAN will have no way of knowing that the resulting data race
166 was intentional. 160 was intentional.
167 161
168 162
169 Use of Plain C-Language Accesses 163 Use of Plain C-Language Accesses
170 -------------------------------- 164 --------------------------------
171 165
172 Here are some example situations where plain C 166 Here are some example situations where plain C-language accesses should
173 used instead of READ_ONCE(), WRITE_ONCE(), and 167 used instead of READ_ONCE(), WRITE_ONCE(), and data_race():
174 168
175 1. Accesses protected by mutual exclusion 169 1. Accesses protected by mutual exclusion, including strict locking
176 and sequence locking. 170 and sequence locking.
177 171
178 2. Initialization-time and cleanup-time a 172 2. Initialization-time and cleanup-time accesses. This covers a
179 wide variety of situations, including 173 wide variety of situations, including the uniprocessor phase of
180 system boot, variables to be used by n 174 system boot, variables to be used by not-yet-spawned kthreads,
181 structures not yet published to refere 175 structures not yet published to reference-counted or RCU-protected
182 data structures, and the cleanup side 176 data structures, and the cleanup side of any of these situations.
183 177
184 3. Per-CPU variables that are not accesse 178 3. Per-CPU variables that are not accessed from other CPUs.
185 179
186 4. Private per-task variables, including 180 4. Private per-task variables, including on-stack variables, some
187 fields in the task_struct structure, a 181 fields in the task_struct structure, and task-private heap data.
188 182
189 5. Any other loads for which there is not 183 5. Any other loads for which there is not supposed to be a concurrent
190 store to that same variable. 184 store to that same variable.
191 185
192 6. Any other stores for which there shoul 186 6. Any other stores for which there should be neither concurrent
193 loads nor concurrent stores to that sa 187 loads nor concurrent stores to that same variable.
194 188
195 But note that KCSAN makes two explicit 189 But note that KCSAN makes two explicit exceptions to this rule
196 by default, refraining from flagging p 190 by default, refraining from flagging plain C-language stores:
197 191
198 a. No matter what. You can overr 192 a. No matter what. You can override this default by building
199 with CONFIG_KCSAN_ASSUME_PLAIN 193 with CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n.
200 194
201 b. When the store writes the valu 195 b. When the store writes the value already contained in
202 that variable. You can overri 196 that variable. You can override this default by building
203 with CONFIG_KCSAN_REPORT_VALUE 197 with CONFIG_KCSAN_REPORT_VALUE_CHANGE_ONLY=n.
204 198
205 c. When one of the stores is in a 199 c. When one of the stores is in an interrupt handler and
206 the other in the interrupted c 200 the other in the interrupted code. You can override this
207 default by building with CONFI 201 default by building with CONFIG_KCSAN_INTERRUPT_WATCHER=y.
208 202
209 Note that it is important to use plain C-langu 203 Note that it is important to use plain C-language accesses in these cases,
210 because doing otherwise prevents KCSAN from de 204 because doing otherwise prevents KCSAN from detecting violations of your
211 code's synchronization rules. 205 code's synchronization rules.
212 206
213 207
214 Use of __data_racy <<
215 ------------------ <<
216 <<
217 Adding the __data_racy type qualifier to the d <<
218 causes KCSAN to treat all accesses to that var <<
219 enclosed by data_race(). However, __data_racy <<
220 compiler, though one could imagine hardened ke <<
221 __data_racy type qualifier as if it was the vo <<
222 <<
223 Note well that __data_racy is subject to the s <<
224 rules as are other type qualifiers such as con <<
225 For example: <<
226 <<
227 int __data_racy *p; // Pointer to data <<
228 int *__data_racy p; // Data-racy point <<
229 <<
230 <<
231 ACCESS-DOCUMENTATION OPTIONS 208 ACCESS-DOCUMENTATION OPTIONS
232 ============================ 209 ============================
233 210
234 It is important to comment marked accesses so 211 It is important to comment marked accesses so that people reading your
235 code, yourself included, are reminded of the s 212 code, yourself included, are reminded of the synchronization design.
