OSCL-LXR |
|
|
|
|||
0001 /* SPDX-License-Identifier: GPL-2.0 */ 0002 /* 0003 * KCSAN access checks and modifiers. These can be used to explicitly check 0004 * uninstrumented accesses, or change KCSAN checking behaviour of accesses. 0005 * 0006 * Copyright (C) 2019, Google LLC. 0007 */ 0008 0009 #ifndef _LINUX_KCSAN_CHECKS_H 0010 #define _LINUX_KCSAN_CHECKS_H 0011 0012 /* Note: Only include what is already included by compiler.h. */ 0013 #include <linux/compiler_attributes.h> 0014 #include <linux/types.h> 0015 0016 /* Access types -- if KCSAN_ACCESS_WRITE is not set, the access is a read. */ 0017 #define KCSAN_ACCESS_WRITE (1 << 0) /* Access is a write. */ 0018 #define KCSAN_ACCESS_COMPOUND (1 << 1) /* Compounded read-write instrumentation. */ 0019 #define KCSAN_ACCESS_ATOMIC (1 << 2) /* Access is atomic. */ 0020 /* The following are special, and never due to compiler instrumentation. */ 0021 #define KCSAN_ACCESS_ASSERT (1 << 3) /* Access is an assertion. */ 0022 #define KCSAN_ACCESS_SCOPED (1 << 4) /* Access is a scoped access. */ 0023 0024 /* 0025 * __kcsan_*: Always calls into the runtime when KCSAN is enabled. This may be used 0026 * even in compilation units that selectively disable KCSAN, but must use KCSAN 0027 * to validate access to an address. Never use these in header files! 0028 */ 0029 #ifdef CONFIG_KCSAN 0030 /** 0031 * __kcsan_check_access - check generic access for races 0032 * 0033 * @ptr: address of access 0034 * @size: size of access 0035 * @type: access type modifier 0036 */ 0037 void __kcsan_check_access(const volatile void *ptr, size_t size, int type); 0038 0039 /* 0040 * See definition of __tsan_atomic_signal_fence() in kernel/kcsan/core.c. 0041 * Note: The mappings are arbitrary, and do not reflect any real mappings of C11 0042 * memory orders to the LKMM memory orders and vice-versa! 0043 */ 0044 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_mb __ATOMIC_SEQ_CST 0045 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_wmb __ATOMIC_ACQ_REL 0046 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_rmb __ATOMIC_ACQUIRE 0047 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE_release __ATOMIC_RELEASE 0048 0049 /** 0050 * __kcsan_mb - full memory barrier instrumentation 0051 */ 0052 void __kcsan_mb(void); 0053 0054 /** 0055 * __kcsan_wmb - write memory barrier instrumentation 0056 */ 0057 void __kcsan_wmb(void); 0058 0059 /** 0060 * __kcsan_rmb - read memory barrier instrumentation 0061 */ 0062 void __kcsan_rmb(void); 0063 0064 /** 0065 * __kcsan_release - release barrier instrumentation 0066 */ 0067 void __kcsan_release(void); 0068 0069 /** 0070 * kcsan_disable_current - disable KCSAN for the current context 0071 * 0072 * Supports nesting. 0073 */ 0074 void kcsan_disable_current(void); 0075 0076 /** 0077 * kcsan_enable_current - re-enable KCSAN for the current context 0078 * 0079 * Supports nesting. 0080 */ 0081 void kcsan_enable_current(void); 0082 void kcsan_enable_current_nowarn(void); /* Safe in uaccess regions. */ 0083 0084 /** 0085 * kcsan_nestable_atomic_begin - begin nestable atomic region 0086 * 0087 * Accesses within the atomic region may appear to race with other accesses but 0088 * should be considered atomic. 0089 */ 0090 void kcsan_nestable_atomic_begin(void); 0091 0092 /** 0093 * kcsan_nestable_atomic_end - end nestable atomic region 0094 */ 0095 void kcsan_nestable_atomic_end(void); 0096 0097 /** 0098 * kcsan_flat_atomic_begin - begin flat atomic region 0099 * 0100 * Accesses within the atomic region may appear to race with other accesses but 0101 * should be considered atomic. 