Loading...
Note: File does not exist in v4.6.
1// SPDX-License-Identifier: GPL-2.0
2/*
3 * KCSAN core runtime.
4 *
5 * Copyright (C) 2019, Google LLC.
6 */
7
8#define pr_fmt(fmt) "kcsan: " fmt
9
10#include <linux/atomic.h>
11#include <linux/bug.h>
12#include <linux/delay.h>
13#include <linux/export.h>
14#include <linux/init.h>
15#include <linux/kernel.h>
16#include <linux/list.h>
17#include <linux/moduleparam.h>
18#include <linux/percpu.h>
19#include <linux/preempt.h>
20#include <linux/sched.h>
21#include <linux/uaccess.h>
22
23#include "atomic.h"
24#include "encoding.h"
25#include "kcsan.h"
26
27static bool kcsan_early_enable = IS_ENABLED(CONFIG_KCSAN_EARLY_ENABLE);
28unsigned int kcsan_udelay_task = CONFIG_KCSAN_UDELAY_TASK;
29unsigned int kcsan_udelay_interrupt = CONFIG_KCSAN_UDELAY_INTERRUPT;
30static long kcsan_skip_watch = CONFIG_KCSAN_SKIP_WATCH;
31static bool kcsan_interrupt_watcher = IS_ENABLED(CONFIG_KCSAN_INTERRUPT_WATCHER);
32
33#ifdef MODULE_PARAM_PREFIX
34#undef MODULE_PARAM_PREFIX
35#endif
36#define MODULE_PARAM_PREFIX "kcsan."
37module_param_named(early_enable, kcsan_early_enable, bool, 0);
38module_param_named(udelay_task, kcsan_udelay_task, uint, 0644);
39module_param_named(udelay_interrupt, kcsan_udelay_interrupt, uint, 0644);
40module_param_named(skip_watch, kcsan_skip_watch, long, 0644);
41module_param_named(interrupt_watcher, kcsan_interrupt_watcher, bool, 0444);
42
43bool kcsan_enabled;
44
45/* Per-CPU kcsan_ctx for interrupts */
46static DEFINE_PER_CPU(struct kcsan_ctx, kcsan_cpu_ctx) = {
47 .disable_count = 0,
48 .atomic_next = 0,
49 .atomic_nest_count = 0,
50 .in_flat_atomic = false,
51 .access_mask = 0,
52 .scoped_accesses = {LIST_POISON1, NULL},
53};
54
55/*
56 * Helper macros to index into adjacent slots, starting from address slot
57 * itself, followed by the right and left slots.
58 *
59 * The purpose is 2-fold:
60 *
61 * 1. if during insertion the address slot is already occupied, check if
62 * any adjacent slots are free;
63 * 2. accesses that straddle a slot boundary due to size that exceeds a
64 * slot's range may check adjacent slots if any watchpoint matches.
65 *
66 * Note that accesses with very large size may still miss a watchpoint; however,
67 * given this should be rare, this is a reasonable trade-off to make, since this
68 * will avoid:
69 *
70 * 1. excessive contention between watchpoint checks and setup;
71 * 2. larger number of simultaneous watchpoints without sacrificing
72 * performance.
73 *
74 * Example: SLOT_IDX values for KCSAN_CHECK_ADJACENT=1, where i is [0, 1, 2]:
75 *
76 * slot=0: [ 1, 2, 0]
77 * slot=9: [10, 11, 9]
78 * slot=63: [64, 65, 63]
79 */
80#define SLOT_IDX(slot, i) (slot + ((i + KCSAN_CHECK_ADJACENT) % NUM_SLOTS))
81
82/*
83 * SLOT_IDX_FAST is used in the fast-path. Not first checking the address's primary
84 * slot (middle) is fine if we assume that races occur rarely. The set of
85 * indices {SLOT_IDX(slot, i) | i in [0, NUM_SLOTS)} is equivalent to
86 * {SLOT_IDX_FAST(slot, i) | i in [0, NUM_SLOTS)}.
87 */
88#define SLOT_IDX_FAST(slot, i) (slot + i)
89
90/*
91 * Watchpoints, with each entry encoded as defined in encoding.h: in order to be
92 * able to safely update and access a watchpoint without introducing locking
93 * overhead, we encode each watchpoint as a single atomic long. The initial
94 * zero-initialized state matches INVALID_WATCHPOINT.
95 *
96 * Add NUM_SLOTS-1 entries to account for overflow; this helps avoid having to
97 * use more complicated SLOT_IDX_FAST calculation with modulo in the fast-path.
