From: Boqun Feng <boqun.feng@gmail.com>
To: Marco Elver <elver@google.com>
Cc: "Paul E. McKenney" <paulmck@kernel.org>,
Alexander Potapenko <glider@google.com>,
Borislav Petkov <bp@alien8.de>,
Dmitry Vyukov <dvyukov@google.com>,
Ingo Molnar <mingo@kernel.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Mark Rutland <mark.rutland@arm.com>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Waiman Long <longman@redhat.com>, Will Deacon <will@kernel.org>,
kasan-dev@googlegroups.com, linux-arch@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kbuild@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: Re: [PATCH v2 03/23] kcsan: Avoid checking scoped accesses from nested contexts
Date: Mon, 29 Nov 2021 22:26:46 +0800 [thread overview]
Message-ID: <YaTjJnl+Wc1qZbG/@boqun-archlinux> (raw)
In-Reply-To: <YaSyGr4vW3yifWWC@elver.google.com>
On Mon, Nov 29, 2021 at 11:57:30AM +0100, Marco Elver wrote:
> On Mon, Nov 29, 2021 at 04:47PM +0800, Boqun Feng wrote:
> > Hi Marco,
> >
> > On Thu, Nov 18, 2021 at 09:10:07AM +0100, Marco Elver wrote:
> > > Avoid checking scoped accesses from nested contexts (such as nested
> > > interrupts or in scheduler code) which share the same kcsan_ctx.
> > >
> > > This is to avoid detecting false positive races of accesses in the same
> >
> > Could you provide an example for a false positive?
> >
> > I think we do want to detect the following race:
> >
> > static int v = SOME_VALUE; // a percpu variable.
> > static int other_v = ... ;
> >
> > void foo(..)
> > {
> > int tmp;
> > int other_tmp;
> >
> > preempt_disable();
> > {
> > ASSERT_EXCLUSIVE_ACCESSS_SCOPED(v);
> > tmp = v;
> >
> > other_tmp = other_v; // int_handler() may run here
> >
> > v = tmp + 2;
> > }
> > preempt_enabled();
> > }
> >
> > void int_handler() // an interrupt handler
> > {
> > v++;
> > }
> >
> > , if I understand correctly, we can detect this currently, but with this
> > patch, we cannot detect this if the interrupt happens while we're doing
> > the check for "other_tmp = other_v;", right? Of course, running tests
> > multiple times may eventually catch this, but I just want to understand
> > what's this patch for, thanks!
>
> The above will still be detected. Task and interrupt contexts in this
> case are distinct, i.e. kcsan_ctx differ (see get_ctx()).
>
Ok, I was missing that.
> But there are rare cases where kcsan_ctx is shared, such as nested
> interrupts (NMI?), or when entering scheduler code -- which currently
> has a KCSAN_SANITIZE := n, but I occasionally test it, which is how I
> found this problem. The problem occurs frequently when enabling KCSAN in
> kernel/sched and placing a random ASSERT_EXCLUSIVE_ACCESS_SCOPED() in
> task context, or just enable "weak memory modeling" without this fix.
> You also need CONFIG_PREEMPT=y + CONFIG_KCSAN_INTERRUPT_WATCHER=y.
>
Thanks for the background, it's now more clear that the problem is
triggered ;-)
> The emphasis here really is on _shared kcsan_ctx_, which is not too
> common. As noted in the commit description, we need to "[...] setting up
> a watchpoint for a non-scoped (normal) access that also "conflicts" with
> a current scoped access."
>
> Consider this:
>
> static int v;
> int foo(..)
> {
> ASSERT_EXCLUSIVE_ACCESS_SCOPED(v);
> v++; // preempted during watchpoint for 'v++'
> }
>
> Here we set up a scoped_access to be checked for v. Then on v++, a
> watchpoint is set up for the normal access. While the watchpoint is set
> up, the task is preempted and upon entering scheduler code, we're still
> in_task() and 'current' is still the same, thus get_ctx() returns a
> kcsan_ctx where the scoped_accesses list is non-empty containing the
> scoped access for foo()'s ASSERT_EXCLUSIVE.
>
> That means, when instrumenting scheduler code or any other code called
> by scheduler code or nested interrupts (anything where get_ctx() still
> returns the same as parent context), it'd now perform checks based on
> the parent context's scoped access, and because the parent context also
> has a watchpoint set up on the variable that conflicts with the scoped
> access we'd report a nonsensical race.
>
Agreed.
> This case is also possible:
>
> static int v;
> static int x;
> int foo(..)
> {
> ASSERT_EXCLUSIVE_ACCESS_SCOPED(v);
> x++; // preempted during watchpoint for 'v' after checking x++
> }
>
> Here, all we need is for the scoped access to be checked after x++, end
> up with a watchpoint for it, then enter scheduler code, which then
> checked 'v', sees the conflicting watchpoint, and reports a nonsensical
> race again.