0102 */ 0103 void kcsan_flat_atomic_begin(void); 0104 0105 /** 0106 * kcsan_flat_atomic_end - end flat atomic region 0107 */ 0108 void kcsan_flat_atomic_end(void); 0109 0110 /** 0111 * kcsan_atomic_next - consider following accesses as atomic 0112 * 0113 * Force treating the next n memory accesses for the current context as atomic 0114 * operations. 0115 * 0116 * @n: number of following memory accesses to treat as atomic. 0117 */ 0118 void kcsan_atomic_next(int n); 0119 0120 /** 0121 * kcsan_set_access_mask - set access mask 0122 * 0123 * Set the access mask for all accesses for the current context if non-zero. 0124 * Only value changes to bits set in the mask will be reported. 0125 * 0126 * @mask: bitmask 0127 */ 0128 void kcsan_set_access_mask(unsigned long mask); 0129 0130 /* Scoped access information. */ 0131 struct kcsan_scoped_access { 0132 union { 0133 struct list_head list; /* scoped_accesses list */ 0134 /* 0135 * Not an entry in scoped_accesses list; stack depth from where 0136 * the access was initialized. 0137 */ 0138 int stack_depth; 0139 }; 0140 0141 /* Access information. */ 0142 const volatile void *ptr; 0143 size_t size; 0144 int type; 0145 /* Location where scoped access was set up. */ 0146 unsigned long ip; 0147 }; 0148 /* 0149 * Automatically call kcsan_end_scoped_access() when kcsan_scoped_access goes 0150 * out of scope; relies on attribute "cleanup", which is supported by all 0151 * compilers that support KCSAN. 0152 */ 0153 #define __kcsan_cleanup_scoped \ 0154 __maybe_unused __attribute__((__cleanup__(kcsan_end_scoped_access))) 0155 0156 /** 0157 * kcsan_begin_scoped_access - begin scoped access 0158 * 0159 * Begin scoped access and initialize @sa, which will cause KCSAN to 0160 * continuously check the memory range in the current thread until 0161 * kcsan_end_scoped_access() is called for @sa. 0162 * 0163 * Scoped accesses are implemented by appending @sa to an internal list for the 0164 * current execution context, and then checked on every call into the KCSAN 0165 * runtime. 0166 * 0167 * @ptr: address of access 0168 * @size: size of access 0169 * @type: access type modifier 0170 * @sa: struct kcsan_scoped_access to use for the scope of the access 0171 */ 0172 struct kcsan_scoped_access * 0173 kcsan_begin_scoped_access(const volatile void *ptr, size_t size, int type, 0174 struct kcsan_scoped_access *sa); 0175 0176 /** 0177 * kcsan_end_scoped_access - end scoped access 0178 * 0179 * End a scoped access, which will stop KCSAN checking the memory range. 0180 * Requires that kcsan_begin_scoped_access() was previously called once for @sa. 0181 * 0182 * @sa: a previously initialized struct kcsan_scoped_access 0183 */ 0184 void kcsan_end_scoped_access(struct kcsan_scoped_access *sa); 0185 0186 0187 #else /* CONFIG_KCSAN */ 0188 0189 static inline void __kcsan_check_access(const volatile void *ptr, size_t size, 0190 int type) { } 0191 0192 static inline void __kcsan_mb(void) { } 0193 static inline void __kcsan_wmb(void) { } 0194 static inline void __kcsan_rmb(void) { } 0195 static inline void __kcsan_release(void) { } 0196 static inline void kcsan_disable_current(void) { } 0197 static inline void kcsan_enable_current(void) { } 0198 static inline void kcsan_enable_current_nowarn(void) { } 0199 static inline void