98 */
99static atomic_long_t watchpoints[CONFIG_KCSAN_NUM_WATCHPOINTS + NUM_SLOTS-1];
100
101/*
102 * Instructions to skip watching counter, used in should_watch(). We use a
103 * per-CPU counter to avoid excessive contention.
104 */
105static DEFINE_PER_CPU(long, kcsan_skip);
106
107/* For kcsan_prandom_u32_max(). */
108static DEFINE_PER_CPU(u32, kcsan_rand_state);
109
110static __always_inline atomic_long_t *find_watchpoint(unsigned long addr,
111 size_t size,
112 bool expect_write,
113 long *encoded_watchpoint)
114{
115 const int slot = watchpoint_slot(addr);
116 const unsigned long addr_masked = addr & WATCHPOINT_ADDR_MASK;
117 atomic_long_t *watchpoint;
118 unsigned long wp_addr_masked;
119 size_t wp_size;
120 bool is_write;
121 int i;
122
123 BUILD_BUG_ON(CONFIG_KCSAN_NUM_WATCHPOINTS < NUM_SLOTS);
124
125 for (i = 0; i < NUM_SLOTS; ++i) {
126 watchpoint = &watchpoints[SLOT_IDX_FAST(slot, i)];
127 *encoded_watchpoint = atomic_long_read(watchpoint);
128 if (!decode_watchpoint(*encoded_watchpoint, &wp_addr_masked,
129 &wp_size, &is_write))
130 continue;
131
132 if (expect_write && !is_write)
133 continue;
134
135 /* Check if the watchpoint matches the access. */
136 if (matching_access(wp_addr_masked, wp_size, addr_masked, size))
137 return watchpoint;
138 }
139
140 return NULL;
141}
142
143static inline atomic_long_t *
144insert_watchpoint(unsigned long addr, size_t size, bool is_write)
145{
146 const int slot = watchpoint_slot(addr);
147 const long encoded_watchpoint = encode_watchpoint(addr, size, is_write);
148 atomic_long_t *watchpoint;
149 int i;
150
151 /* Check slot index logic, ensuring we stay within array bounds. */
152 BUILD_BUG_ON(SLOT_IDX(0, 0) != KCSAN_CHECK_ADJACENT);
153 BUILD_BUG_ON(SLOT_IDX(0, KCSAN_CHECK_ADJACENT+1) != 0);
154 BUILD_BUG_ON(SLOT_IDX(CONFIG_KCSAN_NUM_WATCHPOINTS-1, KCSAN_CHECK_ADJACENT) != ARRAY_SIZE(watchpoints)-1);
155 BUILD_BUG_ON(SLOT_IDX(CONFIG_KCSAN_NUM_WATCHPOINTS-1, KCSAN_CHECK_ADJACENT+1) != ARRAY_SIZE(watchpoints) - NUM_SLOTS);
156
157 for (i = 0; i < NUM_SLOTS; ++i) {
158 long expect_val = INVALID_WATCHPOINT;
159
160 /* Try to acquire this slot. */
161 watchpoint = &watchpoints[SLOT_IDX(slot, i)];
162 if (atomic_long_try_cmpxchg_relaxed(watchpoint, &expect_val, encoded_watchpoint))
163 return watchpoint;
164 }
165
166 return NULL;
167}
168
169/*
170 * Return true if watchpoint was successfully consumed, false otherwise.
171 *
172 * This may return false if:
173 *
174 * 1. another thread already consumed the watchpoint;
175 * 2. the thread that set up the watchpoint already removed it;
176 * 3. the watchpoint was removed and then re-used.
177 */
178static __always_inline bool
179try_consume_watchpoint(atomic_long_t *watchpoint, long encoded_watchpoint)
180{
181 return atomic_long_try_cmpxchg_relaxed(watchpoint, &encoded_watchpoint, CONSUMED_WATCHPOINT);
182}
183
184/* Return true if watchpoint was not touched, false if already consumed. */
185static inline bool consume_watchpoint(atomic_long_t *watchpoint)
186{
187 return atomic_long_xchg_relaxed(watchpoint, CONSUMED_WATCHPOINT) != CONSUMED_WATCHPOINT;
188}
189
190/* Remove the watchpoint -- its slot may be reused after. */
191static inline void remove_watchpoint(atomic_long_t *watchpoint)
192{
193 atomic_long_set(watchpoint, INVALID_WATCHPOINT);
194}
195
196static __always_inline struct kcsan_ctx *get_ctx(void)
197{
198 /*
199 * In interrupts, use raw_cpu_ptr to avoid unnecessary checks, that would
200 * also result in calls that generate warnings in uaccess regions.
