1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * KCSAN access checks and modifiers. These can be used to explicitly check
4 * uninstrumented accesses, or change KCSAN checking behaviour of accesses.
5 *
6 * Copyright (C) 2019, Google LLC.
7 */
8
9 #ifndef _LINUX_KCSAN_CHECKS_H
10 #define _LINUX_KCSAN_CHECKS_H
11
12 /* Note: Only include what is already included by compiler.h. */
13 #include <linux/compiler_attributes.h>
14 #include <linux/types.h>
15
16 /* Access types -- if KCSAN_ACCESS_WRITE is not set, the access is a read. */
17 #define KCSAN_ACCESS_WRITE (1 << 0) /* Access is a write. */
18 #define KCSAN_ACCESS_COMPOUND (1 << 1) /* Compounded read-write instrumentation. */
19 #define KCSAN_ACCESS_ATOMIC (1 << 2) /* Access is atomic. */
20 /* The following are special, and never due to compiler instrumentation. */
21 #define KCSAN_ACCESS_ASSERT (1 << 3) /* Access is an assertion. */
22 #define KCSAN_ACCESS_SCOPED (1 << 4) /* Access is a scoped access. */
23
24 /*
25 * __kcsan_*: Always calls into the runtime when KCSAN is enabled. This may be used
26 * even in compilation units that selectively disable KCSAN, but must use KCSAN
27 * to validate access to an address. Never use these in header files!
28 */
29 #ifdef CONFIG_KCSAN
30 /**
31 * __kcsan_check_access - check generic access for races
32 *
33 * @ptr: address of access
34 * @size: size of access
35 * @type: access type modifier
36 */
37 void __kcsan_check_access(const volatile void *ptr, size_t size, int type);
38
39 /*
40 * See definition of __tsan_atomic_signal_fence() in kernel/kcsan/core.c.
41 * Note: The mappings are arbitrary, and do not reflect any real mappings of C11
42 * memory orders to the LKMM memory orders and vice-versa!
43 */
44 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_mb __ATOMIC_SEQ_CST
45 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_wmb __ATOMIC_ACQ_REL
46 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_rmb __ATOMIC_ACQUIRE
47 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_release __ATOMIC_RELEASE
48
49 /**
50 * __kcsan_mb - full memory barrier instrumentation
51 */
52 void __kcsan_mb(void);
53
54 /**
55 * __kcsan_wmb - write memory barrier instrumentation
56 */
57 void __kcsan_wmb(void);
58
59 /**
60 * __kcsan_rmb - read memory barrier instrumentation
61 */
62 void __kcsan_rmb(void);
63
64 /**
65 * __kcsan_release - release barrier instrumentation
66 */
67 void __kcsan_release(void);
68
69 /**
70 * kcsan_disable_current - disable KCSAN for the current context
71 *
72 * Supports nesting.
73 */
74 void kcsan_disable_current(void);
75
76 /**
77 * kcsan_enable_current - re-enable KCSAN for the current context
78 *
79 * Supports nesting.
80 */
81 void kcsan_enable_current(void);
82 void kcsan_enable_current_nowarn(void); /* Safe in uaccess regions. */
83
84 /**
85 * kcsan_nestable_atomic_begin - begin nestable atomic region
86 *
87 * Accesses within the atomic region may appear to race with other accesses but
88 * should be considered atomic.
89 */
90 void kcsan_nestable_atomic_begin(void);
91
92 /**
93 * kcsan_nestable_atomic_end - end nestable atomic region
94 */
95 void kcsan_nestable_atomic_end(void);
96
97 /**
98 * kcsan_flat_atomic_begin - begin flat atomic region
99 *
100 * Accesses within the atomic region may appear to race with other accesses but
101 * should be considered atomic.
102 */
103 void kcsan_flat_atomic_begin(void);
104
105 /**
106 * kcsan_flat_atomic_end - end flat atomic region
107 */
108 void kcsan_flat_atomic_end(void);
109
110 /**
111 * kcsan_atomic_next - consider following accesses as atomic
112 *
113 * Force treating the next n memory accesses for the current context as atomic
114 * operations.
115 *
116 * @n: number of following memory accesses to treat as atomic.
117 */
118 void kcsan_atomic_next(int n);
119
120 /**
121 * kcsan_set_access_mask - set access mask
122 *
123 * Set the access mask for all accesses for the current context if non-zero.