kcsan_nestable_atomic_begin(void) { } 0200 static inline void kcsan_nestable_atomic_end(void) { } 0201 static inline void kcsan_flat_atomic_begin(void) { } 0202 static inline void kcsan_flat_atomic_end(void) { } 0203 static inline void kcsan_atomic_next(int n) { } 0204 static inline void kcsan_set_access_mask(unsigned long mask) { } 0205 0206 struct kcsan_scoped_access { }; 0207 #define __kcsan_cleanup_scoped __maybe_unused 0208 static inline struct kcsan_scoped_access * 0209 kcsan_begin_scoped_access(const volatile void *ptr, size_t size, int type, 0210 struct kcsan_scoped_access *sa) { return sa; } 0211 static inline void kcsan_end_scoped_access(struct kcsan_scoped_access *sa) { } 0212 0213 #endif /* CONFIG_KCSAN */ 0214 0215 #ifdef __SANITIZE_THREAD__ 0216 /* 0217 * Only calls into the runtime when the particular compilation unit has KCSAN 0218 * instrumentation enabled. May be used in header files. 0219 */ 0220 #define kcsan_check_access __kcsan_check_access 0221 0222 /* 0223 * Only use these to disable KCSAN for accesses in the current compilation unit; 0224 * calls into libraries may still perform KCSAN checks. 0225 */ 0226 #define __kcsan_disable_current kcsan_disable_current 0227 #define __kcsan_enable_current kcsan_enable_current_nowarn 0228 #else /* __SANITIZE_THREAD__ */ 0229 static inline void kcsan_check_access(const volatile void *ptr, size_t size, 0230 int type) { } 0231 static inline void __kcsan_enable_current(void) { } 0232 static inline void __kcsan_disable_current(void) { } 0233 #endif /* __SANITIZE_THREAD__ */ 0234 0235 #if defined(CONFIG_KCSAN_WEAK_MEMORY) && defined(__SANITIZE_THREAD__) 0236 /* 0237 * Normal barrier instrumentation is not done via explicit calls, but by mapping 0238 * to a repurposed __atomic_signal_fence(), which normally does not generate any 0239 * real instructions, but is still intercepted by fsanitize=thread. This means, 0240 * like any other compile-time instrumentation, barrier instrumentation can be 0241 * disabled with the __no_kcsan function attribute. 0242 * 0243 * Also see definition of __tsan_atomic_signal_fence() in kernel/kcsan/core.c. 0244 * 0245 * These are all macros, like <asm/barrier.h>, since some architectures use them 0246 * in non-static inline functions. 0247 */ 0248 #define __KCSAN_BARRIER_TO_SIGNAL_FENCE(name) \ 0249 do { \ 0250 barrier(); \ 0251 __atomic_signal_fence(__KCSAN_BARRIER_TO_SIGNAL_FENCE_##name); \ 0252 barrier(); \ 0253 } while (0) 0254 #define kcsan_mb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(mb) 0255 #define kcsan_wmb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(wmb) 0256 #define kcsan_rmb() __KCSAN_BARRIER_TO_SIGNAL_FENCE(rmb) 0257 #define kcsan_release() __KCSAN_BARRIER_TO_SIGNAL_FENCE(release) 0258 #elif defined(CONFIG_KCSAN_WEAK_MEMORY) && defined(__KCSAN_INSTRUMENT_BARRIERS__) 0259 #define kcsan_mb __kcsan_mb 0260 #define kcsan_wmb __kcsan_wmb 0261 #define kcsan_rmb __kcsan_rmb 0262 #define kcsan_release __kcsan_release 0263 #else /* CONFIG_KCSAN_WEAK_MEMORY && ... */ 0264 #define kcsan_mb() do { } while (0) 0265 #define kcsan_wmb() do { } while (0) 0266 #define kcsan_rmb() do { } while (0) 0267 #define kcsan_release() do { } while (0) 0268 #endif /* CONFIG_KCSAN_WEAK_MEMORY && ... */ 0269 0270 /** 0271 * __kcsan_check_read - check regular read access for races 0272 * 0273 * @ptr: address of access 0274 * @size: size of access 0275 */ 0276 #define __kcsan_check_read(ptr, size) __kcsan_check_access(ptr, size, 