201 */
202 return in_task() ? ¤t->kcsan_ctx : raw_cpu_ptr(&kcsan_cpu_ctx);
203}
204
205/* Check scoped accesses; never inline because this is a slow-path! */
206static noinline void kcsan_check_scoped_accesses(void)
207{
208 struct kcsan_ctx *ctx = get_ctx();
209 struct list_head *prev_save = ctx->scoped_accesses.prev;
210 struct kcsan_scoped_access *scoped_access;
211
212 ctx->scoped_accesses.prev = NULL; /* Avoid recursion. */
213 list_for_each_entry(scoped_access, &ctx->scoped_accesses, list)
214 __kcsan_check_access(scoped_access->ptr, scoped_access->size, scoped_access->type);
215 ctx->scoped_accesses.prev = prev_save;
216}
217
218/* Rules for generic atomic accesses. Called from fast-path. */
219static __always_inline bool
220is_atomic(const volatile void *ptr, size_t size, int type, struct kcsan_ctx *ctx)
221{
222 if (type & KCSAN_ACCESS_ATOMIC)
223 return true;
224
225 /*
226 * Unless explicitly declared atomic, never consider an assertion access
227 * as atomic. This allows using them also in atomic regions, such as
228 * seqlocks, without implicitly changing their semantics.
229 */
230 if (type & KCSAN_ACCESS_ASSERT)
231 return false;
232
233 if (IS_ENABLED(CONFIG_KCSAN_ASSUME_PLAIN_WRITES_ATOMIC) &&
234 (type & KCSAN_ACCESS_WRITE) && size <= sizeof(long) &&
235 !(type & KCSAN_ACCESS_COMPOUND) && IS_ALIGNED((unsigned long)ptr, size))
236 return true; /* Assume aligned writes up to word size are atomic. */
237
238 if (ctx->atomic_next > 0) {
239 /*
240 * Because we do not have separate contexts for nested
241 * interrupts, in case atomic_next is set, we simply assume that
242 * the outer interrupt set atomic_next. In the worst case, we
243 * will conservatively consider operations as atomic. This is a
244 * reasonable trade-off to make, since this case should be
245 * extremely rare; however, even if extremely rare, it could
246 * lead to false positives otherwise.
247 */
248 if ((hardirq_count() >> HARDIRQ_SHIFT) < 2)
249 --ctx->atomic_next; /* in task, or outer interrupt */
250 return true;
251 }
252
253 return ctx->atomic_nest_count > 0 || ctx->in_flat_atomic;
254}
255
256static __always_inline bool
257should_watch(const volatile void *ptr, size_t size, int type, struct kcsan_ctx *ctx)
258{
259 /*
260 * Never set up watchpoints when memory operations are atomic.
261 *
262 * Need to check this first, before kcsan_skip check below: (1) atomics
263 * should not count towards skipped instructions, and (2) to actually
264 * decrement kcsan_atomic_next for consecutive instruction stream.
265 */
266 if (is_atomic(ptr, size, type, ctx))
267 return false;
268
269 if (this_cpu_dec_return(kcsan_skip) >= 0)
270 return false;
271
272 /*
273 * NOTE: If we get here, kcsan_skip must always be reset in slow path
274 * via reset_kcsan_skip() to avoid underflow.
275 */
276
277 /* this operation should be watched */
278 return true;
279}
280
281/*
282 * Returns a pseudo-random number in interval [0, ep_ro). Simple linear
283 * congruential generator, using constants from "Numerical Recipes".
284 */
285static u32 kcsan_prandom_u32_max(u32 ep_ro)
286{
287 u32 state = this_cpu_read(kcsan_rand_state);
288
289 state = 1664525 * state + 1013904223;
290 this_cpu_write(kcsan_rand_state, state);
291
292 return state % ep_ro;
293}
294
295static inline void reset_kcsan_skip(void)
296{
297 long skip_count = kcsan_skip_watch -
298 (IS_ENABLED(CONFIG_KCSAN_SKIP_WATCH_RANDOMIZE) ?
299 kcsan_prandom_u32_max(kcsan_skip_watch) :
300 0);
301 this_cpu_write(kcsan_skip, skip_count);
302}
303
304static __always_inline bool kcsan_is_enabled(void)
305{
306 return READ_ONCE(kcsan_enabled) && get_ctx()->disable_count == 0;
307}
308
309/* Introduce delay depending on context and configuration. */
310static void delay_access(int type)
311{
312 unsigned int delay = in_task() ? kcsan_udelay_task : kcsan_udelay_interrupt;
313 /* For certain access types, skew the random delay to be longer. */
314 unsigned int skew_delay_order =
315 (type & (KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_ASSERT)) ? 1 : 0;
316
317 delay -= IS_ENABLED(CONFIG_KCSAN_DELAY_RANDOMIZE) ?