236 However, it is even more important to comment 213 However, it is even more important to comment plain C-language accesses
237 that are intentionally involved in data races. 214 that are intentionally involved in data races. Such comments are
238 needed to remind people reading your code, aga 215 needed to remind people reading your code, again, yourself included,
239 of how the compiler has been prevented from op 216 of how the compiler has been prevented from optimizing those accesses
240 into concurrency bugs. 217 into concurrency bugs.
241 218
242 It is also possible to tell KCSAN about your s 219 It is also possible to tell KCSAN about your synchronization design.
243 For example, ASSERT_EXCLUSIVE_ACCESS(foo) tell 220 For example, ASSERT_EXCLUSIVE_ACCESS(foo) tells KCSAN that any
244 concurrent access to variable foo by any other 221 concurrent access to variable foo by any other CPU is an error, even
245 if that concurrent access is marked with READ_ 222 if that concurrent access is marked with READ_ONCE(). In addition,
246 ASSERT_EXCLUSIVE_WRITER(foo) tells KCSAN that 223 ASSERT_EXCLUSIVE_WRITER(foo) tells KCSAN that although it is OK for there
247 to be concurrent reads from foo from other CPU 224 to be concurrent reads from foo from other CPUs, it is an error for some
248 other CPU to be concurrently writing to foo, e 225 other CPU to be concurrently writing to foo, even if that concurrent
249 write is marked with data_race() or WRITE_ONCE 226 write is marked with data_race() or WRITE_ONCE().
250 227
251 Note that although KCSAN will call out data ra 228 Note that although KCSAN will call out data races involving either
252 ASSERT_EXCLUSIVE_ACCESS() or ASSERT_EXCLUSIVE_ 229 ASSERT_EXCLUSIVE_ACCESS() or ASSERT_EXCLUSIVE_WRITER() on the one hand
253 and data_race() writes on the other, KCSAN wil 230 and data_race() writes on the other, KCSAN will not report the location
254 of these data_race() writes. 231 of these data_race() writes.
255 232
256 233
257 EXAMPLES 234 EXAMPLES
258 ======== 235 ========
259 236
260 As noted earlier, the goal is to prevent the c 237 As noted earlier, the goal is to prevent the compiler from destroying
261 your concurrent algorithm, to help the human r 238 your concurrent algorithm, to help the human reader, and to inform
262 KCSAN of aspects of your concurrency design. 239 KCSAN of aspects of your concurrency design. This section looks at a
263 few examples showing how this can be done. 240 few examples showing how this can be done.
264 241
265 242
266 Lock Protection With Lockless Diagnostic Acces 243 Lock Protection With Lockless Diagnostic Access
267 ---------------------------------------------- 244 -----------------------------------------------
268 245
269 For example, suppose a shared variable "foo" i 246 For example, suppose a shared variable "foo" is read only while a
270 reader-writer spinlock is read-held, written o 247 reader-writer spinlock is read-held, written only while that same
271 spinlock is write-held, except that it is also 248 spinlock is write-held, except that it is also read locklessly for
272 diagnostic purposes. The code might look as f 249 diagnostic purposes. The code might look as follows:
273 250
274 int foo; 251 int foo;
275 DEFINE_RWLOCK(foo_rwlock); 252 DEFINE_RWLOCK(foo_rwlock);
276 253
277 void update_foo(int newval) 254 void update_foo(int newval)
278 { 255 {
279 write_lock(&foo_rwlock); 256 write_lock(&foo_rwlock);
280 foo = newval; 257 foo = newval;
281 do_something(newval); 258 do_something(newval);
282 write_unlock(&foo_rwlock); 259 write_unlock(&foo_rwlock);
283 } 260 }
284 261
285 int read_foo(void) 262 int read_foo(void)
286 { 263 {
287 int ret; 264 int ret;
288 265
289 read_lock(&foo_rwlock); 266 read_lock(&foo_rwlock);
290 do_something_else(); 267 do_something_else();
291 ret = foo; 268 ret = foo;
292 read_unlock(&foo_rwlock); 269 read_unlock(&foo_rwlock);
293 return ret; 270 return ret;
294 } 271 }
295 272
296 void read_foo_diagnostic(void) 273 void read_foo_diagnostic(void)
297 { 274 {
298 pr_info("Current value of foo: 275 pr_info("Current value of foo: %d\n", data_race(foo));
299 } 276 }
300 277
301 The reader-writer lock prevents the compiler f 278 The reader-writer lock prevents the compiler from introducing concurrency
302 bugs into any part of the main algorithm using 279 bugs into any part of the main algorithm using foo, which means that
303 the accesses to foo within both update_foo() a 280 the accesses to foo within both update_foo() and read_foo() can (and
304 should) be plain C-language accesses. One ben 281 should) be plain C-language accesses. One benefit of making them be
305 plain C-language accesses is that KCSAN can de 282 plain C-language accesses is that KCSAN can detect any erroneous lockless
306 reads from or updates to foo. The data_race() 283 reads from or updates to foo. The data_race() in read_foo_diagnostic()
307 tells KCSAN that data races are expected, and 284 tells KCSAN that data races are expected, and should be silently
308 ignored. This data_race() also tells the huma 285 ignored. This data_race() also tells the human reading the code that
309 read_foo_diagnostic() might sometimes return a 286 read_foo_diagnostic() might sometimes return a bogus value.
310 287
311 If it is necessary to suppress compiler optimi 288 If it is necessary to suppress compiler optimization and also detect
312 buggy lockless writes, read_foo_diagnostic() c 289 buggy lockless writes, read_foo_diagnostic() can be updated as follows:
313 290
314 void read_foo_diagnostic(void) 291 void read_foo_diagnostic(void)
315 { 292 {
316 pr_info("Current value of foo: 293 pr_info("Current value of foo: %d\n", data_race(READ_ONCE(foo)));
317 } 294 }
318 295
319 Alternatively, given that KCSAN is to ignore a 296 Alternatively, given that KCSAN is to ignore all accesses in this function,
320 this function can be marked __no_kcsan and the 297 this function can be marked __no_kcsan and the data_race() can be dropped:
321 298
322 void __no_kcsan read_foo_diagnostic(vo 299 void __no_kcsan read_foo_diagnostic(void)
323 { 300 {
324 pr_info("Current value of foo: 301 pr_info("Current value of foo: %d\n", READ_ONCE(foo));
325 } 302 }
326 303
327 However, in order for KCSAN to detect buggy lo 304 However, in order for KCSAN to detect buggy lockless writes, your kernel
328 must be built with CONFIG_KCSAN_ASSUME_PLAIN_W 305 must be built with CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n. If you
329 need KCSAN to detect such a write even if that 306 need KCSAN to detect such a write even if that write did not change
330 the value of foo, you also need CONFIG_KCSAN_R 307 the value of foo, you also need CONFIG_KCSAN_REPORT_VALUE_CHANGE_ONLY=n.
331 If you need KCSAN to detect such a write happe 308 If you need KCSAN to detect such a write happening in an interrupt handler
332 running on the same CPU doing the legitimate l 309 running on the same CPU doing the legitimate lock-protected write, you
333 also need CONFIG_KCSAN_INTERRUPT_WATCHER=y. W 310 also need CONFIG_KCSAN_INTERRUPT_WATCHER=y. With some or all of these
334 Kconfig options set properly, KCSAN can be qui 311 Kconfig options set properly, KCSAN can be quite helpful, although
335 it is not necessarily a full replacement for h 312 it is not necessarily a full replacement for hardware watchpoints.
336 On the other hand, neither are hardware watchp 313 On the other hand, neither are hardware watchpoints a full replacement
337 for KCSAN because it is not always easy to tel 314 for KCSAN because it is not always easy to tell hardware watchpoint to
338 conditionally trap on accesses. 315 conditionally trap on accesses.
