kernel/kcsan/permissive.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 /*
0003  * Special rules for ignoring entire classes of data-racy memory accesses. None
0004  * of the rules here imply that such data races are generally safe!
0005  *
0006  * All rules in this file can be configured via CONFIG_KCSAN_PERMISSIVE. Keep
0007  * them separate from core code to make it easier to audit.
0008  *
0009  * Copyright (C) 2019, Google LLC.
0010  */
0011
0012 #ifndef _KERNEL_KCSAN_PERMISSIVE_H
0013 #define _KERNEL_KCSAN_PERMISSIVE_H
0014
0015 #include <linux/bitops.h>
0016 #include <linux/sched.h>
0017 #include <linux/types.h>
0018
0019 /*
0020  * Access ignore rules based on address.
0021  */
0022 static __always_inline bool kcsan_ignore_address(const volatile void *ptr)
0023 {
0024     if (!IS_ENABLED(CONFIG_KCSAN_PERMISSIVE))
0025         return false;
0026
0027     /*
0028      * Data-racy bitops on current->flags are too common, ignore completely
0029      * for now.
0030      */
0031     return ptr == &current->flags;
0032 }
0033
0034 /*
0035  * Data race ignore rules based on access type and value change patterns.
0036  */
0037 static bool
0038 kcsan_ignore_data_race(size_t size, int type, u64 old, u64 new, u64 diff)
0039 {
0040     if (!IS_ENABLED(CONFIG_KCSAN_PERMISSIVE))
0041         return false;
0042
0043     /*
0044      * Rules here are only for plain read accesses, so that we still report
0045      * data races between plain read-write accesses.
0046      */
0047     if (type || size > sizeof(long))
0048         return false;
0049
0050     /*
0051      * A common pattern is checking/setting just 1 bit in a variable; for
0052      * example:
0053      *
0054      *  if (flags & SOME_FLAG) { ... }
0055      *
0056      * and elsewhere flags is updated concurrently:
0057      *
0058      *  flags |= SOME_OTHER_FLAG; // just 1 bit
0059      *
0060      * While it is still recommended that such accesses be marked
0061      * appropriately, in many cases these types of data races are so common
0062      * that marking them all is often unrealistic and left to maintainer
0063      * preference.
0064      *
0065      * The assumption in all cases is that with all known compiler
0066      * optimizations (including those that tear accesses), because no more
0067      * than 1 bit changed, the plain accesses are safe despite the presence
0068      * of data races.
0069      *
0070      * The rules here will ignore the data races if we observe no more than
0071      * 1 bit changed.
0072      *
0073      * Of course many operations can effecively change just 1 bit, but the
0074      * general assuption that data races involving 1-bit changes can be
0075      * tolerated still applies.
0076      *
0077      * And in case a true bug is missed, the bug likely manifests as a
0078      * reportable data race elsewhere.
0079      */
0080     if (hweight64(diff) == 1) {
0081         /*
0082          * Exception: Report data races where the values look like
0083          * ordinary booleans (one of them was 0 and the 0th bit was
0084          * changed) More often than not, they come with interesting
0085          * memory ordering requirements, so let's report them.
0086          */
0087         if (!((!old || !new) && diff == 1))
0088             return true;
0089     }
0090
0091     return false;
0092 }
0093
0094 #endif /* _KERNEL_KCSAN_PERMISSIVE_H */