2019-11-14 18:02:54 +00:00
|
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
|
|
|
config HAVE_ARCH_KCSAN
|
|
|
|
bool
|
|
|
|
|
|
|
|
menuconfig KCSAN
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 15:46:24 +00:00
|
|
|
bool "KCSAN: dynamic race detector"
|
2020-02-04 17:21:12 +00:00
|
|
|
depends on HAVE_ARCH_KCSAN && DEBUG_KERNEL && !KASAN
|
|
|
|
select STACKTRACE
|
2019-11-14 18:02:54 +00:00
|
|
|
help
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 15:46:24 +00:00
|
|
|
The Kernel Concurrency Sanitizer (KCSAN) is a dynamic race detector,
|
|
|
|
which relies on compile-time instrumentation, and uses a
|
|
|
|
watchpoint-based sampling approach to detect races.
|
|
|
|
|
|
|
|
KCSAN's primary purpose is to detect data races. KCSAN can also be
|
|
|
|
used to check properties, with the help of provided assertions, of
|
|
|
|
concurrent code where bugs do not manifest as data races.
|
2020-02-04 17:21:12 +00:00
|
|
|
|
|
|
|
See <file:Documentation/dev-tools/kcsan.rst> for more details.
|
2019-11-14 18:02:54 +00:00
|
|
|
|
|
|
|
if KCSAN
|
|
|
|
|
2020-02-21 23:10:27 +00:00
|
|
|
config KCSAN_VERBOSE
|
|
|
|
bool "Show verbose reports with more information about system state"
|
|
|
|
depends on PROVE_LOCKING
|
|
|
|
help
|
|
|
|
If enabled, reports show more information about the system state that
|
|
|
|
may help better analyze and debug races. This includes held locks and
|
|
|
|
IRQ trace events.
|
|
|
|
|
|
|
|
While this option should generally be benign, we call into more
|
|
|
|
external functions on report generation; if a race report is
|
|
|
|
generated from any one of them, system stability may suffer due to
|
|
|
|
deadlocks or recursion. If in doubt, say N.
|
|
|
|
|
2019-11-14 18:02:54 +00:00
|
|
|
config KCSAN_DEBUG
|
|
|
|
bool "Debugging of KCSAN internals"
|
|
|
|
|
|
|
|
config KCSAN_SELFTEST
|
|
|
|
bool "Perform short selftests on boot"
|
|
|
|
default y
|
|
|
|
help
|
2019-11-20 09:41:43 +00:00
|
|
|
Run KCSAN selftests on boot. On test failure, causes the kernel to panic.
|
2019-11-14 18:02:54 +00:00
|
|
|
|
|
|
|
config KCSAN_EARLY_ENABLE
|
|
|
|
bool "Early enable during boot"
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
If KCSAN should be enabled globally as soon as possible. KCSAN can
|
|
|
|
later be enabled/disabled via debugfs.
|
|
|
|
|
|
|
|
config KCSAN_NUM_WATCHPOINTS
|
|
|
|
int "Number of available watchpoints"
|
|
|
|
default 64
|
|
|
|
help
|
|
|
|
Total number of available watchpoints. An address range maps into a
|
|
|
|
specific watchpoint slot as specified in kernel/kcsan/encoding.h.
|
|
|
|
Although larger number of watchpoints may not be usable due to
|
|
|
|
limited number of CPUs, a larger value helps to improve performance
|
|
|
|
due to reducing cache-line contention. The chosen default is a
|
|
|
|
conservative value; we should almost never observe "no_capacity"
|
|
|
|
events (see /sys/kernel/debug/kcsan).
|
|
|
|
|
|
|
|
config KCSAN_UDELAY_TASK
|
|
|
|
int "Delay in microseconds (for tasks)"
|
|
|
|
default 80
|
|
|
|
help
|
|
|
|
For tasks, the microsecond delay after setting up a watchpoint.
|
|
|
|
|
|
|
|
config KCSAN_UDELAY_INTERRUPT
|
|
|
|
int "Delay in microseconds (for interrupts)"
|
|
|
|
default 20
|
|
|
|
help
|
|
|
|
For interrupts, the microsecond delay after setting up a watchpoint.
|
|
|
|
Interrupts have tighter latency requirements, and their delay should
|
|
|
|
be lower than for tasks.
|
|
|
|
|
|
|
|
config KCSAN_DELAY_RANDOMIZE
|
|
|
|
bool "Randomize above delays"
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
If delays should be randomized, where the maximum is KCSAN_UDELAY_*.
|
2019-11-20 09:41:43 +00:00
|
|
|
If false, the chosen delays are always the KCSAN_UDELAY_* values
|
|
|
|
as defined above.
|
2019-11-14 18:02:54 +00:00
|
|
|
|
|
|
|
config KCSAN_SKIP_WATCH
|
|
|
|
int "Skip instructions before setting up watchpoint"
|
|
|
|
default 4000
|
|
|
|
help
|
|
|
|
The number of per-CPU memory operations to skip, before another
|
|
|
|
watchpoint is set up, i.e. one in KCSAN_WATCH_SKIP per-CPU
|
|
|
|
memory operations are used to set up a watchpoint. A smaller value
|
|
|
|
results in more aggressive race detection, whereas a larger value
|
|
|
|
improves system performance at the cost of missing some races.
|
|
|
|
|
|
|
|
config KCSAN_SKIP_WATCH_RANDOMIZE
|
|
|
|
bool "Randomize watchpoint instruction skip count"
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
If instruction skip count should be randomized, where the maximum is
|
|
|
|
KCSAN_WATCH_SKIP. If false, the chosen value is always
|
|
|
|
KCSAN_WATCH_SKIP.
|
|
|
|
|
2020-02-21 22:02:09 +00:00
|
|
|
config KCSAN_INTERRUPT_WATCHER
|
|
|
|
bool "Interruptible watchers"
|
|
|
|
help
|
|
|
|
If enabled, a task that set up a watchpoint may be interrupted while
|
|
|
|
delayed. This option will allow KCSAN to detect races between
|
|
|
|
interrupted tasks and other threads of execution on the same CPU.
|
|
|
|
|
|
|
|
Currently disabled by default, because not all safe per-CPU access
|
|
|
|
primitives and patterns may be accounted for, and therefore could
|
|
|
|
result in false positives.
|
|
|
|
|
2020-01-10 18:48:34 +00:00
|
|
|
config KCSAN_REPORT_ONCE_IN_MS
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 15:46:24 +00:00
|
|
|
int "Duration in milliseconds, in which any given race is only reported once"
|
2020-01-10 18:48:34 +00:00
|
|
|
default 3000
|
|
|
|
help
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 15:46:24 +00:00
|
|
|
Any given race is only reported once in the defined time window.
|
|
|
|
Different races may still generate reports within a duration that is
|
|
|
|
smaller than the duration defined here. This allows rate limiting
|
|
|
|
reporting to avoid flooding the console with reports. Setting this
|
|
|
|
to 0 disables rate limiting.
|
2020-01-10 18:48:34 +00:00
|
|
|
|
2020-02-04 17:21:10 +00:00
|
|
|
# The main purpose of the below options is to control reported data races (e.g.
|
|
|
|
# in fuzzer configs), and are not expected to be switched frequently by other
|
|
|
|
# users. We could turn some of them into boot parameters, but given they should
|
|
|
|
# not be switched normally, let's keep them here to simplify configuration.
|
|
|
|
#
|
|
|
|
# The defaults below are chosen to be very conservative, and may miss certain
|
|
|
|
# bugs.
|
2019-11-14 18:02:54 +00:00
|
|
|
|
|
|
|
config KCSAN_REPORT_RACE_UNKNOWN_ORIGIN
|
|
|
|
bool "Report races of unknown origin"
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
If KCSAN should report races where only one access is known, and the
|
|
|
|
conflicting access is of unknown origin. This type of race is
|
|
|
|
reported if it was only possible to infer a race due to a data value
|
|
|
|
change while an access is being delayed on a watchpoint.
|
|
|
|
|
|
|
|
config KCSAN_REPORT_VALUE_CHANGE_ONLY
|
|
|
|
bool "Only report races where watcher observed a data value change"
|
|
|
|
default y
|
|
|
|
help
|
2019-11-20 09:41:43 +00:00
|
|
|
If enabled and a conflicting write is observed via a watchpoint, but
|
2019-11-14 18:02:54 +00:00
|
|
|
the data value of the memory location was observed to remain
|
|
|
|
unchanged, do not report the data race.
|
|
|
|
|
2020-02-04 17:21:10 +00:00
|
|
|
config KCSAN_ASSUME_PLAIN_WRITES_ATOMIC
|
|
|
|
bool "Assume that plain aligned writes up to word size are atomic"
|
|
|
|
default y
|
|
|
|
help
|
|
|
|
Assume that plain aligned writes up to word size are atomic by
|
|
|
|
default, and also not subject to other unsafe compiler optimizations
|
|
|
|
resulting in data races. This will cause KCSAN to not report data
|
|
|
|
races due to conflicts where the only plain accesses are aligned
|
|
|
|
writes up to word size: conflicts between marked reads and plain
|
|
|
|
aligned writes up to word size will not be reported as data races;
|
|
|
|
notice that data races between two conflicting plain aligned writes
|
|
|
|
will also not be reported.
|
|
|
|
|
2019-11-14 18:02:54 +00:00
|
|
|
config KCSAN_IGNORE_ATOMICS
|
|
|
|
bool "Do not instrument marked atomic accesses"
|
|
|
|
help
|
2020-02-04 17:21:11 +00:00
|
|
|
Never instrument marked atomic accesses. This option can be used for
|
|
|
|
additional filtering. Conflicting marked atomic reads and plain
|
|
|
|
writes will never be reported as a data race, however, will cause
|
|
|
|
plain reads and marked writes to result in "unknown origin" reports.
|
|
|
|
If combined with CONFIG_KCSAN_REPORT_RACE_UNKNOWN_ORIGIN=n, data
|
|
|
|
races where at least one access is marked atomic will never be
|
|
|
|
reported.
|
|
|
|
|
|
|
|
Similar to KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, but including unaligned
|
|
|
|
accesses, conflicting marked atomic reads and plain writes will not
|
|
|
|
be reported as data races; however, unlike that option, data races
|
|
|
|
due to two conflicting plain writes will be reported (aligned and
|
|
|
|
unaligned, if CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n).
|
2019-11-14 18:02:54 +00:00
|
|
|
|
|
|
|
endif # KCSAN
|