Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp2995073lqo; Tue, 14 May 2024 16:47:43 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVvJxV7RBl3cy064P2aP/NE72RJj+5yqMkuRMPwUFX9bTfj13MJGmfg/j6AXWAhlHqIXEcVfPon2ACj5RqW6qVJn37dGcleMaiJxhVkcw== X-Google-Smtp-Source: AGHT+IE4nDe6OnaY5TYbqyhAbNyioNrPuvZ+BthjgeAMpyHwaoY3WARfR7jREbEPezmOrFveWPad X-Received: by 2002:a17:903:183:b0:1e0:c37d:cfcb with SMTP id d9443c01a7336-1ef4404a1c4mr203058595ad.49.1715730463561; Tue, 14 May 2024 16:47:43 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715730463; cv=pass; d=google.com; s=arc-20160816; b=qc+YI04vxrDZ+AE+RUJ6+VKkhgoQk+9k6YJfqU2fPHmCW/1HVhlT54kx/QOmfVbFDz 8DVFrb5iwg4lIVJpKHG/CmcPkeXe9IhT1EZ+K5zAQyC/RDsCGHf1atauIJ8xNazrvAd6 a5MS11hbDQmv2hSl5Vm1jdVQF5vuao8j4RWv9yR3qaUvPPj+aA3c3/RLqKAc5a8mZNEV ENPq3jT7sf/gcvCz91TdlW8R18Ucc23fccWrY9LS8S9zyxAgUpABpJ0xIxzW7vLbKOHK tisxohvPeBgSiULhrqgHMnVs8a8YR/kqLvKDT5IM8GIIk2wYPIgBOsg8jPJo+i/288xn 1G8w== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:reply-to:message-id :subject:cc:to:from:date:dkim-signature; bh=UxCZ6ifLu422NJepJrpsGMXxGcGIAzdxTz+nsRRnwuI=; fh=geeHGWzaZWX1ulQSwzfD/QqY6q7T1geIMMpKSDUZUzQ=; b=Lf37tgUYA+qzYoNLRKttKIXi0M+QgHbKM0Pt7i/Y7b9pr0obtmsF3rr8vX4PVyqNK/ gzLRTe103/MLec7NbWyvYgP/zxHX0SGdKCmZ6w62zAbsNDFshK0Q4mN4sF/seCdKMEif dAk3tw2CQJbcWoYCkbw3RtdTp2RpbInWapsXG1zO7rNj5GMWzxHBER4T0mWtJuLTKte2 lIMgUJQwSoR8ItIrLYaBjoX518U1QReq+qLYZRuC6VfZs5exvvro51RUiKo3Gpz7bKYe n/Bzb0NVQJ9uhxinwgW0GQMjVePv9v4hmKNiGLq/AIeVen/wfd3rc08wTIkGqkTXujM/ F+9w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="fEqx0/Ld"; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-179267-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179267-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id d9443c01a7336-1ef0bad5a16si114049105ad.169.2024.05.14.16.47.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 May 2024 16:47:43 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-179267-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="fEqx0/Ld"; arc=pass (i=1 dkim=pass dkdomain=kernel.org); spf=pass (google.com: domain of linux-kernel+bounces-179267-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-179267-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id C2982B2155D for ; Tue, 14 May 2024 23:47:37 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 11062182CAA; Tue, 14 May 2024 23:47:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="fEqx0/Ld" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0EEB81E491; Tue, 14 May 2024 23:47:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715730447; cv=none; b=JgG5IZ4svv61c2hDDwq4FsTPp0S4jmk8DwsShHWXQuZ3cN6RGxqQde25V6s8dwG1Id+2r1ij8hSQQD4m+r1NAqHfRsaRJFrlKoHjIk42fdghxHyR3dRWnMlSHudZ1UH/7qOtUc3vtl7qm71L2K33j6gBWNG5ROILI0LimzLxb10= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715730447; c=relaxed/simple; bh=o4JgtoyEfkU/Yd1SUDt14xVTJSlfqvyOqiOw5VQG7/0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=OdoFuJoTSdGBJ4tABYYFyLTwKtXcFsy59uwgreSnFx00S70DPvDW24Bq5wgIrIsnzhOOLfkSN8dSV4f8Y5YnWDirgtiGWTdn3Jr4Z1XRYUhouPS0hhhlaDh8jYKxfne+Tu/Z/6EcKJYkEYhiDpcxYIiGDIWNHdUTRCNXx8KGBps= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=fEqx0/Ld; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 54F3DC2BD10; Tue, 14 May 2024 23:47:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1715730446; bh=o4JgtoyEfkU/Yd1SUDt14xVTJSlfqvyOqiOw5VQG7/0=; h=Date:From:To:Cc:Subject:Reply-To:References:In-Reply-To:From; b=fEqx0/Ld3CgEOSgmJ7Z6qkwX8v/vX6lnyWZSCIIzlxyXFWuljqPLYD6qhFEAhPw1D