124 * Only value changes to bits set in the mask will be reported.
125 *
126 * @mask: bitmask
127 */
128 void kcsan_set_access_mask(unsigned long mask);
129
130 /* Scoped access information. */
131 struct kcsan_scoped_access {
132 union {
133 struct list_head list; /* scoped_accesses list */
134 /*
135 * Not an entry in scoped_accesses list; stack depth from where
136 * the access was initialized.
137 */
138 int stack_depth;
139 };
140
141 /* Access information. */
142 const volatile void *ptr;
143 size_t size;
144 int type;
145 /* Location where scoped access was set up. */
146 unsigned long ip;
147 };
148 /*
149 * Automatically call kcsan_end_scoped_access() when kcsan_scoped_access goes
150 * out of scope; relies on attribute "cleanup", which is supported by all
151 * compilers that support KCSAN.
152 */
153 #define __kcsan_cleanup_scoped \
154 __maybe_unused __attribute__((__cleanup__(kcsan_end_scoped_access)))
155
156 /**
157 * kcsan_begin_scoped_access - begin scoped access
158 *
159 * Begin scoped access and initialize @sa, which will cause KCSAN to
160 * continuously check the memory range in the current thread until
161 * kcsan_end_scoped_access() is called for @sa.
162 *
163 * Scoped accesses are implemented by appending @sa to an internal list for the
164 * current execution context, and then checked on every call into the KCSAN
165 * runtime.
166 *
167 * @ptr: address of access
168 * @size: size of access
169 * @type: access type modifier
170 * @sa: struct kcsan_scoped_access to use for the scope of the access
171 */
172 struct kcsan_scoped_access *
173 kcsan_begin_scoped_access(const volatile void *ptr, size_t size, int type,
174 struct kcsan_scoped_access *sa);
175
176 /**
177 * kcsan_end_scoped_access - end scoped access
178 *
179 * End a scoped access, which will stop KCSAN checking the memory range.
180 * Requires that kcsan_begin_scoped_access() was previously called once for @sa.
181 *
182 * @sa: a previously initialized struct kcsan_scoped_access
183 */
184 void kcsan_end_scoped_access(struct kcsan_scoped_access *sa);
185
186
187 #else /* CONFIG_KCSAN */
188
189 static inline void __kcsan_check_access(const volatile void *ptr, size_t size,
190 int type) { }
191
192 static inline void __kcsan_mb(void) { }
193 static inline void __kcsan_wmb(void) { }
194 static inline void __kcsan_rmb(void) { }
195 static inline void __kcsan_release(void) { }
196 static inline void kcsan_disable_current(void) { }
197 static inline void kcsan_enable_current(void) { }
198 static inline void kcsan_enable_current_nowarn(void) { }
199 static inline void kcsan_nestable_atomic_begin(void) { }
200 static inline void kcsan_nestable_atomic_end(void) { }
201 static inline void kcsan_flat_atomic_begin(void) { }
202 static inline void kcsan_flat_atomic_end(void) { }
203 static inline void kcsan_atomic_next(int n) { }
204 static inline void kcsan_set_access_mask(unsigned long mask) { }
205
206 struct kcsan_scoped_access { };
207 #define __kcsan_cleanup_scoped __maybe_unused
208 static inline struct kcsan_scoped_access *
209 kcsan_begin_scoped_access(const volatile void *ptr, size_t size, int type,
210 struct kcsan_scoped_access *sa) { return sa; }
211 static inline void kcsan_end_scoped_access(struct kcsan_scoped_access *sa) { }
212
213 #endif /* CONFIG_KCSAN */
214
215 #ifdef __SANITIZE_THREAD__
216 /*
217 * Only calls into the runtime when the particular compilation unit has KCSAN
218 * instrumentation enabled. May be used in header files.
219 */
220 #define kcsan_check_access __kcsan_check_access
221
222 /*
223 * Only use these to disable KCSAN for accesses in the current compilation unit;
224 * calls into libraries may still perform KCSAN checks.