339 316
340 317
341 Lock-Protected Writes With Lockless Reads 318 Lock-Protected Writes With Lockless Reads
342 ----------------------------------------- 319 -----------------------------------------
343 320
344 For another example, suppose a shared variable 321 For another example, suppose a shared variable "foo" is updated only
345 while holding a spinlock, but is read lockless 322 while holding a spinlock, but is read locklessly. The code might look
346 as follows: 323 as follows:
347 324
348 int foo; 325 int foo;
349 DEFINE_SPINLOCK(foo_lock); 326 DEFINE_SPINLOCK(foo_lock);
350 327
351 void update_foo(int newval) 328 void update_foo(int newval)
352 { 329 {
353 spin_lock(&foo_lock); 330 spin_lock(&foo_lock);
354 WRITE_ONCE(foo, newval); 331 WRITE_ONCE(foo, newval);
355 ASSERT_EXCLUSIVE_WRITER(foo); 332 ASSERT_EXCLUSIVE_WRITER(foo);
356 do_something(newval); 333 do_something(newval);
357 spin_unlock(&foo_wlock); 334 spin_unlock(&foo_wlock);
358 } 335 }
359 336
360 int read_foo(void) 337 int read_foo(void)
361 { 338 {
362 do_something_else(); 339 do_something_else();
363 return READ_ONCE(foo); 340 return READ_ONCE(foo);
364 } 341 }
365 342
366 Because foo is read locklessly, all accesses a 343 Because foo is read locklessly, all accesses are marked. The purpose
367 of the ASSERT_EXCLUSIVE_WRITER() is to allow K 344 of the ASSERT_EXCLUSIVE_WRITER() is to allow KCSAN to check for a buggy
368 concurrent write, whether marked or not. !! 345 concurrent lockless write.
369 346
370 347
371 Lock-Protected Writes With Heuristic Lockless 348 Lock-Protected Writes With Heuristic Lockless Reads
372 ---------------------------------------------- 349 ---------------------------------------------------
373 350
374 For another example, suppose that the code can 351 For another example, suppose that the code can normally make use of
375 a per-data-structure lock, but there are times 352 a per-data-structure lock, but there are times when a global lock
376 is required. These times are indicated via a 353 is required. These times are indicated via a global flag. The code
377 might look as follows, and is based loosely on 354 might look as follows, and is based loosely on nf_conntrack_lock(),
378 nf_conntrack_all_lock(), and nf_conntrack_all_ 355 nf_conntrack_all_lock(), and nf_conntrack_all_unlock():
379 356
380 bool global_flag; 357 bool global_flag;
381 DEFINE_SPINLOCK(global_lock); 358 DEFINE_SPINLOCK(global_lock);
382 struct foo { 359 struct foo {
383 spinlock_t f_lock; 360 spinlock_t f_lock;
384 int f_data; 361 int f_data;
385 }; 362 };
386 363
387 /* All foo structures are in the follo 364 /* All foo structures are in the following array. */
388 int nfoo; 365 int nfoo;
389 struct foo *foo_array; 366 struct foo *foo_array;
390 367
391 void do_something_locked(struct foo *f 368 void do_something_locked(struct foo *fp)
392 { 369 {
393 /* This works even if data_rac 370 /* This works even if data_race() returns nonsense. */
394 if (!data_race(global_flag)) { 371 if (!data_race(global_flag)) {
395 spin_lock(&fp->f_lock) 372 spin_lock(&fp->f_lock);
396 if (!smp_load_acquire( 373 if (!smp_load_acquire(&global_flag)) {
397 do_something(f 374 do_something(fp);
398 spin_unlock(&f 375 spin_unlock(&fp->f_lock);
399 return; 376 return;
400 } 377 }
401 spin_unlock(&fp->f_loc 378 spin_unlock(&fp->f_lock);
402 } 379 }
403 spin_lock(&global_lock); 380 spin_lock(&global_lock);
404 /* global_lock held, thus glob 381 /* global_lock held, thus global flag cannot be set. */
405 spin_lock(&fp->f_lock); 382 spin_lock(&fp->f_lock);
406 spin_unlock(&global_lock); 383 spin_unlock(&global_lock);
407 /* 384 /*
408 * global_flag might be set he 385 * global_flag might be set here, but begin_global()
409 * will wait for ->f_lock to b 386 * will wait for ->f_lock to be released.