Lb8veeJshWrPcMZhGi7y++JT0PJiHHGwHL0WpxXht1onot6zQhqfKZhbItKiN+Ztyx oXnKJeN3kFfWHr5P1Cionpx7K0YA1ODVUJVPVDfIVMvYtPvqvpe+9YUlDVpn4PSiSa SsZaB4WPE6++/usvGoe/bOk6iM6XYlXn7dmsxupmypl4QjqURd9b3M1cMIH/vI9OLA 7Bz3FZxx1ly1+qv0tzlPg43i3COuwbWnvB9v3yehxEelsUa0vBzKCYEV3V3VvJmnuZ GeZ7/XwTuNw9w== Received: by paulmck-ThinkPad-P17-Gen-1.home (Postfix, from userid 1000) id B82F0CE0481; Tue, 14 May 2024 16:47:20 -0700 (PDT) Date: Tue, 14 May 2024 16:47:20 -0700 From: "Paul E. McKenney" To: Marco Elver Cc: Bart Van Assche , Breno Leitao , Jens Axboe , "open list:BLOCK LAYER" , open list Subject: Re: [PATCH] block: Annotate a racy read in blk_do_io_stat() Message-ID: Reply-To: paulmck@kernel.org References: <20240510141921.883231-1-leitao@debian.org> <4d230bac-bdb0-4a01-8006-e95156965aa8@acm.org> <447ad732-3ff8-40bf-bd82-f7be66899cee@paulmck-laptop> <59ec96c2-52ce-4da1-92c3-9fe38053cd3d@paulmck-laptop> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Mon, May 13, 2024 at 10:13:49AM +0200, Marco Elver wrote: > On Sat, 11 May 2024 at 02:41, Paul E. McKenney wrote: > [...] > > ------------------------------------------------------------------------ > > > > commit 930cb5f711443d8044e88080ee21b0a5edda33bd > > Author: Paul E. McKenney > > Date: Fri May 10 15:36:57 2024 -0700 > > > > kcsan: Add example to data_race() kerneldoc header > > > > Although the data_race() kerneldoc header accurately states what it does, > > some of the implications and usage patterns are non-obvious. Therefore, > > add a brief locking example and also state how to have KCSAN ignore > > accesses while also preventing the compiler from folding, spindling, > > or otherwise mutilating the access. > > > > [ paulmck: Apply Bart Van Assche feedback. ] > > > > Reported-by: Bart Van Assche > > Signed-off-by: Paul E. McKenney > > Cc: Marco Elver > > Cc: Breno Leitao > > Cc: Jens Axboe > > > > diff --git a/include/linux/compiler.h b/include/linux/compiler.h > > index c00cc6c0878a1..9249768ec7a26 100644 > > --- a/include/linux/compiler.h > > +++ b/include/linux/compiler.h > > @@ -194,9 +194,17 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val, > > * This data_race() macro is useful for situations in which data races > > * should be forgiven. One example is diagnostic code that accesses > > * shared variables but is not a part of the core synchronization design. > > + * For example, if accesses to a given variable are protected by a lock, > > + * except for diagnostic code, then the accesses under the lock should > > + * be plain C-language accesses and those in the diagnostic code should > > + * use data_race(). This way, KCSAN will complain if buggy lockless > > + * accesses to that variable are introduced, even if the buggy accesses > > + * are protected by READ_ONCE() or WRITE_ONCE(). > > * > > - * This macro *does not* affect normal code generation, but is a hint > > - * to tooling that data races here are to be ignored. > > + * This macro *does not* affect normal code generation, but is a hint to > > + * tooling that data races here are to be ignored. If code generation must > > + * be protected *and* KCSAN should ignore the access, use both data_race() > > "code generation must be protected" seems ambiguous, because > protecting code generation could mean a lot of different things to > different people. > > The more precise thing would be to write that "If the access must be > atomic *and* KCSAN