225 */
226 #define __kcsan_disable_current kcsan_disable_current
227 #define __kcsan_enable_current kcsan_enable_current_nowarn
228 #else /* __SANITIZE_THREAD__ */
229 static inline void kcsan_check_access(const volatile void *ptr, size_t size,
230 int type) { }
231 static inline void __kcsan_enable_current(void) { }
232 static inline void __kcsan_disable_current(void) { }
233 #endif /* __SANITIZE_THREAD__ */
234
235 #if defined(CONFIG_KCSAN_WEAK_MEMORY) && defined(__SANITIZE_THREAD__)
236 /*
237 * Normal barrier instrumentation is not done via explicit calls, but by mapping
238 * to a repurposed __atomic_signal_fence(), which normally does not generate any
239 * real instructions, but is still intercepted by fsanitize=thread. This means,
240 * like any other compile-time instrumentation, barrier instrumentation can be
241 * disabled with the __no_kcsan function attribute.
242 *
243 * Also see definition of __tsan_atomic_signal_fence() in kernel/kcsan/core.c.
244 *
245 * These are all macros, like <asm/barrier.h>, since some architectures use them
246 * in non-static inline functions.
247 */
248 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE(name) \
249 do { \
250 barrier(); \
251 __atomic_signal_fence(__KCSAN_BARRIER_TO_SIGNAL_FENCE_##name); \
252 barrier(); \
253 } while (0)
254 #define kcsan_mb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(mb)
255 #define kcsan_wmb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(wmb)
256 #define kcsan_rmb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(rmb)
257 #define kcsan_release() __KCSAN_BARRIER_TO_SIGNAL_FENCE(release)
258 #elif defined(CONFIG_KCSAN_WEAK_MEMORY) && defined(__KCSAN_INSTRUMENT_BARRIERS__)
259 #define kcsan_mb __kcsan_mb
260 #define kcsan_wmb __kcsan_wmb
261 #define kcsan_rmb __kcsan_rmb
262 #define kcsan_release __kcsan_release
263 #else /* CONFIG_KCSAN_WEAK_MEMORY && ... */
264 #define kcsan_mb() do { } while (0)
265 #define kcsan_wmb() do { } while (0)
266 #define kcsan_rmb() do { } while (0)
267 #define kcsan_release() do { } while (0)
268 #endif /* CONFIG_KCSAN_WEAK_MEMORY && ... */
269
270 /**
271 * __kcsan_check_read - check regular read access for races
272 *
273 * @ptr: address of access
274 * @size: size of access
275 */
276 #define __kcsan_check_read(ptr, size) __kcsan_check_access(ptr, size, 0)
277
278 /**
279 * __kcsan_check_write - check regular write access for races
280 *
281 * @ptr: address of access
282 * @size: size of access
283 */
284 #define __kcsan_check_write(ptr, size) \
285 __kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
286
287 /**
288 * __kcsan_check_read_write - check regular read-write access for races
289 *
290 * @ptr: address of access
291 * @size: size of access
292 */
293 #define __kcsan_check_read_write(ptr, size) \
294 __kcsan_check_access(ptr, size, KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE)
295
296 /**
297 * kcsan_check_read - check regular read access for races
298 *
299 * @ptr: address of access
300 * @size: size of access
301 */
302 #define kcsan_check_read(ptr, size) kcsan_check_access(ptr, size, 0)
303
304 /**
305 * kcsan_check_write - check regular write access for races
306 *
307 * @ptr: address of access
308 * @size: size of access
309 */
310 #define kcsan_check_write(ptr, size) \
311 kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
312
313 /**
314 * kcsan_check_read_write - check regular read-write access for races
315 *
316 * @ptr: address of access
317 * @size: size of access
318 */
319 #define kcsan_check_read_write(ptr, size) \
320 kcsan_check_access(ptr, size, KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE)
321
322 /*
323 * Check for atomic accesses: if atomic accesses are not ignored, this simply
324 * aliases to kcsan_check_access(), otherwise becomes a no-op.
325 */
326 #ifdef CONFIG_KCSAN_IGNORE_ATOMICS
327 #define kcsan_check_atomic_read(...) do { } while (0)
328 #define kcsan_check_atomic_write(...) do { } while (0)
329 #define kcsan_check_atomic_read_write(...) do { } while (0)
330 #else
331 #define kcsan_check_atomic_read(ptr, size) \
332 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC)
333 #define kcsan_check_atomic_write(ptr, size) \
334 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
335 #define kcsan_check_atomic_read_write(ptr, size) \
336 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE | KCSAN_ACCESS_COMPOUND)
337 #endif
338
339 /**
340 * ASSERT_EXCLUSIVE_WRITER - assert no concurrent writes to @var
341 *
342 * Assert that there are no concurrent writes to @var; other readers are
343 * allowed. This assertion can be used to specify properties of concurrent code,
344 * where violation cannot be detected as a normal data race.