318 kcsan_prandom_u32_max(delay >> skew_delay_order) :
319 0;
320 udelay(delay);
321}
322
323void kcsan_save_irqtrace(struct task_struct *task)
324{
325#ifdef CONFIG_TRACE_IRQFLAGS
326 task->kcsan_save_irqtrace = task->irqtrace;
327#endif
328}
329
330void kcsan_restore_irqtrace(struct task_struct *task)
331{
332#ifdef CONFIG_TRACE_IRQFLAGS
333 task->irqtrace = task->kcsan_save_irqtrace;
334#endif
335}
336
337/*
338 * Pull everything together: check_access() below contains the performance
339 * critical operations; the fast-path (including check_access) functions should
340 * all be inlinable by the instrumentation functions.
341 *
342 * The slow-path (kcsan_found_watchpoint, kcsan_setup_watchpoint) are
343 * non-inlinable -- note that, we prefix these with "kcsan_" to ensure they can
344 * be filtered from the stacktrace, as well as give them unique names for the
345 * UACCESS whitelist of objtool. Each function uses user_access_save/restore(),
346 * since they do not access any user memory, but instrumentation is still
347 * emitted in UACCESS regions.
348 */
349
350static noinline void kcsan_found_watchpoint(const volatile void *ptr,
351 size_t size,
352 int type,
353 atomic_long_t *watchpoint,
354 long encoded_watchpoint)
355{
356 unsigned long flags;
357 bool consumed;
358
359 if (!kcsan_is_enabled())
360 return;
361
362 /*
363 * The access_mask check relies on value-change comparison. To avoid
364 * reporting a race where e.g. the writer set up the watchpoint, but the
365 * reader has access_mask!=0, we have to ignore the found watchpoint.
366 */
367 if (get_ctx()->access_mask != 0)
368 return;
369
370 /*
371 * Consume the watchpoint as soon as possible, to minimize the chances
372 * of !consumed. Consuming the watchpoint must always be guarded by
373 * kcsan_is_enabled() check, as otherwise we might erroneously
374 * triggering reports when disabled.
375 */
376 consumed = try_consume_watchpoint(watchpoint, encoded_watchpoint);
377
378 /* keep this after try_consume_watchpoint */
379 flags = user_access_save();
380
381 if (consumed) {
382 kcsan_save_irqtrace(current);
383 kcsan_report_set_info(ptr, size, type, watchpoint - watchpoints);
384 kcsan_restore_irqtrace(current);
385 } else {
386 /*
387 * The other thread may not print any diagnostics, as it has
388 * already removed the watchpoint, or another thread consumed
389 * the watchpoint before this thread.
390 */
391 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_REPORT_RACES]);
392 }
393
394 if ((type & KCSAN_ACCESS_ASSERT) != 0)
395 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_ASSERT_FAILURES]);
396 else
397 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_DATA_RACES]);
398
399 user_access_restore(flags);
400}
401
402static noinline void
403kcsan_setup_watchpoint(const volatile void *ptr, size_t size, int type)
404{
405 const bool is_write = (type & KCSAN_ACCESS_WRITE) != 0;
406 const bool is_assert = (type & KCSAN_ACCESS_ASSERT) != 0;
407 atomic_long_t *watchpoint;
408 u64 old, new, diff;
409 unsigned long access_mask;
410 enum kcsan_value_change value_change = KCSAN_VALUE_CHANGE_MAYBE;
411 unsigned long ua_flags = user_access_save();
412 unsigned long irq_flags = 0;
413
414 /*
415 * Always reset kcsan_skip counter in slow-path to avoid underflow; see
416 * should_watch().
417 */
418 reset_kcsan_skip();
419
420 if (!kcsan_is_enabled())
421 goto out;
422
423 /*
424 * Special atomic rules: unlikely to be true, so we check them here in
425 * the slow-path, and not in the fast-path in is_atomic(). Call after
426 * kcsan_is_enabled(), as we may access memory that is not yet
427 * initialized during early boot.
428 */
429 if (!is_assert && kcsan_is_atomic_special(ptr))
430 goto out;
431
432 if (!check_encodable((unsigned long)ptr, size)) {
433 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_UNENCODABLE_ACCESSES]);
434 goto out;
435 }
436
437 /*
438 * Save and restore the IRQ state trace touched by KCSAN, since KCSAN's
439 * runtime is entered for every memory access, and potentially useful
440 * information is lost if dirtied by KCSAN.