should ignore the access, use both ...". Good point, and I took your wording, thank you. > I've also had trouble in the past referring to "miscompilation" or > similar, because that also entirely depends on the promised vs. > expected semantics: if the code in question assumes for the access to > be atomic, the compiler compiling the code in a way that the access is > no longer atomic would be a "miscompilation". Although is it still a > "miscompilation" if the compiler generated code according to specified > language semantics (say according to our own LKMM) - and that's where > opinions can diverge because it depends on which side we stand > (compiler vs. our code). Agreed, use of words like "miscompilation" can annoy people. What word would you suggest using instead? > > + * and READ_ONCE(), for example, data_race(READ_ONCE(x)). > > Having more documentation sounds good to me, thanks for adding! > > This extra bit of documentation also exists in a longer form in > access-marking.txt, correct? I wonder how it would be possible to > refer to it, in case the reader wants to learn even more. Good point, especially given that I had forgotten about it. I don't have any immediate ideas for calling attention to this file, but would the following update be helpful? Thanx, Paul ------------------------------------------------------------------------ diff --git a/tools/memory-model/Documentation/access-marking.txt b/tools/memory-model/Documentation/access-marking.txt index 65778222183e3..690dd59b7ac59 100644 --- a/tools/memory-model/Documentation/access-marking.txt +++ b/tools/memory-model/Documentation/access-marking.txt @@ -24,6 +24,12 @@ The Linux kernel provides the following access-marking options: 4. WRITE_ONCE(), for example, "WRITE_ONCE(a, b);" The various forms of atomic_set() also fit in here. +5. ASSERT_EXCLUSIVE_ACCESS() and ASSERT_EXCLUSIVE_WRITER(). + +6. The volatile keyword, for example, "int volatile a;" + +7. __data_racy, for example "int __data_racy a;" + These may be used in combination, as shown in this admittedly improbable example: @@ -205,6 +211,27 @@ because doing otherwise prevents KCSAN from detecting violations of your code's synchronization rules. +Use of volatile and __data_racy +------------------------------- + +Adding the volatile keyword to the declaration of a variable causes both +the compiler and KCSAN to treat all reads from that variable as if they +were protected by READ_ONCE() and all writes to that variable as if they +were protected by WRITE_ONCE(). + +Adding the __data_racy type qualifier to the declaration of a variable +causes KCSAN to treat all accesses to that variable as if they were +enclosed by data_race(). However, __data_racy does not affect the +compiler, though one could imagine hardened kernel builds treating the +__data_racy type qualifier as if it was the volatile keyword. + +Note well that __data_racy is subject to the same pointer-declaration +rules as is the volatile keyword. For example: + + int __data_racy *p; // Pointer to data-racy data. + int *__data_racy p; // Data-racy pointer to non-data-racy data. + + ACCESS-DOCUMENTATION OPTIONS ============================ @@ -342,7 +369,7 @@ as follows: Because foo is read locklessly, all accesses are marked. The purpose of the ASSERT_EXCLUSIVE_WRITER() is to allow KCSAN to check for a buggy -concurrent lockless write. +concurrent write, whether marked or not. Lock-Protected Writes With Heuristic Lockless Reads