0) 0277 0278 /** 0279 * __kcsan_check_write - check regular write access for races 0280 * 0281 * @ptr: address of access 0282 * @size: size of access 0283 */ 0284 #define __kcsan_check_write(ptr, size) \ 0285 __kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE) 0286 0287 /** 0288 * __kcsan_check_read_write - check regular read-write access for races 0289 * 0290 * @ptr: address of access 0291 * @size: size of access 0292 */ 0293 #define __kcsan_check_read_write(ptr, size) \ 0294 __kcsan_check_access(ptr, size, KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE) 0295 0296 /** 0297 * kcsan_check_read - check regular read access for races 0298 * 0299 * @ptr: address of access 0300 * @size: size of access 0301 */ 0302 #define kcsan_check_read(ptr, size) kcsan_check_access(ptr, size, 0) 0303 0304 /** 0305 * kcsan_check_write - check regular write access for races 0306 * 0307 * @ptr: address of access 0308 * @size: size of access 0309 */ 0310 #define kcsan_check_write(ptr, size) \ 0311 kcsan_check_access(ptr, size, KCSAN_ACCESS_WRITE) 0312 0313 /** 0314 * kcsan_check_read_write - check regular read-write access for races 0315 * 0316 * @ptr: address of access 0317 * @size: size of access 0318 */ 0319 #define kcsan_check_read_write(ptr, size) \ 0320 kcsan_check_access(ptr, size, KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE) 0321 0322 /* 0323 * Check for atomic accesses: if atomic accesses are not ignored, this simply 0324 * aliases to kcsan_check_access(), otherwise becomes a no-op. 0325 */ 0326 #ifdef CONFIG_KCSAN_IGNORE_ATOMICS 0327 #define kcsan_check_atomic_read(...) do { } while (0) 0328 #define kcsan_check_atomic_write(...) do { } while (0) 0329 #define kcsan_check_atomic_read_write(...) do { } while (0) 0330 #else 0331 #define kcsan_check_atomic_read(ptr, size) \ 0332 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC) 0333 #define kcsan_check_atomic_write(ptr, size) \ 0334 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE) 0335 #define kcsan_check_atomic_read_write(ptr, size) \ 0336 kcsan_check_access(ptr, size, KCSAN_ACCESS_ATOMIC | KCSAN_ACCESS_WRITE | KCSAN_ACCESS_COMPOUND) 0337 #endif 0338 0339 /** 0340 * ASSERT_EXCLUSIVE_WRITER - assert no concurrent writes to @var 0341 * 0342 * Assert that there are no concurrent writes to @var; other readers are 0343 * allowed. This assertion can be used to specify properties of concurrent code, 0344 * where violation cannot be detected as a normal data race. 0345 * 0346 * For example, if we only have a single writer, but multiple concurrent 0347 * readers, to avoid data races, all these accesses must be marked; even 0348 * concurrent marked writes racing with the single writer are bugs. 0349 * Unfortunately, due to being marked, they are no longer data races. For cases 0350 * like these, we can use the macro as follows: 0351 * 0352 * .. code-block:: c 0353 * 0354 * void writer(void) { 0355 * spin_lock(&update_foo_lock); 0356 * ASSERT_EXCLUSIVE_WRITER(shared_foo); 0357 * WRITE_ONCE(shared_foo, ...); 0358 * spin_unlock(&update_foo_lock); 0359 * } 0360 * void reader(void) { 0361 * // update_foo_lock does not need to be held! 0362 * ... = READ_ONCE(shared_foo); 0363 * } 0364 * 0365 * Note: ASSERT_EXCLUSIVE_WRITER_SCOPED(), if applicable, performs more thorough 0366 * checking if a clear scope where no concurrent writes are expected exists. 