410 */ 387 */
411 do_something(fp); 388 do_something(fp);
412 spin_unlock(&fp->f_lock); 389 spin_unlock(&fp->f_lock);
413 } 390 }
414 391
415 void begin_global(void) 392 void begin_global(void)
416 { 393 {
417 int i; 394 int i;
418 395
419 spin_lock(&global_lock); 396 spin_lock(&global_lock);
420 WRITE_ONCE(global_flag, true); 397 WRITE_ONCE(global_flag, true);
421 for (i = 0; i < nfoo; i++) { 398 for (i = 0; i < nfoo; i++) {
422 /* 399 /*
423 * Wait for pre-existi 400 * Wait for pre-existing local locks. One at
424 * a time to avoid loc 401 * a time to avoid lockdep limitations.
425 */ 402 */
426 spin_lock(&fp->f_lock) 403 spin_lock(&fp->f_lock);
427 spin_unlock(&fp->f_loc 404 spin_unlock(&fp->f_lock);
428 } 405 }
429 } 406 }
430 407
431 void end_global(void) 408 void end_global(void)
432 { 409 {
433 smp_store_release(&global_flag 410 smp_store_release(&global_flag, false);
434 spin_unlock(&global_lock); 411 spin_unlock(&global_lock);
435 } 412 }
436 413
437 All code paths leading from the do_something_l 414 All code paths leading from the do_something_locked() function's first
438 read from global_flag acquire a lock, so endle 415 read from global_flag acquire a lock, so endless load fusing cannot
439 happen. 416 happen.
440 417
441 If the value read from global_flag is true, th 418 If the value read from global_flag is true, then global_flag is
442 rechecked while holding ->f_lock, which, if gl 419 rechecked while holding ->f_lock, which, if global_flag is now false,
443 prevents begin_global() from completing. It i 420 prevents begin_global() from completing. It is therefore safe to invoke
444 do_something(). 421 do_something().
445 422
446 Otherwise, if either value read from global_fl 423 Otherwise, if either value read from global_flag is true, then after
447 global_lock is acquired global_flag must be fa 424 global_lock is acquired global_flag must be false. The acquisition of
448 ->f_lock will prevent any call to begin_global 425 ->f_lock will prevent any call to begin_global() from returning, which
449 means that it is safe to release global_lock a 426 means that it is safe to release global_lock and invoke do_something().
450 427
451 For this to work, only those foo structures in 428 For this to work, only those foo structures in foo_array[] may be passed
452 to do_something_locked(). The reason for this 429 to do_something_locked(). The reason for this is that the synchronization
453 with begin_global() relies on momentarily hold 430 with begin_global() relies on momentarily holding the lock of each and
454 every foo structure. 431 every foo structure.
455 432
456 The smp_load_acquire() and smp_store_release() 433 The smp_load_acquire() and smp_store_release() are required because
457 changes to a foo structure between calls to be 434 changes to a foo structure between calls to begin_global() and
458 end_global() are carried out without holding t 435 end_global() are carried out without holding that structure's ->f_lock.
459 The smp_load_acquire() and smp_store_release() 436 The smp_load_acquire() and smp_store_release() ensure that the next
460 invocation of do_something() from do_something 437 invocation of do_something() from do_something_locked() will see those
461 changes. 438 changes.
462 439
463 440
464 Lockless Reads and Writes 441 Lockless Reads and Writes
465 ------------------------- 442 -------------------------
466 443
467 For another example, suppose a shared variable 444 For another example, suppose a shared variable "foo" is both read and
468 updated locklessly. The code might look as fo 445 updated locklessly. The code might look as follows:
469 446
470 int foo; 447 int foo;
471 448
472 int update_foo(int newval) 449 int update_foo(int newval)
473 { 450 {
474 int ret; 451 int ret;
475 452
476 ret = xchg(&foo, newval); 453 ret = xchg(&foo, newval);
477 do_something(newval); 454 do_something(newval);
478 return ret; 455 return ret;
479 } 456 }
480 457
481 int read_foo(void) 458 int read_foo(void)
482 { 459 {
483 do_something_else(); 460 do_something_else();
484 return READ_ONCE(foo); 461 return READ_ONCE(foo);
485 } 462 }
486 463
487 Because foo is accessed locklessly, all access 464 Because foo is accessed locklessly, all accesses are marked. It does
488 not make sense to use ASSERT_EXCLUSIVE_WRITER( 465 not make sense to use ASSERT_EXCLUSIVE_WRITER() in this case because
489 there really can be concurrent lockless writer 466 there really can be concurrent lockless writers. KCSAN would
490 flag any concurrent plain C-language reads fro 467 flag any concurrent plain C-language reads from foo, and given
491 CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n, als 468 CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n, also any concurrent plain