345 *
346 * For example, if we only have a single writer, but multiple concurrent
347 * readers, to avoid data races, all these accesses must be marked; even
348 * concurrent marked writes racing with the single writer are bugs.
349 * Unfortunately, due to being marked, they are no longer data races. For cases
350 * like these, we can use the macro as follows:
351 *
352 * .. code-block:: c
353 *
354 * void writer(void) {
355 * spin_lock(&update_foo_lock);
356 * ASSERT_EXCLUSIVE_WRITER(shared_foo);
357 * WRITE_ONCE(shared_foo, ...);
358 * spin_unlock(&update_foo_lock);
359 * }
360 * void reader(void) {
361 * // update_foo_lock does not need to be held!
362 * ... = READ_ONCE(shared_foo);
363 * }
364 *
365 * Note: ASSERT_EXCLUSIVE_WRITER_SCOPED(), if applicable, performs more thorough
366 * checking if a clear scope where no concurrent writes are expected exists.
367 *
368 * @var: variable to assert on
369 */
370 #define ASSERT_EXCLUSIVE_WRITER(var) \
371 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_ASSERT)
372
373 /*
374 * Helper macros for implementation of for ASSERT_EXCLUSIVE_*_SCOPED(). @id is
375 * expected to be unique for the scope in which instances of kcsan_scoped_access
376 * are declared.
377 */
378 #define __kcsan_scoped_name(c, suffix) __kcsan_scoped_##c##suffix
379 #define __ASSERT_EXCLUSIVE_SCOPED(var, type, id) \
380 struct kcsan_scoped_access __kcsan_scoped_name(id, _) \
381 __kcsan_cleanup_scoped; \
382 struct kcsan_scoped_access *__kcsan_scoped_name(id, _dummy_p) \
383 __maybe_unused = kcsan_begin_scoped_access( \
384 &(var), sizeof(var), KCSAN_ACCESS_SCOPED | (type), \
385 &__kcsan_scoped_name(id, _))
386
387 /**
388 * ASSERT_EXCLUSIVE_WRITER_SCOPED - assert no concurrent writes to @var in scope
389 *
390 * Scoped variant of ASSERT_EXCLUSIVE_WRITER().
391 *
392 * Assert that there are no concurrent writes to @var for the duration of the
393 * scope in which it is introduced. This provides a better way to fully cover
394 * the enclosing scope, compared to multiple ASSERT_EXCLUSIVE_WRITER(), and
395 * increases the likelihood for KCSAN to detect racing accesses.
396 *
397 * For example, it allows finding race-condition bugs that only occur due to
398 * state changes within the scope itself:
399 *
400 * .. code-block:: c
401 *
402 * void writer(void) {
403 * spin_lock(&update_foo_lock);
404 * {
405 * ASSERT_EXCLUSIVE_WRITER_SCOPED(shared_foo);
406 * WRITE_ONCE(shared_foo, 42);
407 * ...
408 * // shared_foo should still be 42 here!
409 * }
410 * spin_unlock(&update_foo_lock);
411 * }
412 * void buggy(void) {
413 * if (READ_ONCE(shared_foo) == 42)
414 * WRITE_ONCE(shared_foo, 1); // bug!
415 * }
416 *
417 * @var: variable to assert on
418 */
419 #define ASSERT_EXCLUSIVE_WRITER_SCOPED(var) \
420 __ASSERT_EXCLUSIVE_SCOPED(var, KCSAN_ACCESS_ASSERT, __COUNTER__)
421
422 /**
423 * ASSERT_EXCLUSIVE_ACCESS - assert no concurrent accesses to @var
424 *
425 * Assert that there are no concurrent accesses to @var (no readers nor
426 * writers). This assertion can be used to specify properties of concurrent
427 * code, where violation cannot be detected as a normal data race.
428 *
429 * For example, where exclusive access is expected after determining no other
430 * users of an object are left, but the object is not actually freed. We can
431 * check that this property actually holds as follows:
432 *
433 * .. code-block:: c
434 *
435 * if (refcount_dec_and_test(&obj->refcnt)) {
436 * ASSERT_EXCLUSIVE_ACCESS(*obj);
437 * do_some_cleanup(obj);
438 * release_for_reuse(obj);
439 * }
440 *
441 * Note:
442 *
443 * 1. ASSERT_EXCLUSIVE_ACCESS_SCOPED(), if applicable, performs more thorough
444 * checking if a clear scope where no concurrent accesses are expected exists.