441 */
442 kcsan_save_irqtrace(current);
443 if (!kcsan_interrupt_watcher)
444 local_irq_save(irq_flags);
445
446 watchpoint = insert_watchpoint((unsigned long)ptr, size, is_write);
447 if (watchpoint == NULL) {
448 /*
449 * Out of capacity: the size of 'watchpoints', and the frequency
450 * with which should_watch() returns true should be tweaked so
451 * that this case happens very rarely.
452 */
453 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_NO_CAPACITY]);
454 goto out_unlock;
455 }
456
457 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_SETUP_WATCHPOINTS]);
458 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_USED_WATCHPOINTS]);
459
460 /*
461 * Read the current value, to later check and infer a race if the data
462 * was modified via a non-instrumented access, e.g. from a device.
463 */
464 old = 0;
465 switch (size) {
466 case 1:
467 old = READ_ONCE(*(const u8 *)ptr);
468 break;
469 case 2:
470 old = READ_ONCE(*(const u16 *)ptr);
471 break;
472 case 4:
473 old = READ_ONCE(*(const u32 *)ptr);
474 break;
475 case 8:
476 old = READ_ONCE(*(const u64 *)ptr);
477 break;
478 default:
479 break; /* ignore; we do not diff the values */
480 }
481
482 if (IS_ENABLED(CONFIG_KCSAN_DEBUG)) {
483 kcsan_disable_current();
484 pr_err("watching %s, size: %zu, addr: %px [slot: %d, encoded: %lx]\n",
485 is_write ? "write" : "read", size, ptr,
486 watchpoint_slot((unsigned long)ptr),
487 encode_watchpoint((unsigned long)ptr, size, is_write));
488 kcsan_enable_current();
489 }
490
491 /*
492 * Delay this thread, to increase probability of observing a racy
493 * conflicting access.
494 */
495 delay_access(type);
496
497 /*
498 * Re-read value, and check if it is as expected; if not, we infer a
499 * racy access.
500 */
501 access_mask = get_ctx()->access_mask;
502 new = 0;
503 switch (size) {
504 case 1:
505 new = READ_ONCE(*(const u8 *)ptr);
506 break;
507 case 2:
508 new = READ_ONCE(*(const u16 *)ptr);
509 break;
510 case 4:
511 new = READ_ONCE(*(const u32 *)ptr);
512 break;
513 case 8:
514 new = READ_ONCE(*(const u64 *)ptr);
515 break;
516 default:
517 break; /* ignore; we do not diff the values */
518 }
519
520 diff = old ^ new;
521 if (access_mask)
522 diff &= access_mask;
523
524 /* Were we able to observe a value-change? */
525 if (diff != 0)
526 value_change = KCSAN_VALUE_CHANGE_TRUE;
527
528 /* Check if this access raced with another. */
529 if (!consume_watchpoint(watchpoint)) {
530 /*
531 * Depending on the access type, map a value_change of MAYBE to
532 * TRUE (always report) or FALSE (never report).
533 */
534 if (value_change == KCSAN_VALUE_CHANGE_MAYBE) {
535 if (access_mask != 0) {
536 /*
537 * For access with access_mask, we require a
538 * value-change, as it is likely that races on
539 * ~access_mask bits are expected.
540 */
541 value_change = KCSAN_VALUE_CHANGE_FALSE;
542 } else if (size > 8 || is_assert) {
543 /* Always assume a value-change. */
544 value_change = KCSAN_VALUE_CHANGE_TRUE;
545 }
546 }
547
548 /*
549 * No need to increment 'data_races' counter, as the racing
550 * thread already did.
551 *
552 * Count 'assert_failures' for each failed ASSERT access,
553 * therefore both this thread and the racing thread may
554 * increment this counter.
555 */
556 if (is_assert && value_change == KCSAN_VALUE_CHANGE_TRUE)
557 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_ASSERT_FAILURES]);
558
559 kcsan_report_known_origin(ptr, size, type, value_change,
560 watchpoint - watchpoints,
561 old, new, access_mask);
562 } else if (value_change == KCSAN_VALUE_CHANGE_TRUE) {
563 /* Inferring a race, since the value should not have changed. */
564
565 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_RACES_UNKNOWN_ORIGIN]);
566 if (is_assert)
567 atomic_long_inc(&kcsan_counters[KCSAN_COUNTER_ASSERT_FAILURES]);
568
569 if (IS_ENABLED(CONFIG_KCSAN_REPORT_RACE_UNKNOWN_ORIGIN) || is_assert)
570 kcsan_report_unknown_origin(ptr, size, type, old, new, access_mask);
571 }
572
573 /*
574 * Remove watchpoint; must be after reporting, since the slot may be
575 * reused after this point.
