From: Mark Rutland <mark.rutland@arm.com>
To: Marco Elver <elver@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>,
	kasan-dev <kasan-dev@googlegroups.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Andrey Konovalov <andreyknvl@google.com>,
	Alexander Potapenko <glider@google.com>,
	"Paul E. McKenney" <paulmck@linux.ibm.com>,
	Paul Turner <pjt@google.com>, Daniel Axtens <dja@axtens.net>,
	Anatol Pomazau <anatol@google.com>,
	Will Deacon <willdeacon@google.com>,
	Andrea Parri <parri.andrea@gmail.com>,
	Alan Stern <stern@rowland.harvard.edu>,
	LKMM Maintainers -- Akira Yokosawa <akiyks@gmail.com>,
	Nicholas Piggin <npiggin@gmail.com>,
	Boqun Feng <boqun.feng@gmail.com>,
	Daniel Lustig <dlustig@nvidia.com>,
	Jade Alglave <j.alglave@ucl.ac.uk>,
	Luc Maranget <luc.maranget@inria.fr>
Subject: Re: Kernel Concurrency Sanitizer (KCSAN)
Date: Thu, 3 Oct 2019 17:12:34 +0100
Message-ID: <20191003161233.GB38140@lakrids.cambridge.arm.com>
In-Reply-To: <CANpmjNM+aEzySwuMDkEvsVaeTooxExuTRAv-nzjhp7npT8a3ag@mail.gmail.com>

On Fri, Sep 20, 2019 at 07:51:04PM +0200, Marco Elver wrote:
> On Fri, 20 Sep 2019 at 18:47, Dmitry Vyukov <dvyukov@google.com> wrote:
> >
> > On Fri, Sep 20, 2019 at 6:31 PM Mark Rutland <mark.rutland@arm.com> wrote:
> > >
> > > On Fri, Sep 20, 2019 at 04:18:57PM +0200, Marco Elver wrote:
> > > > We would like to share a new data-race detector for the Linux kernel:
> > > > Kernel Concurrency Sanitizer (KCSAN) --
> > > > https://github.com/google/ktsan/wiki/KCSAN  (Details:
> > > > https://github.com/google/ktsan/blob/kcsan/Documentation/dev-tools/kcsan.rst)
> > >
> > > Nice!
> > >
> > > BTW kcsan_atomic_next() is missing a stub definition in <linux/kcsan.h>
> > > when !CONFIG_KCSAN:
> > >
> > > https://github.com/google/ktsan/commit/a22a093a0f0d0b582c82cdbac4f133a3f61d207c#diff-19d7c475b4b92aab8ba440415ab786ec
> > >
> > > ... and I think the kcsan_{begin,end}_atomic() stubs need to be static
> > > inline too.
> 
> Thanks for catching, fixed and pushed. Feel free to rebase your arm64 branch.

Great; I've just done so!

What's the plan for posting a PATCH or RFC series?

The rest of this email is rabbit-holing on the issue KCSAN spotted;
sorry about that!

[...]

> > > We have some interesting splats at boot time in stop_machine, which
> > > don't seem to have been hit/fixed on x86 yet in the kcsan-with-fixes
> > > branch, e.g.
> > >
> > > [    0.237939] ==================================================================
> > > [    0.239431] BUG: KCSAN: data-race in multi_cpu_stop+0xa8/0x198 and set_state+0x80/0xb0
> > > [    0.241189]
> > > [    0.241606] write to 0xffff00001003bd00 of 4 bytes by task 24 on cpu 3:
> > > [    0.243435]  set_state+0x80/0xb0
> > > [    0.244328]  multi_cpu_stop+0x16c/0x198
> > > [    0.245406]  cpu_stopper_thread+0x170/0x298
> > > [    0.246565]  smpboot_thread_fn+0x40c/0x560
> > > [    0.247696]  kthread+0x1a8/0x1b0
> > > [    0.248586]  ret_from_fork+0x10/0x18
> > > [    0.249589]
> > > [    0.250006] read to 0xffff00001003bd00 of 4 bytes by task 14 on cpu 1:
> > > [    0.251804]  multi_cpu_stop+0xa8/0x198
> > > [    0.252851]  cpu_stopper_thread+0x170/0x298
> > > [    0.254008]  smpboot_thread_fn+0x40c/0x560
> > > [    0.255135]  kthread+0x1a8/0x1b0
> > > [    0.256027]  ret_from_fork+0x10/0x18
> > > [    0.257036]
> > > [    0.257449] Reported by Kernel Concurrency Sanitizer on:
> > > [    0.258918] CPU: 1 PID: 14 Comm: migration/1 Not tainted 5.3.0-00007-g67ab35a199f4-dirty #3
> > > [    0.261241] Hardware name: linux,dummy-virt (DT)
> > > [    0.262517] ==================================================================
> 
> Thanks, the fixes in -with-fixes were ones I only encountered with
> Syzkaller, where I disable KCSAN during boot. I've just added a fix
> for this race and pushed to kcsan-with-fixes.

I think that's:

  https://github.com/google/ktsan/commit/c1bc8ab013a66919d8347c2392f320feabb14f92

... but that doesn't look quite right to me, as it leaves us with the shape:

	do {
		if (READ_ONCE(msdata->state) != curstate) {
			curstate = msdata->state;
			switch (curstate) {
				...
			}
			ack_state(msdata);
		}
	} while (curstate != MULTI_STOP_EXIT);

I don't believe that we have a guarantee of read-after-read ordering
between the READ_ONCE(msdata->state) and the subsequent plain access of
msdata->state, as we've been caught out on that in the past, e.g.

  https://lore.kernel.org/lkml/1506527369-19535-1-git-send-email-will.deacon@arm.com/

... which I think means we could switch on a stale value of
msdata->state. That would mean we might handle the same state twice,
calling ack_state() more times than expected and corrupting the count.

The compiler could also replace uses of curstate with a reload of
msdata->state. If it did so for the while condition, we could skip the
expected ack_state() for MULTI_STOP_EXIT, though it looks like that
might not matter.

I think we need to make sure that we use a consistent snapshot,
something like the below. Assuming I'm not barking up the wrong tree, I
can spin this as a proper patch.

Thanks,
Mark.

---->8----
diff --git a/kernel/stop_machine.c b/kernel/stop_machine.c
index b4f83f7bdf86..67a0b454b5b5 100644
--- a/kernel/stop_machine.c
+++ b/kernel/stop_machine.c
@@ -167,7 +167,7 @@ static void set_state(struct multi_stop_data *msdata,
        /* Reset ack counter. */
        atomic_set(&msdata->thread_ack, msdata->num_threads);
        smp_wmb();
-       msdata->state = newstate;
+       WRITE_ONCE(msdata->state, newstate);
 }
 
 /* Last one to ack a state moves to the next state. */
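Review bot: the WRITE_ONCE() on the state store is only half of the pairing, and the hunk does not document it; a one-line comment here saying that it pairs with the READ_ONCE() in multi_cpu_stop(), and that the preceding smp_wmb() orders the thread_ack reset before the new state becomes visible, would make the intent reviewable without the cover letter. Per the comment just below, the last acker also moves msdata to the next state, so it is worth checking whether that path reads msdata->state with a plain access too; if it does, it needs the same marking or KCSAN will keep reporting the pair.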
@@ -186,7 +186,7 @@ void __weak stop_machine_yield(const struct cpumask *cpumask)
 static int multi_cpu_stop(void *data)
 {
        struct multi_stop_data *msdata = data;
-       enum multi_stop_state curstate = MULTI_STOP_NONE;
+       enum multi_stop_state newstate, curstate = MULTI_STOP_NONE;
        int cpu = smp_processor_id(), err = 0;
        const struct cpumask *cpumask;
        unsigned long flags;
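Review bot: style point on the declaration line: `enum multi_stop_state newstate, curstate = MULTI_STOP_NONE;` puts the uninitialised variable in front of the initialised one, which invites a reader to assume both share the initialiser. Two separate declarations, or a short comment that newstate is the per-iteration snapshot of msdata->state, reads more clearly.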
@@ -210,8 +210,9 @@ static int multi_cpu_stop(void *data)
        do {
                /* Chill out and ensure we re-read multi_stop_state. */
                stop_machine_yield(cpumask);
-               if (msdata->state != curstate) {
-                       curstate = msdata->state;
+               newstate = READ_ONCE(msdata->state);
+               if (newstate != curstate) {
+                       curstate = newstate;
                        switch (curstate) {
                        case MULTI_STOP_DISABLE_IRQ:
                                local_irq_disable();

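Review bot: the snapshot closes the window described in the mail, since curstate is now only ever assigned from a single READ_ONCE() result that the compiler cannot re-load from msdata->state, so the switch and the while condition on curstate see one consistent value; that reasoning belongs in the commit message, with the lore link quoted above. The comment `/* Chill out and ensure we re-read multi_stop_state. */` still describes the old shape, where the re-read was implicit; update it to say that the READ_ONCE() on the next line is the one re-read per iteration.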

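As an added illustration (a constructed model of my own, not Mark's patch or kernel code), here is a deterministic single-threaded C model of the two loop shapes discussed above. The state timeline, the `lag` parameter that stands in for a plain load observing memory earlier than the READ_ONCE() it follows, and all function names are assumptions of the model, not of stop_machine.c.

```c
/*
 * Constructed single-threaded model of the multi_cpu_stop() loop, not kernel
 * code: msdata->state becomes a timeline that advances at every yield (the
 * other CPUs acked, set_state() moved on). A plain load may be satisfied "lag"
 * yields before the READ_ONCE() it follows, the reordering the thread discusses.
 */
enum multi_stop_state { MULTI_STOP_NONE, MULTI_STOP_PREPARE,
	MULTI_STOP_DISABLE_IRQ, MULTI_STOP_RUN, MULTI_STOP_EXIT };
#define NR_STATES 5
#define MAX_ITERS 64	/* guard: a broken loop must not spin forever */
struct model { const enum multi_stop_state *timeline; int len, now, lag; };
static void stop_yield(struct model *m) { if (m->now < m->len - 1) m->now++; }
static enum multi_stop_state read_once(const struct model *m) { return m->timeline[m->now]; }
static enum multi_stop_state plain_read(const struct model *m)
{
	int t = m->now - m->lag;	/* stale by "lag" yields */
	return m->timeline[t < 0 ? 0 : t];
}
/* snapshot == 0: the kcsan-with-fixes shape (READ_ONCE() check, plain re-read).
 * snapshot == 1: the diff above (one READ_ONCE() value drives the iteration).
 * Returns the iteration count, or -1 if MULTI_STOP_EXIT was never reached. */
static int run_loop(struct model *m, int snapshot, int acks[NR_STATES])
{
	enum multi_stop_state newstate, curstate = MULTI_STOP_NONE;
	int iters = 0;
	do {
		stop_yield(m);			/* stop_machine_yield() */
		newstate = read_once(m);
		if (newstate != curstate) {
			curstate = snapshot ? newstate : plain_read(m);
			acks[curstate]++;	/* stands in for ack_state() */
		}
	} while (curstate != MULTI_STOP_EXIT && ++iters < MAX_ITERS);
	return curstate == MULTI_STOP_EXIT ? iters : -1;
}
/* Constructed timeline; returns how many states this CPU acked more than once. */
static int dup_acks(int lag, int snapshot)
{
	static const enum multi_stop_state tl[] = { MULTI_STOP_PREPARE,
		MULTI_STOP_PREPARE, MULTI_STOP_DISABLE_IRQ, MULTI_STOP_RUN,
		MULTI_STOP_EXIT, MULTI_STOP_EXIT };
	struct model m = { tl, 6, 0, lag };
	int acks[NR_STATES] = { 0 }, dups = 0, i;
	if (run_loop(&m, snapshot, acks) < 0)
		return -1;
	for (i = 0; i < NR_STATES; i++)
		dups += acks[i] > 1;
	return dups;
}
```

With lag 1 the double-read shape acks MULTI_STOP_PREPARE twice (the stale re-read hands back the state already handled), while the snapshot shape acks every state exactly once whatever the lag; the model does not cover the second concern in the mail, a compiler re-loading curstate itself.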