492 C-language writes to foo. 469 C-language writes to foo.
493 470
494 471
495 Lockless Reads and Writes, But With Single-Thr 472 Lockless Reads and Writes, But With Single-Threaded Initialization
496 ---------------------------------------------- 473 ------------------------------------------------------------------
497 474
498 For yet another example, suppose that foo is i 475 For yet another example, suppose that foo is initialized in a
499 single-threaded manner, but that a number of k 476 single-threaded manner, but that a number of kthreads are then created
500 that locklessly and concurrently access foo. 477 that locklessly and concurrently access foo. Some snippets of this code
501 might look as follows: 478 might look as follows:
502 479
503 int foo; 480 int foo;
504 481
505 void initialize_foo(int initval, int n 482 void initialize_foo(int initval, int nkthreads)
506 { 483 {
507 int i; 484 int i;
508 485
509 foo = initval; 486 foo = initval;
510 ASSERT_EXCLUSIVE_ACCESS(foo); 487 ASSERT_EXCLUSIVE_ACCESS(foo);
511 for (i = 0; i < nkthreads; i++ 488 for (i = 0; i < nkthreads; i++)
512 kthread_run(access_foo 489 kthread_run(access_foo_concurrently, ...);
513 } 490 }
514 491
515 /* Called from access_foo_concurrently 492 /* Called from access_foo_concurrently(). */
516 int update_foo(int newval) 493 int update_foo(int newval)
517 { 494 {
518 int ret; 495 int ret;
519 496
520 ret = xchg(&foo, newval); 497 ret = xchg(&foo, newval);
521 do_something(newval); 498 do_something(newval);
522 return ret; 499 return ret;
523 } 500 }
524 501
525 /* Also called from access_foo_concurr 502 /* Also called from access_foo_concurrently(). */
526 int read_foo(void) 503 int read_foo(void)
527 { 504 {
528 do_something_else(); 505 do_something_else();
529 return READ_ONCE(foo); 506 return READ_ONCE(foo);
530 } 507 }
531 508
532 The initialize_foo() uses a plain C-language w 509 The initialize_foo() uses a plain C-language write to foo because there
533 are not supposed to be concurrent accesses dur 510 are not supposed to be concurrent accesses during initialization. The
534 ASSERT_EXCLUSIVE_ACCESS() allows KCSAN to flag 511 ASSERT_EXCLUSIVE_ACCESS() allows KCSAN to flag buggy concurrent unmarked
535 reads, and the ASSERT_EXCLUSIVE_ACCESS() call 512 reads, and the ASSERT_EXCLUSIVE_ACCESS() call further allows KCSAN to
536 flag buggy concurrent writes, even if: (1) Th 513 flag buggy concurrent writes, even if: (1) Those writes are marked or
537 (2) The kernel was built with CONFIG_KCSAN_ASS 514 (2) The kernel was built with CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=y.
