From: Eric Dumazet <edumazet@google.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>,
Marco Elver <elver@google.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
syzbot <syzbot+3ef049d50587836c0606@syzkaller.appspotmail.com>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Andrea Parri <parri.andrea@gmail.com>,
"Paul E. McKenney" <paulmck@kernel.org>,
LKMM Maintainers -- Akira Yokosawa <akiyks@gmail.com>
Subject: Re: KCSAN: data-race in __alloc_file / __alloc_file
Date: Mon, 11 Nov 2019 09:52:41 -0800
Message-ID: <CANn89i+OBZOq-q4GWAxKVRau6nHYMo3v4y-c1vUb_O8nvra1RQ@mail.gmail.com>
In-Reply-To: <CAHk-=wjp6yR-gBNYXPzrHQHq+wX_t6WfwrF_S3EEUq9ccz3vng@mail.gmail.com>

On Mon, Nov 11, 2019 at 8:51 AM Linus Torvalds
<torvalds@linux-foundation.org> wrote:
>
> On Mon, Nov 11, 2019 at 7:51 AM Alan Stern <stern@rowland.harvard.edu> wrote:
> >
> > I dislike the explicit annotation approach, because it shifts the
> > burden of proving correctness from the automatic verifier to the
> > programmer.
>
> Yes.
>
> However, sometimes explicit annotations are very useful as
> documentation and as showing of intent even if they might not change
> behavior or code generation.
>
> But they generally should never _replace_ checking - in fact, the
> annotations themselves should hopefully be checked for correctness
> too.
>
> So a good annotation would implicitly document intent, but it should
> also be something that we can check being true, so that we also have
> the check that reality actually _matches_ the intent too. Because
> misleading and wrong documentation is worse than no documentation at
> all.
>
> Side note: an example of a dangerous annotation is the one that Eric
> pointed out, where a 64-bit read in percpu_counter_read_positive()
> could be changed to READ_ONCE(), and we would compile it cleanly, but
> on 32-bit it wouldn't actually be atomic.
>
> We at one time tried to actually verify that READ/WRITE_ONCE() was
> done only on types that could actually be accessed atomically (always
> ignoring alpha because the pain is not worth it), but it showed too
> many problems.
>
> So now we silently accept things that aren't actually atomic. We do
> access them "once" in the sense that we don't allow the compiler to
> reload it, but it's not "once" in the LKMM sense of one single value.
>
> That's ok for some cases. But it's actually a horrid horrid thing from
> a documentation standpoint, and I hate it, and it's dangerous.
>
> Linus

I was hoping to clean up the 'easy cases' before looking at more serious issues.
But it looks like even the 'easy cases' are not that easy.
Now I wonder what to do with the ~400 KCSAN reports sitting in
the pre-moderation queue.
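
The torn read behind the percpu_counter_read_positive() side note quoted above, as an added example that is not part of the original message or of kernel code: a 64-bit read on a 32-bit machine is modelled as two 32-bit loads, with a constructed interleaving in which a writer increments the counter between them. All names (counter64, read_once_split, single_load_ok) are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model: a 64-bit counter as a 32-bit machine holds it. */
struct counter64 { volatile uint32_t lo, hi; };

static void store64(struct counter64 *c, uint64_t v)
{
    c->lo = (uint32_t)v;
    c->hi = (uint32_t)(v >> 32);
}

/* Stand-in for another CPU incrementing the counter. */
static void writer_increment(struct counter64 *c)
{
    store64(c, (((uint64_t)c->hi << 32) | c->lo) + 1);
}

/* A "once" read of the 64-bit value modelled as two 32-bit loads; each half
 * is loaded exactly once. 'between' is the constructed interleaving point. */
uint64_t read_once_split(struct counter64 *c, void (*between)(struct counter64 *))
{
    uint32_t lo = c->lo;
    if (between)
        between(c);
    uint32_t hi = c->hi;
    return ((uint64_t)hi << 32) | lo;
}

/* Value a reader observes when one increment lands between its two loads. */
uint64_t torn_read_demo(void)
{
    struct counter64 c;
    store64(&c, 0x00000000FFFFFFFFull);   /* constructed starting value */
    return read_once_split(&c, writer_increment);
}

/* The kind of size check the mail mentions: one load only if the type fits a word. */
int single_load_ok(size_t type_bytes, size_t word_bytes)
{
    return type_bytes <= word_bytes;
}

int main(void)
{
    printf("observed 0x%llx\n", (unsigned long long)torn_read_demo());
    printf("u64 on 32-bit single load: %d\n", single_load_ok(8, 4));
    return 0;
}
```

The reader observes 0x1ffffffff, which is neither the old value 0xffffffff nor the new value 0x100000000, even though each half was loaded only once.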