Re: [PATCH] block: Annotate a racy read in blk_do_io_stat()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, May 10, 2024 at 01:30:03PM -0700, Bart Van Assche wrote:
> On 5/10/24 10:08 AM, Paul E. McKenney wrote:
> > To see that, consider a variable that is supposed to be accessed only
> > under a lock (aside from the debugging/statistical access).  Under RCU's
> > KCSAN rules, marking those debugging/statistical accesses with READ_ONCE()
> > would require all the updates to be marked with WRITE_ONCE().  Which would
> > prevent KCSAN from noticing a buggy lockless WRITE_ONCE() update of
> > that variable.
> > 
> > In contrast, if we use data_race() for the debugging/statistical accesses
> > and leave the normal lock-protected accesses unmarked (as normal
> > C-language accesses), then KCSAN will complain about buggy lockless
> > accesses, even if they are marked with READ_ONCE() or WRITE_ONCE().
> > 
> > Does that help, or am I missing your point?
> 
> Thanks, that's very helpful. Has it been considered to add this
> explanation as a comment above the data_race() macro definition?
> There may be other kernel developers who are wondering about when
> to use data_race() and when to use READ_ONCE().

Well, sometimes you need to use both!

Does the prototype patch below help?

(Also adding Marco on CC for his thoughts.)

							Thanx, Paul

------------------------------------------------------------------------

diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index c00cc6c0878a1..78593b40fe7e9 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -194,9 +194,18 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
  * This data_race() macro is useful for situations in which data races
  * should be forgiven.  One example is diagnostic code that accesses
  * shared variables but is not a part of the core synchronization design.
+ * For example, if accesses to a given variable are protected by a lock,
+ * except for diagnostic code, then the accesses under the lock should
+ * be plain C-language accesses and those in the diagnostic code should
+ * use data_race().  This way, KCSAN will complain if buggy lockless
+ * accesses to that variable are introduced, even if the buggy accesses
+ * are protected by READ_ONCE() or WRITE_ONCE().
+ *
+ * This macro *does not* affect normal code generation, but is a hint to
+ * tooling that data races here are to be ignored.  If code generation must
+ * be protected *and* KCSAN should ignore the access, use both data_race()
+ * and READ_ONCE(), for example, data_race(READ_ONCE(x)).
  *
- * This macro *does not* affect normal code generation, but is a hint
- * to tooling that data races here are to be ignored.
  */
 #define data_race(expr)							\
 ({									\
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux