2019-11-14 19:02:54 +01:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 */
|
|
|
|
|
|
|
|
|
|
#ifndef _LINUX_KCSAN_CHECKS_H
|
|
|
|
|
#define _LINUX_KCSAN_CHECKS_H
|
|
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
|
|
|
|
|
/*
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* ACCESS TYPE MODIFIERS
|
|
|
|
|
*
|
|
|
|
|
* <none>: normal read access;
|
|
|
|
|
* WRITE : write access;
|
|
|
|
|
* ATOMIC: access is atomic;
|
|
|
|
|
* ASSERT: access is not a regular access, but an assertion;
|
2019-11-14 19:02:54 +01:00
|
|
|
*/
|
2019-11-20 10:41:43 +01:00
|
|
|
#define KCSAN_ACCESS_WRITE 0x1
|
2019-11-14 19:02:54 +01:00
|
|
|
#define KCSAN_ACCESS_ATOMIC 0x2
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
#define KCSAN_ACCESS_ASSERT 0x4
|
2019-11-14 19:02:54 +01:00
|
|
|
|
|
|
|
|
/*
|
2019-11-20 10:41:43 +01:00
|
|
|
* __kcsan_*: Always calls into the runtime when KCSAN is enabled. This may be used
|
2019-11-14 19:02:54 +01:00
|
|
|
* even in compilation units that selectively disable KCSAN, but must use KCSAN
|
2019-11-20 10:41:43 +01:00
|
|
|
* to validate access to an address. Never use these in header files!
|
2019-11-14 19:02:54 +01:00
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_KCSAN
|
|
|
|
|
/**
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* __kcsan_check_access - check generic access for races
|
2019-11-14 19:02:54 +01:00
|
|
|
*
|
|
|
|
|
* @ptr address of access
|
|
|
|
|
* @size size of access
|
|
|
|
|
* @type access type modifier
|
|
|
|
|
*/
|
|
|
|
|
void __kcsan_check_access(const volatile void *ptr, size_t size, int type);
|
|
|
|
|
|
|
|
|
|
#else
|
|
|
|
|
static inline void __kcsan_check_access(const volatile void *ptr, size_t size,
|
|
|
|
|
int type) { }
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
2019-11-20 10:41:43 +01:00
|
|
|
* kcsan_*: Only calls into the runtime when the particular compilation unit has
|
2019-11-14 19:02:54 +01:00
|
|
|
* KCSAN instrumentation enabled. May be used in header files.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef __SANITIZE_THREAD__
|
|
|
|
|
#define kcsan_check_access __kcsan_check_access
|
|
|
|
|
#else
|
|
|
|
|
static inline void kcsan_check_access(const volatile void *ptr, size_t size,
|
|
|
|
|
int type) { }
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/**
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* __kcsan_check_read - check regular read access for races
|
2019-11-14 19:02:54 +01:00
|
|
|
*
|
|
|
|
|
* @ptr address of access
|
|
|
|
|
* @size size of access
|
|
|
|
|
*/
|
|
|
|
|
#define __kcsan_check_read(ptr, size) __kcsan_check_access(ptr, size, 0)
|
|
|
|
|
|
|
|
|
|
/**
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* __kcsan_check_write - check regular write access for races
|
2019-11-14 19:02:54 +01:00
|
|
|
*
|
|
|
|
|
* @ptr address of access
|
|
|
|
|
* @size size of access
|
|
|
|
|
*/
|
|
|
|
|
#define __kcsan_check_write(ptr, size) \
|
|
|
|
|
__kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
|
|
|
|
|
|
|
|
|
|
/**
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* kcsan_check_read - check regular read access for races
|
2019-11-14 19:02:54 +01:00
|
|
|
*
|
|
|
|
|
* @ptr address of access
|
|
|
|
|
* @size size of access
|
|
|
|
|
*/
|
|
|
|
|
#define kcsan_check_read(ptr, size) kcsan_check_access(ptr, size, 0)
|
|
|
|
|
|
|
|
|
|
/**
|
kcsan: Introduce KCSAN_ACCESS_ASSERT access type
The KCSAN_ACCESS_ASSERT access type may be used to introduce dummy reads
and writes to assert certain properties of concurrent code, where bugs
could not be detected as normal data races.
For example, a variable that is only meant to be written by a single
CPU, but may be read (without locking) by other CPUs must still be
marked properly to avoid data races. However, concurrent writes,
regardless if WRITE_ONCE() or not, would be a bug. Using
kcsan_check_access(&x, sizeof(x), KCSAN_ACCESS_ASSERT) would allow
catching such bugs.