0367 * 0368 * @var: variable to assert on 0369 */ 0370 #define ASSERT_EXCLUSIVE_WRITER(var) \ 0371 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_ASSERT) 0372 0373 /* 0374 * Helper macros for implementation of for ASSERT_EXCLUSIVE_*_SCOPED(). @id is 0375 * expected to be unique for the scope in which instances of kcsan_scoped_access 0376 * are declared. 0377 */ 0378 #define __kcsan_scoped_name(c, suffix) __kcsan_scoped_##c##suffix 0379 #define __ASSERT_EXCLUSIVE_SCOPED(var, type, id) \ 0380 struct kcsan_scoped_access __kcsan_scoped_name(id, _) \ 0381 __kcsan_cleanup_scoped; \ 0382 struct kcsan_scoped_access *__kcsan_scoped_name(id, _dummy_p) \ 0383 __maybe_unused = kcsan_begin_scoped_access( \ 0384 &(var), sizeof(var), KCSAN_ACCESS_SCOPED | (type), \ 0385 &__kcsan_scoped_name(id, _)) 0386 0387 /** 0388 * ASSERT_EXCLUSIVE_WRITER_SCOPED - assert no concurrent writes to @var in scope 0389 * 0390 * Scoped variant of ASSERT_EXCLUSIVE_WRITER(). 0391 * 0392 * Assert that there are no concurrent writes to @var for the duration of the 0393 * scope in which it is introduced. This provides a better way to fully cover 0394 * the enclosing scope, compared to multiple ASSERT_EXCLUSIVE_WRITER(), and 0395 * increases the likelihood for KCSAN to detect racing accesses. 0396 * 0397 * For example, it allows finding race-condition bugs that only occur due to 0398 * state changes within the scope itself: 0399 * 0400 * .. code-block:: c 0401 * 0402 * void writer(void) { 0403 * spin_lock(&update_foo_lock); 0404 * { 0405 * ASSERT_EXCLUSIVE_WRITER_SCOPED(shared_foo); 0406 * WRITE_ONCE(shared_foo, 42); 0407 * ... 0408 * // shared_foo should still be 42 here! 0409 * } 0410 * spin_unlock(&update_foo_lock); 0411 * } 0412 * void buggy(void) { 0413 * if (READ_ONCE(shared_foo) == 42) 0414 * WRITE_ONCE(shared_foo, 1); // bug! 0415 * } 0416 * 0417 * @var: variable to assert on 0418 */ 0419 #define ASSERT_EXCLUSIVE_WRITER_SCOPED(var) \ 0420 __ASSERT_EXCLUSIVE_SCOPED(var, KCSAN_ACCESS_ASSERT, __COUNTER__) 0421 0422 /** 0423 * ASSERT_EXCLUSIVE_ACCESS - assert no concurrent accesses to @var 0424 * 0425 * Assert that there are no concurrent accesses to @var (no readers nor 0426 * writers). This assertion can be used to specify properties of concurrent 0427 * code, where violation cannot be detected as a normal data race. 0428 * 0429 * For example, where exclusive access is expected after determining no other 0430 * users of an object are left, but the object is not actually freed. We can 0431 * check that this property actually holds as follows: 0432 * 0433 * .. code-block:: c 0434 * 0435 * if (refcount_dec_and_test(&obj->refcnt)) { 0436 * ASSERT_EXCLUSIVE_ACCESS(*obj); 0437 * do_some_cleanup(obj); 0438 * release_for_reuse(obj); 0439 * } 0440 * 0441 * Note: 0442 * 0443 * 1. ASSERT_EXCLUSIVE_ACCESS_SCOPED(), if applicable, performs more thorough 0444 * checking if a clear scope where no concurrent accesses are expected exists. 0445 * 0446 * 2. For cases where the object is freed, `KASAN <kasan.html>`_ is a better 0447 * fit to detect use-after-free bugs. 0448 * 0449 * @var: variable to assert on 0450 */ 0451 #define ASSERT_EXCLUSIVE_ACCESS(var) \ 0452 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT) 0453 0454 /** 0455 * ASSERT_EXCLUSIVE_ACCESS_SCOPED - assert no concurrent accesses to @var in scope 0456 * 0457 * Scoped variant of ASSERT_EXCLUSIVE_ACCESS(). 