576 */
577 remove_watchpoint(watchpoint);
578 atomic_long_dec(&kcsan_counters[KCSAN_COUNTER_USED_WATCHPOINTS]);
579out_unlock:
580 if (!kcsan_interrupt_watcher)
581 local_irq_restore(irq_flags);
582 kcsan_restore_irqtrace(current);
583out:
584 user_access_restore(ua_flags);
585}
586
587static __always_inline void check_access(const volatile void *ptr, size_t size,
588 int type)
589{
590 const bool is_write = (type & KCSAN_ACCESS_WRITE) != 0;
591 atomic_long_t *watchpoint;
592 long encoded_watchpoint;
593
594 /*
595 * Do nothing for 0 sized check; this comparison will be optimized out
596 * for constant sized instrumentation (__tsan_{read,write}N).
597 */
598 if (unlikely(size == 0))
599 return;
600
601 /*
602 * Avoid user_access_save in fast-path: find_watchpoint is safe without
603 * user_access_save, as the address that ptr points to is only used to
604 * check if a watchpoint exists; ptr is never dereferenced.
605 */
606 watchpoint = find_watchpoint((unsigned long)ptr, size, !is_write,
607 &encoded_watchpoint);
608 /*
609 * It is safe to check kcsan_is_enabled() after find_watchpoint in the
610 * slow-path, as long as no state changes that cause a race to be
611 * detected and reported have occurred until kcsan_is_enabled() is
612 * checked.
613 */
614
615 if (unlikely(watchpoint != NULL))
616 kcsan_found_watchpoint(ptr, size, type, watchpoint,
617 encoded_watchpoint);
618 else {
619 struct kcsan_ctx *ctx = get_ctx(); /* Call only once in fast-path. */
620
621 if (unlikely(should_watch(ptr, size, type, ctx)))
622 kcsan_setup_watchpoint(ptr, size, type);
623 else if (unlikely(ctx->scoped_accesses.prev))
624 kcsan_check_scoped_accesses();
625 }
626}
627
628/* === Public interface ===================================================== */
629
630void __init kcsan_init(void)
631{
632 int cpu;
633
634 BUG_ON(!in_task());
635
636 for_each_possible_cpu(cpu)
637 per_cpu(kcsan_rand_state, cpu) = (u32)get_cycles();
638
639 /*
640 * We are in the init task, and no other tasks should be running;
641 * WRITE_ONCE without memory barrier is sufficient.
642 */
643 if (kcsan_early_enable) {
644 pr_info("enabled early\n");
645 WRITE_ONCE(kcsan_enabled, true);
646 }
647}
648
649/* === Exported interface =================================================== */
650
651void kcsan_disable_current(void)
652{
653 ++get_ctx()->disable_count;
654}
655EXPORT_SYMBOL(kcsan_disable_current);
656
657void kcsan_enable_current(void)
658{
659 if (get_ctx()->disable_count-- == 0) {
660 /*
661 * Warn if kcsan_enable_current() calls are unbalanced with
662 * kcsan_disable_current() calls, which causes disable_count to
663 * become negative and should not happen.
664 */
665 kcsan_disable_current(); /* restore to 0, KCSAN still enabled */
666 kcsan_disable_current(); /* disable to generate warning */
667 WARN(1, "Unbalanced %s()", __func__);
668 kcsan_enable_current();
669 }
670}
671EXPORT_SYMBOL(kcsan_enable_current);
672
673void kcsan_enable_current_nowarn(void)
674{
675 if (get_ctx()->disable_count-- == 0)
676 kcsan_disable_current();
677}
678EXPORT_SYMBOL(kcsan_enable_current_nowarn);
679
680void kcsan_nestable_atomic_begin(void)
681{
682 /*
683 * Do *not* check and warn if we are in a flat atomic region: nestable
684 * and flat atomic regions are independent from each other.
685 * See include/linux/kcsan.h: struct kcsan_ctx comments for more
686 * comments.
687 */
688
689 ++get_ctx()->atomic_nest_count;
690}
691EXPORT_SYMBOL(kcsan_nestable_atomic_begin);
692
693void kcsan_nestable_atomic_end(void)
694{
695 if (get_ctx()->atomic_nest_count-- == 0) {
696 /*
697 * Warn if kcsan_nestable_atomic_end() calls are unbalanced with
698 * kcsan_nestable_atomic_begin() calls, which causes
699 * atomic_nest_count to become negative and should not happen.