>
Just to be clear, in both examples, the assumption is that 'v' is a
variable that scheduler code doesn't access, right? Because if scheduler
code does access 'v', then it's a problem that KCSAN should report. Yes,
I don't know any variable that scheduler exports, just to make sure
here.
> By disallowing scoped access checking for a kcsan_ctx, we simply make
> sure that in such nested contexts where kcsan_ctx is shared, none of
> these nonsensical races would be detected nor reported.
>
> Hopefully that clarifies what this is about.
>
Make sense to me, thanks.
Regards,
Boqun
> Thanks,
> -- Marco
next prev parent reply other threads:[~2021-11-29 16:43 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-18 8:10 [PATCH v2 00/23] kcsan: Support detecting a subset of missing memory barriers Marco Elver
2021-11-18 8:10 ` [PATCH v2 01/23] kcsan: Refactor reading of instrumented memory Marco Elver
2021-11-18 11:08 ` Mark Rutland
2021-11-18 8:10 ` [PATCH v2 02/23] kcsan: Remove redundant zero-initialization of globals Marco Elver
2021-11-18 11:09 ` Mark Rutland
2021-11-18 8:10 ` [PATCH v2 03/23] kcsan: Avoid checking scoped accesses from nested contexts Marco Elver
2021-11-29 8:47 ` Boqun Feng
2021-11-29 10:57 ` Marco Elver
2021-11-29 14:26 ` Boqun Feng [this message]
2021-11-29 14:42 ` Marco Elver
2021-11-18 8:10 ` [PATCH v2 04/23] kcsan: Add core support for a subset of weak memory modeling Marco Elver
2021-11-18 8:10 ` [PATCH v2 05/23] kcsan: Add core memory barrier instrumentation functions Marco Elver
2021-11-18 8:10 ` [PATCH v2 06/23] kcsan, kbuild: Add option for barrier instrumentation only Marco Elver
2021-11-18 8:10 ` [PATCH v2 07/23] kcsan: Call scoped accesses reordered in reports Marco Elver
2021-11-18 8:10 ` [PATCH v2 08/23] kcsan: Show location access was reordered to Marco Elver
2021-11-18 8:10 ` [PATCH v2 09/23] kcsan: Document modeling of weak memory Marco Elver
2021-11-18 8:10 ` [PATCH v2 10/23] kcsan: test: Match reordered or normal accesses Marco Elver
2021-11-18 8:10 ` [PATCH v2 11/23] kcsan: test: Add test cases for memory barrier instrumentation Marco Elver
2021-11-18 8:10 ` [PATCH v2 12/23] kcsan: Ignore GCC 11+ warnings about TSan runtime support Marco Elver
2021-11-18 8:10 ` [PATCH v2 13/23] kcsan: selftest: Add test case to check memory barrier instrumentation Marco Elver
2021-11-18 8:10 ` [PATCH v2 14/23] locking/barriers, kcsan: Add instrumentation for barriers Marco Elver
2021-11-18 8:10 ` [PATCH v2 15/23] locking/barriers, kcsan: Support generic instrumentation Marco Elver
2021-11-18 8:10 ` [PATCH v2 16/23] locking/atomics, kcsan: Add instrumentation for barriers Marco Elver
2021-11-18 8:10 ` [PATCH v2 17/23] asm-generic/bitops, " Marco Elver
2021-11-18 8:10 ` [PATCH v2 18/23] x86/barriers, kcsan: Use generic instrumentation for non-smp barriers Marco Elver
2021-11-18 8:10 ` [PATCH v2 19/23] x86/qspinlock, kcsan: Instrument barrier of pv_queued_spin_unlock() Marco Elver
2021-11-18 8:10 ` [PATCH v2 20/23] mm, kcsan: Enable barrier instrumentation Marco Elver
2021-11-18 8:10 ` [PATCH v2 21/23] sched, kcsan: Enable memory " Marco Elver
2021-11-18 8:10 ` [PATCH v2 22/23] objtool, kcsan: Add memory barrier instrumentation to whitelist Marco Elver
2021-11-18 8:10 ` [PATCH v2 23/23] objtool, kcsan: Remove memory barrier instrumentation from noinstr Marco Elver
2021-11-19 20:31 ` Josh Poimboeuf
2021-11-19 21:31 ` Marco Elver
2021-11-23 11:29 ` Marco Elver
2021-11-24 17:53 ` Josh Poimboeuf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YaTjJnl+Wc1qZbG/@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=bp@alien8.de \
--cc=dvyukov@google.com \
--cc=elver@google.com \
--cc=glider@google.com \
--cc=jpoimboe@redhat.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=longman@redhat.com \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).