@@ -37,7 +37,9 @@ compiler's use of code-motion and common-subexpression optimizations.
3737Therefore, if a given access is involved in an intentional data race,
3838using READ_ONCE() for loads and WRITE_ONCE() for stores is usually
3939preferable to data_race(), which in turn is usually preferable to plain
40- C-language accesses.
40+ C-language accesses. It is permissible to combine #2 and #3, for example,
41+ data_race(READ_ONCE(a)), which will both restrict compiler optimizations
42+ and disable KCSAN diagnostics.
4143
4244KCSAN will complain about many types of data races involving plain
4345C-language accesses, but marking all accesses involved in a given data
@@ -86,6 +88,10 @@ that fail to exclude the updates. In this case, it is important to use
8688data_race() for the diagnostic reads because otherwise KCSAN would give
8789false-positive warnings about these diagnostic reads.
8890
91+ If it is necessary to both restrict compiler optimizations and disable
92+ KCSAN diagnostics, use both data_race() and READ_ONCE(), for example,
93+ data_race(READ_ONCE(a)).
94+
8995In theory, plain C-language loads can also be used for this use case.
9096However, in practice this will have the disadvantage of causing KCSAN
9197to generate false positives because KCSAN will have no way of knowing
@@ -279,19 +285,34 @@ tells KCSAN that data races are expected, and should be silently
279285ignored. This data_race() also tells the human reading the code that
280286read_foo_diagnostic() might sometimes return a bogus value.
281287
282- However, please note that your kernel must be built with
283- CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n in order for KCSAN to
284- detect a buggy lockless write. If you need KCSAN to detect such a
285- write even if that write did not change the value of foo, you also
286- need CONFIG_KCSAN_REPORT_VALUE_CHANGE_ONLY=n. If you need KCSAN to
287- detect such a write happening in an interrupt handler running on the
288- same CPU doing the legitimate lock-protected write, you also need
289- CONFIG_KCSAN_INTERRUPT_WATCHER=y. With some or all of these Kconfig
290- options set properly, KCSAN can be quite helpful, although it is not
291- necessarily a full replacement for hardware watchpoints. On the other
292- hand, neither are hardware watchpoints a full replacement for KCSAN
293- because it is not always easy to tell hardware watchpoint to conditionally
294- trap on accesses.
288+ If it is necessary to suppress compiler optimization and also detect
289+ buggy lockless writes, read_foo_diagnostic() can be updated as follows:
290+
291+ void read_foo_diagnostic(void)
292+ {
293+ pr_info("Current value of foo: %d\n", data_race(READ_ONCE(foo)));
294+ }
295+
296+ Alternatively, given that KCSAN is to ignore all accesses in this function,
297+ this function can be marked __no_kcsan and the data_race() can be dropped:
298+
299+ void __no_kcsan read_foo_diagnostic(void)
300+ {
301+ pr_info("Current value of foo: %d\n", READ_ONCE(foo));
302+ }
303+
304+ However, in order for KCSAN to detect buggy lockless writes, your kernel
305+ must be built with CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC=n. If you
306+ need KCSAN to detect such a write even if that write did not change
307+ the value of foo, you also need CONFIG_KCSAN_REPORT_VALUE_CHANGE_ONLY=n.
308+ If you need KCSAN to detect such a write happening in an interrupt handler
309+ running on the same CPU doing the legitimate lock-protected write, you
310+ also need CONFIG_KCSAN_INTERRUPT_WATCHER=y. With some or all of these
311+ Kconfig options set properly, KCSAN can be quite helpful, although
312+ it is not necessarily a full replacement for hardware watchpoints.
313+ On the other hand, neither are hardware watchpoints a full replacement
314+ for KCSAN because it is not always easy to tell hardware watchpoint to
315+ conditionally trap on accesses.
295316
296317
297318Lock-Protected Writes With Lockless Reads
0 commit comments