445 *
446 * 2. For cases where the object is freed, `KASAN <kasan.html>`_ is a better
447 * fit to detect use-after-free bugs.
448 *
449 * @var: variable to assert on
450 */
451 #define ASSERT_EXCLUSIVE_ACCESS(var) \
452 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT)
453
454 /**
455 * ASSERT_EXCLUSIVE_ACCESS_SCOPED - assert no concurrent accesses to @var in scope
456 *
457 * Scoped variant of ASSERT_EXCLUSIVE_ACCESS().
458 *
459 * Assert that there are no concurrent accesses to @var (no readers nor writers)
460 * for the entire duration of the scope in which it is introduced. This provides
461 * a better way to fully cover the enclosing scope, compared to multiple
462 * ASSERT_EXCLUSIVE_ACCESS(), and increases the likelihood for KCSAN to detect
463 * racing accesses.
464 *
465 * @var: variable to assert on
466 */
467 #define ASSERT_EXCLUSIVE_ACCESS_SCOPED(var) \
468 __ASSERT_EXCLUSIVE_SCOPED(var, KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT, __COUNTER__)
469
470 /**
471 * ASSERT_EXCLUSIVE_BITS - assert no concurrent writes to subset of bits in @var
472 *
473 * Bit-granular variant of ASSERT_EXCLUSIVE_WRITER().
474 *
475 * Assert that there are no concurrent writes to a subset of bits in @var;
476 * concurrent readers are permitted. This assertion captures more detailed
477 * bit-level properties, compared to the other (word granularity) assertions.
478 * Only the bits set in @mask are checked for concurrent modifications, while
479 * ignoring the remaining bits, i.e. concurrent writes (or reads) to ~mask bits
480 * are ignored.
481 *
482 * Use this for variables, where some bits must not be modified concurrently,
483 * yet other bits are expected to be modified concurrently.
484 *
485 * For example, variables where, after initialization, some bits are read-only,
486 * but other bits may still be modified concurrently. A reader may wish to
487 * assert that this is true as follows:
488 *
489 * .. code-block:: c
490 *
491 * ASSERT_EXCLUSIVE_BITS(flags, READ_ONLY_MASK);
492 * foo = (READ_ONCE(flags) & READ_ONLY_MASK) >> READ_ONLY_SHIFT;
493 *
494 * Note: The access that immediately follows ASSERT_EXCLUSIVE_BITS() is assumed
495 * to access the masked bits only, and KCSAN optimistically assumes it is
496 * therefore safe, even in the presence of data races, and marking it with
497 * READ_ONCE() is optional from KCSAN's point-of-view. We caution, however, that
498 * it may still be advisable to do so, since we cannot reason about all compiler
499 * optimizations when it comes to bit manipulations (on the reader and writer
500 * side). If you are sure nothing can go wrong, we can write the above simply
501 * as:
502 *
503 * .. code-block:: c
504 *
505 * ASSERT_EXCLUSIVE_BITS(flags, READ_ONLY_MASK);
506 * foo = (flags & READ_ONLY_MASK) >> READ_ONLY_SHIFT;
507 *
508 * Another example, where this may be used, is when certain bits of @var may
509 * only be modified when holding the appropriate lock, but other bits may still
510 * be modified concurrently. Writers, where other bits may change concurrently,
511 * could use the assertion as follows:
512 *
513 * .. code-block:: c
514 *
515 * spin_lock(&foo_lock);
516 * ASSERT_EXCLUSIVE_BITS(flags, FOO_MASK);
517 * old_flags = flags;
518 * new_flags = (old_flags & ~FOO_MASK) | (new_foo << FOO_SHIFT);
519 * if (cmpxchg(&flags, old_flags, new_flags) != old_flags) { ... }
520 * spin_unlock(&foo_lock);
521 *
522 * @var: variable to assert on
523 * @mask: only check for modifications to bits set in @mask
524 */
525 #define ASSERT_EXCLUSIVE_BITS(var, mask) \
526 do { \
527 kcsan_set_access_mask(mask); \
528 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_ASSERT);\
529 kcsan_set_access_mask(0); \
530 kcsan_atomic_next(1); \
531 } while (0)
532
533 #endif /* _LINUX_KCSAN_CHECKS_H */
534
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.