1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | /* |
3 | * Special rules for ignoring entire classes of data-racy memory accesses. None |
4 | * of the rules here imply that such data races are generally safe! |
5 | * |
6 | * All rules in this file can be configured via CONFIG_KCSAN_PERMISSIVE. Keep |
7 | * them separate from core code to make it easier to audit. |
8 | * |
9 | * Copyright (C) 2019, Google LLC. |
10 | */ |
11 | |
12 | #ifndef _KERNEL_KCSAN_PERMISSIVE_H |
13 | #define _KERNEL_KCSAN_PERMISSIVE_H |
14 | |
15 | #include <linux/bitops.h> |
16 | #include <linux/sched.h> |
17 | #include <linux/types.h> |
18 | |
19 | /* |
20 | * Access ignore rules based on address. |
21 | */ |
22 | static __always_inline bool kcsan_ignore_address(const volatile void *ptr) |
23 | { |
24 | if (!IS_ENABLED(CONFIG_KCSAN_PERMISSIVE)) |
25 | return false; |
26 | |
27 | /* |
28 | * Data-racy bitops on current->flags are too common, ignore completely |
29 | * for now. |
30 | */ |
31 | return ptr == ¤t->flags; |
32 | } |
33 | |
34 | /* |
35 | * Data race ignore rules based on access type and value change patterns. |
36 | */ |
37 | static bool |
38 | kcsan_ignore_data_race(size_t size, int type, u64 old, u64 new, u64 diff) |
39 | { |
40 | if (!IS_ENABLED(CONFIG_KCSAN_PERMISSIVE)) |
41 | return false; |
42 | |
43 | /* |
44 | * Rules here are only for plain read accesses, so that we still report |
45 | * data races between plain read-write accesses. |
46 | */ |
47 | if (type || size > sizeof(long)) |
48 | return false; |
49 | |
50 | /* |
51 | * A common pattern is checking/setting just 1 bit in a variable; for |
52 | * example: |
53 | * |
54 | * if (flags & SOME_FLAG) { ... } |
55 | * |
56 | * and elsewhere flags is updated concurrently: |
57 | * |
58 | * flags |= SOME_OTHER_FLAG; // just 1 bit |
59 | * |
60 | * While it is still recommended that such accesses be marked |
61 | * appropriately, in many cases these types of data races are so common |
62 | * that marking them all is often unrealistic and left to maintainer |
63 | * preference. |
64 | * |
65 | * The assumption in all cases is that with all known compiler |
66 | * optimizations (including those that tear accesses), because no more |
67 | * than 1 bit changed, the plain accesses are safe despite the presence |
68 | * of data races. |
69 | * |
70 | * The rules here will ignore the data races if we observe no more than |
71 | * 1 bit changed. |
72 | * |
73 | * Of course many operations can effecively change just 1 bit, but the |
74 | * general assuption that data races involving 1-bit changes can be |
75 | * tolerated still applies. |
76 | * |
77 | * And in case a true bug is missed, the bug likely manifests as a |
78 | * reportable data race elsewhere. |
79 | */ |
80 | if (hweight64(diff) == 1) { |
81 | /* |
82 | * Exception: Report data races where the values look like |
83 | * ordinary booleans (one of them was 0 and the 0th bit was |
84 | * changed) More often than not, they come with interesting |
85 | * memory ordering requirements, so let's report them. |
86 | */ |
87 | if (!((!old || !new) && diff == 1)) |
88 | return true; |
89 | } |
90 | |
91 | return false; |
92 | } |
93 | |
94 | #endif /* _KERNEL_KCSAN_PERMISSIVE_H */ |
95 | |