700 */
701 kcsan_nestable_atomic_begin(); /* restore to 0 */
702 kcsan_disable_current(); /* disable to generate warning */
703 WARN(1, "Unbalanced %s()", __func__);
704 kcsan_enable_current();
705 }
706}
707EXPORT_SYMBOL(kcsan_nestable_atomic_end);
708
709void kcsan_flat_atomic_begin(void)
710{
711 get_ctx()->in_flat_atomic = true;
712}
713EXPORT_SYMBOL(kcsan_flat_atomic_begin);
714
715void kcsan_flat_atomic_end(void)
716{
717 get_ctx()->in_flat_atomic = false;
718}
719EXPORT_SYMBOL(kcsan_flat_atomic_end);
720
721void kcsan_atomic_next(int n)
722{
723 get_ctx()->atomic_next = n;
724}
725EXPORT_SYMBOL(kcsan_atomic_next);
726
727void kcsan_set_access_mask(unsigned long mask)
728{
729 get_ctx()->access_mask = mask;
730}
731EXPORT_SYMBOL(kcsan_set_access_mask);
732
733struct kcsan_scoped_access *
734kcsan_begin_scoped_access(const volatile void *ptr, size_t size, int type,
735 struct kcsan_scoped_access *sa)
736{
737 struct kcsan_ctx *ctx = get_ctx();
738
739 __kcsan_check_access(ptr, size, type);
740
741 ctx->disable_count++; /* Disable KCSAN, in case list debugging is on. */
742
743 INIT_LIST_HEAD(&sa->list);
744 sa->ptr = ptr;
745 sa->size = size;
746 sa->type = type;
747
748 if (!ctx->scoped_accesses.prev) /* Lazy initialize list head. */
749 INIT_LIST_HEAD(&ctx->scoped_accesses);
750 list_add(&sa->list, &ctx->scoped_accesses);
751
752 ctx->disable_count--;
753 return sa;
754}
755EXPORT_SYMBOL(kcsan_begin_scoped_access);
756
757void kcsan_end_scoped_access(struct kcsan_scoped_access *sa)
758{
759 struct kcsan_ctx *ctx = get_ctx();
760
761 if (WARN(!ctx->scoped_accesses.prev, "Unbalanced %s()?", __func__))
762 return;
763
764 ctx->disable_count++; /* Disable KCSAN, in case list debugging is on. */
765
766 list_del(&sa->list);
767 if (list_empty(&ctx->scoped_accesses))
768 /*
769 * Ensure we do not enter kcsan_check_scoped_accesses()
770 * slow-path if unnecessary, and avoids requiring list_empty()
771 * in the fast-path (to avoid a READ_ONCE() and potential
772 * uaccess warning).
773 */
774 ctx->scoped_accesses.prev = NULL;
775
776 ctx->disable_count--;
777
778 __kcsan_check_access(sa->ptr, sa->size, sa->type);
779}
780EXPORT_SYMBOL(kcsan_end_scoped_access);
781
782void __kcsan_check_access(const volatile void *ptr, size_t size, int type)
783{
784 check_access(ptr, size, type);
785}
786EXPORT_SYMBOL(__kcsan_check_access);
787
788/*
789 * KCSAN uses the same instrumentation that is emitted by supported compilers
790 * for ThreadSanitizer (TSAN).
791 *
792 * When enabled, the compiler emits instrumentation calls (the functions
793 * prefixed with "__tsan" below) for all loads and stores that it generated;
794 * inline asm is not instrumented.
795 *
796 * Note that, not all supported compiler versions distinguish aligned/unaligned
797 * accesses, but e.g. recent versions of Clang do. We simply alias the unaligned
798 * version to the generic version, which can handle both.