0458 * 0459 * Assert that there are no concurrent accesses to @var (no readers nor writers) 0460 * for the entire duration of the scope in which it is introduced. This provides 0461 * a better way to fully cover the enclosing scope, compared to multiple 0462 * ASSERT_EXCLUSIVE_ACCESS(), and increases the likelihood for KCSAN to detect 0463 * racing accesses. 0464 * 0465 * @var: variable to assert on 0466 */ 0467 #define ASSERT_EXCLUSIVE_ACCESS_SCOPED(var) \ 0468 __ASSERT_EXCLUSIVE_SCOPED(var, KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ASSERT, __COUNTER__) 0469 0470 /** 0471 * ASSERT_EXCLUSIVE_BITS - assert no concurrent writes to subset of bits in @var 0472 * 0473 * Bit-granular variant of ASSERT_EXCLUSIVE_WRITER(). 0474 * 0475 * Assert that there are no concurrent writes to a subset of bits in @var; 0476 * concurrent readers are permitted. This assertion captures more detailed 0477 * bit-level properties, compared to the other (word granularity) assertions. 0478 * Only the bits set in @mask are checked for concurrent modifications, while 0479 * ignoring the remaining bits, i.e. concurrent writes (or reads) to ~mask bits 0480 * are ignored. 0481 * 0482 * Use this for variables, where some bits must not be modified concurrently, 0483 * yet other bits are expected to be modified concurrently. 0484 * 0485 * For example, variables where, after initialization, some bits are read-only, 0486 * but other bits may still be modified concurrently. A reader may wish to 0487 * assert that this is true as follows: 0488 * 0489 * .. code-block:: c 0490 * 0491 * ASSERT_EXCLUSIVE_BITS(flags, READ_ONLY_MASK); 0492 * foo = (READ_ONCE(flags) & READ_ONLY_MASK) >> READ_ONLY_SHIFT; 0493 * 0494 * Note: The access that immediately follows ASSERT_EXCLUSIVE_BITS() is assumed 0495 * to access the masked bits only, and KCSAN optimistically assumes it is 0496 * therefore safe, even in the presence of data races, and marking it with 0497 * READ_ONCE() is optional from KCSAN's point-of-view. We caution, however, that 0498 * it may still be advisable to do so, since we cannot reason about all compiler 0499 * optimizations when it comes to bit manipulations (on the reader and writer 0500 * side). If you are sure nothing can go wrong, we can write the above simply 0501 * as: 0502 * 0503 * .. code-block:: c 0504 * 0505 * ASSERT_EXCLUSIVE_BITS(flags, READ_ONLY_MASK); 0506 * foo = (flags & READ_ONLY_MASK) >> READ_ONLY_SHIFT; 0507 * 0508 * Another example, where this may be used, is when certain bits of @var may 0509 * only be modified when holding the appropriate lock, but other bits may still 0510 * be modified concurrently. Writers, where other bits may change concurrently, 0511 * could use the assertion as follows: 0512 * 0513 * .. code-block:: c 0514 * 0515 * spin_lock(&foo_lock); 0516 * ASSERT_EXCLUSIVE_BITS(flags, FOO_MASK); 0517 * old_flags = flags; 0518 * new_flags = (old_flags & ~FOO_MASK) | (new_foo << FOO_SHIFT); 0519 * if (cmpxchg(&flags, old_flags, new_flags) != old_flags) { ... } 0520 * spin_unlock(&foo_lock); 0521 * 0522 * @var: variable to assert on 0523 * @mask: only check for modifications to bits set in @mask 0524 */ 0525 #define ASSERT_EXCLUSIVE_BITS(var, mask) \ 0526 do { \ 0527 kcsan_set_access_mask(mask); \ 0528 __kcsan_check_access(&(var), sizeof(var), KCSAN_ACCESS_ASSERT);\ 0529 kcsan_set_access_mask(0); \ 0530 kcsan_atomic_next(1); \ 0531 } while (0) 0532 0533 #endif /* _LINUX_KCSAN_CHECKS_H */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.1.0 LXR engine. The LXR team |
|