To support KCSAN_ACCESS_ASSERT the following notable changes were made:
* If an access is of type KCSAN_ASSERT_ACCESS, disable various filters
that only apply to data races, so that all races that KCSAN observes are
reported.
* Bug reports that involve an ASSERT access type will be reported as
"KCSAN: assert: race in ..." instead of "data-race"; this will help
more easily distinguish them.
* Update a few comments to just mention 'races' where we do not always
mean pure data races.
Signed-off-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2020-02-06 16:46:24 +01:00
|
|
|
* kcsan_check_write - check regular write access for races
|
2019-11-14 19:02:54 +01:00
|
|
|
*
|
|
|
|
|
* @ptr address of access
|
|
|
|
|
* @size size of access
|
|
|
|
|
*/
|
|
|
|
|
#define kcsan_check_write(ptr, size) \
|
|
|
|
|
kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE)
|
|
|
|
|
|
|
|
|
|
/*
|
2019-11-20 10:41:43 +01:00
|
|
|
* Check for atomic accesses: if atomic accesses are not ignored, this simply
|
|
|
|
|
* aliases to kcsan_check_access(), otherwise becomes a no-op.
|
2019-11-14 19:02:54 +01:00
|
|
|
*/
|
|
|
|
|
#ifdef CONFIG_KCSAN_IGNORE_ATOMICS
|
2019-11-20 10:41:43 +01:00
|
|
|
#define kcsan_check_atomic_read(...) do { } while (0)
|
|
|
|
|
#define kcsan_check_atomic_write(...) do { } while (0)
|
2019-11-14 19:02:54 +01:00
|
|
|
#else
|
|
|
|
|
#define kcsan_check_atomic_read(ptr, size) \
|
|
|
|
|
kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC)
|
|
|
|
|
#define kcsan_check_atomic_write(ptr, size) \
|
|
|
|
|
kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE)
|
|
|
|
|
#endif
|
|
|
|
|
|
2020-02-06 16:46:25 +01:00
|
|
|
/**
|
|
|
|
|
* ASSERT_EXCLUSIVE_WRITER - assert no other threads are writing @var
|
|
|
|
|
*
|
|
|
|
|
* Assert that there are no other threads writing @var; other readers are
|
|
|
|
|
* allowed. This assertion can be used to specify properties of concurrent code,
|
|
|
|
|
* where violation cannot be detected as a normal data race.
|
|
|
|
|
*
|
|
|
|
|
* For example, if a per-CPU variable is only meant to be written by a single
|
|
|
|
|
* CPU, but may be read from other CPUs; in this case, reads and writes must be
|
|
|
|
|
* marked properly, however, if an off-CPU WRITE_ONCE() races with the owning
|
|
|
|
|
* CPU's WRITE_ONCE(), would not constitute a data race but could be a harmful
|
|
|
|
|
* race condition. Using this macro allows specifying this property in the code
|
|
|
|
|
* and catch such bugs.
|
|
|
|
|
*
|
|
|
|
|
* @var variable to assert on
|
|
|
|
|
*/
|
|
|
|
|
#define ASSERT_EXCLUSIVE_WRITER(var) \
|
|
|
|
|
__kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_ASSERT)
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* ASSERT_EXCLUSIVE_ACCESS - assert no other threads are accessing @var
|
|
|
|
|
*
|
|
|
|
|
* Assert that no other thread is accessing @var (no readers nor writers). This
|
|
|
|
|
* assertion can be used to specify properties of concurrent code, where
|
|
|
|
|
* violation cannot be detected as a normal data race.
|
|
|
|
|
*
|
|
|
|
|
* For example, in a reference-counting algorithm where exclusive access is
|
|
|
|
|
* expected after the refcount reaches 0. We can check that this property
|
|
|
|
|
* actually holds as follows:
|
|
|
|
|
*
|
|
|
|
|
* if (refcount_dec_and_test(&obj->refcnt)) {
|
|
|
|
|
* ASSERT_EXCLUSIVE_ACCESS(*obj);
|
|
|
|
|
* safely_dispose_of(obj);
|
|
|
|
|
* }
|
|
|
|
|
*
|
|
|
|
|
* @var variable to assert on
|
|
|
|
|
*/
|
|
|
|
|
#define ASSERT_EXCLUSIVE_ACCESS(var) \
|
|
|
|
|
__kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT)
|
|
|
|
|
|
2019-11-14 19:02:54 +01:00
|
|
|
#endif /* _LINUX_KCSAN_CHECKS_H */
|