538 515
539 516
540 Checking Stress-Test Race Coverage 517 Checking Stress-Test Race Coverage
541 ---------------------------------- 518 ----------------------------------
542 519
543 When designing stress tests it is important to 520 When designing stress tests it is important to ensure that race conditions
544 of interest really do occur. For example, con 521 of interest really do occur. For example, consider the following code
545 fragment: 522 fragment:
546 523
547 int foo; 524 int foo;
548 525
549 int update_foo(int newval) 526 int update_foo(int newval)
550 { 527 {
551 return xchg(&foo, newval); 528 return xchg(&foo, newval);
552 } 529 }
553 530
554 int xor_shift_foo(int shift, int mask) 531 int xor_shift_foo(int shift, int mask)
555 { 532 {
556 int old, new, newold; 533 int old, new, newold;
557 534
558 newold = data_race(foo); /* Ch 535 newold = data_race(foo); /* Checked by cmpxchg(). */
559 do { 536 do {
560 old = newold; 537 old = newold;
561 new = (old << shift) ^ 538 new = (old << shift) ^ mask;
562 newold = cmpxchg(&foo, 539 newold = cmpxchg(&foo, old, new);
563 } while (newold != old); 540 } while (newold != old);
564 return old; 541 return old;
565 } 542 }
566 543
567 int read_foo(void) 544 int read_foo(void)
568 { 545 {
569 return READ_ONCE(foo); 546 return READ_ONCE(foo);
570 } 547 }
571 548
572 If it is possible for update_foo(), xor_shift_ 549 If it is possible for update_foo(), xor_shift_foo(), and read_foo() to be
573 invoked concurrently, the stress test should f 550 invoked concurrently, the stress test should force this concurrency to
574 actually happen. KCSAN can evaluate the stres 551 actually happen. KCSAN can evaluate the stress test when the above code
575 is modified to read as follows: 552 is modified to read as follows:
576 553
577 int foo; 554 int foo;
578 555
579 int update_foo(int newval) 556 int update_foo(int newval)
580 { 557 {
581 ASSERT_EXCLUSIVE_ACCESS(foo); 558 ASSERT_EXCLUSIVE_ACCESS(foo);
582 return xchg(&foo, newval); 559 return xchg(&foo, newval);
583 } 560 }
584 561
585 int xor_shift_foo(int shift, int mask) 562 int xor_shift_foo(int shift, int mask)
586 { 563 {
587 int old, new, newold; 564 int old, new, newold;
588 565
589 newold = data_race(foo); /* Ch 566 newold = data_race(foo); /* Checked by cmpxchg(). */
590 do { 567 do {
591 old = newold; 568 old = newold;
592 new = (old << shift) ^ 569 new = (old << shift) ^ mask;
593 ASSERT_EXCLUSIVE_ACCES 570 ASSERT_EXCLUSIVE_ACCESS(foo);
594 newold = cmpxchg(&foo, 571 newold = cmpxchg(&foo, old, new);
595 } while (newold != old); 572 } while (newold != old);
596 return old; 573 return old;
597 } 574 }
598 575
599 576
600 int read_foo(void) 577 int read_foo(void)
601 { 578 {
602 ASSERT_EXCLUSIVE_ACCESS(foo); 579 ASSERT_EXCLUSIVE_ACCESS(foo);
603 return READ_ONCE(foo); 580 return READ_ONCE(foo);
604 } 581 }
605 582
606 If a given stress-test run does not result in 583 If a given stress-test run does not result in KCSAN complaints from
607 each possible pair of ASSERT_EXCLUSIVE_ACCESS( 584 each possible pair of ASSERT_EXCLUSIVE_ACCESS() invocations, the
608 stress test needs improvement. If the stress 585 stress test needs improvement. If the stress test was to be evaluated
609 on a regular basis, it would be wise to place 586 on a regular basis, it would be wise to place the above instances of
610 ASSERT_EXCLUSIVE_ACCESS() under #ifdef so that 587 ASSERT_EXCLUSIVE_ACCESS() under #ifdef so that they did not result in
611 false positives when not evaluating the stress 588 false positives when not evaluating the stress test.
612 589
613 590
614 REFERENCES 591 REFERENCES
615 ========== 592 ==========
616 593
617 [1] "Concurrency bugs should fear the big bad 594 [1] "Concurrency bugs should fear the big bad data-race detector (part 2)"
618 https://lwn.net/Articles/816854/ 595 https://lwn.net/Articles/816854/
619 596
620 [2] "The Kernel Concurrency Sanitizer" !! 597 [2] "Who's afraid of a big bad optimizing compiler?"
621 https://www.linuxfoundation.org/webinars/t <<
622 <<
623 [3] "Who's afraid of a big bad optimizing comp <<
624 https://lwn.net/Articles/793253/ 598 https://lwn.net/Articles/793253/
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.