[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHk-=wjodfXqd9=iW=ziFrfY7xqopgO3Ko_HrAUp-kUQHHyyqg@mail.gmail.com>
Date: Fri, 8 Nov 2019 10:40:32 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Marco Elver <elver@...gle.com>
Cc: Eric Dumazet <edumazet@...gle.com>,
Eric Dumazet <eric.dumazet@...il.com>,
syzbot <syzbot+3ef049d50587836c0606@...kaller.appspotmail.com>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Al Viro <viro@...iv.linux.org.uk>,
Alan Stern <stern@...land.harvard.edu>,
Andrea Parri <parri.andrea@...il.com>,
"Paul E. McKenney" <paulmck@...nel.org>,
LKMM Maintainers -- Akira Yokosawa <akiyks@...il.com>
Subject: Re: KCSAN: data-race in __alloc_file / __alloc_file
On Fri, Nov 8, 2019 at 10:16 AM Marco Elver <elver@...gle.com> wrote:
>
> KCSAN does not use volatile to distinguish accesses. Right now
> READ_ONCE, WRITE_ONCE, atomic bitops, atomic_t (+ some arch specific
> primitives) are treated as marked atomic operations.
Ok, so we'd have to do this in terms of ATOMIC_WRITE().
One alternative might be KCSAN enhancement, where you notice the
following pattern:
- a field is initialized before the data structure gets exposed (I
presume KCSAN already must understand about this issue -
initializations are different and not atomic)
- while the field is live, there are operations that write the same
(let's call it "idempotent") value to the field under certain
circumstances
- at release time, after all the reference counts are gone, the field
is read for whether that situation happened. I'm assuming KCSAN
already understands about this case too?
So it would only be the "idempotent writes" thing that would be
something KCSAN would have to realize do not involve a race - because
it simply doesn't matter if two writes of the same value race against
each other.
But I guess we could also just do
#define WRITE_IDEMPOTENT(x,y) WRITE_ONCE(x,y)
and use that in the kernel to annotate these things. And if we have
that kind of annotation, we could then possibly change it to
#define WRITE_IDEMPOTENT(x,y) \
if READ_ONCE(x)!=y WRITE_ONCE(x,y)
if we have numbers that that actually helps (that macro written to be
intentionally invalid C - it obviously needs statement protection and
protection against evaluating the arguments multiple times etc).
Linus
Powered by blists - more mailing lists