799 */
800
801#define DEFINE_TSAN_READ_WRITE(size) \
802 void __tsan_read##size(void *ptr); \
803 void __tsan_read##size(void *ptr) \
804 { \
805 check_access(ptr, size, 0); \
806 } \
807 EXPORT_SYMBOL(__tsan_read##size); \
808 void __tsan_unaligned_read##size(void *ptr) \
809 __alias(__tsan_read##size); \
810 EXPORT_SYMBOL(__tsan_unaligned_read##size); \
811 void __tsan_write##size(void *ptr); \
812 void __tsan_write##size(void *ptr) \
813 { \
814 check_access(ptr, size, KCSAN_ACCESS_WRITE); \
815 } \
816 EXPORT_SYMBOL(__tsan_write##size); \
817 void __tsan_unaligned_write##size(void *ptr) \
818 __alias(__tsan_write##size); \
819 EXPORT_SYMBOL(__tsan_unaligned_write##size); \
820 void __tsan_read_write##size(void *ptr); \
821 void __tsan_read_write##size(void *ptr) \
822 { \
823 check_access(ptr, size, \
824 KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE); \
825 } \
826 EXPORT_SYMBOL(__tsan_read_write##size); \
827 void __tsan_unaligned_read_write##size(void *ptr) \
828 __alias(__tsan_read_write##size); \
829 EXPORT_SYMBOL(__tsan_unaligned_read_write##size)
830
831DEFINE_TSAN_READ_WRITE(1);
832DEFINE_TSAN_READ_WRITE(2);
833DEFINE_TSAN_READ_WRITE(4);
834DEFINE_TSAN_READ_WRITE(8);
835DEFINE_TSAN_READ_WRITE(16);
836
837void __tsan_read_range(void *ptr, size_t size);
838void __tsan_read_range(void *ptr, size_t size)
839{
840 check_access(ptr, size, 0);
841}
842EXPORT_SYMBOL(__tsan_read_range);
843
844void __tsan_write_range(void *ptr, size_t size);
845void __tsan_write_range(void *ptr, size_t size)
846{
847 check_access(ptr, size, KCSAN_ACCESS_WRITE);
848}
849EXPORT_SYMBOL(__tsan_write_range);
850
851/*
852 * Use of explicit volatile is generally disallowed [1], however, volatile is
853 * still used in various concurrent context, whether in low-level
854 * synchronization primitives or for legacy reasons.
855 * [1] https://lwn.net/Articles/233479/
856 *
857 * We only consider volatile accesses atomic if they are aligned and would pass
858 * the size-check of compiletime_assert_rwonce_type().
859 */
860#define DEFINE_TSAN_VOLATILE_READ_WRITE(size) \
861 void __tsan_volatile_read##size(void *ptr); \
862 void __tsan_volatile_read##size(void *ptr) \
863 { \
864 const bool is_atomic = size <= sizeof(long long) && \
865 IS_ALIGNED((unsigned long)ptr, size); \
866 if (IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS) && is_atomic) \
867 return; \
868 check_access(ptr, size, is_atomic ? KCSAN_ACCESS_ATOMIC : 0); \
869 } \
870 EXPORT_SYMBOL(__tsan_volatile_read##size); \
871 void __tsan_unaligned_volatile_read##size(void *ptr) \
872 __alias(__tsan_volatile_read##size); \
873 EXPORT_SYMBOL(__tsan_unaligned_volatile_read##size); \
874 void __tsan_volatile_write##size(void *ptr); \
875 void __tsan_volatile_write##size(void *ptr) \
876 { \
877 const bool is_atomic = size <= sizeof(long long) && \
878 IS_ALIGNED((unsigned long)ptr, size); \
879 if (IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS) && is_atomic) \
880 return; \
881 check_access(ptr, size, \
882 KCSAN_ACCESS_WRITE | \
883 (is_atomic ? KCSAN_ACCESS_ATOMIC : 0)); \
884 } \
885 EXPORT_SYMBOL(__tsan_volatile_write##size); \
886 void __tsan_unaligned_volatile_write##size(void *ptr) \
887 __alias(__tsan_volatile_write##size); \
888 EXPORT_SYMBOL(__tsan_unaligned_volatile_write##size)
889
890DEFINE_TSAN_VOLATILE_READ_WRITE(1);
891DEFINE_TSAN_VOLATILE_READ_WRITE(2);
892DEFINE_TSAN_VOLATILE_READ_WRITE(4);
893DEFINE_TSAN_VOLATILE_READ_WRITE(8);
894DEFINE_TSAN_VOLATILE_READ_WRITE(16);
895
896/*
897 * The below are not required by KCSAN, but can still be emitted by the
898 * compiler.
899 */
900void __tsan_func_entry(void *call_pc);
901void __tsan_func_entry(void *call_pc)
902{
903}
904EXPORT_SYMBOL(__tsan_func_entry);
905void __tsan_func_exit(void);
906void __tsan_func_exit(void)
907{
908}
909EXPORT_SYMBOL(__tsan_func_exit);
910void __tsan_init(void);
911void __tsan_init(void)
912{
913}
914EXPORT_SYMBOL(__tsan_init);
915
916/*
917 * Instrumentation for atomic builtins (__atomic_*, __sync_*).
918 *
919 * Normal kernel code _should not_ be using them directly, but some
920 * architectures may implement some or all atomics using the compilers'
921 * builtins.
922 *
923 * Note: If an architecture decides to fully implement atomics using the
924 * builtins, because they are implicitly instrumented by KCSAN (and KASAN,
925 * etc.), implementing the ARCH_ATOMIC interface (to get instrumentation via
926 * atomic-instrumented) is no longer necessary.
927 *
928 * TSAN instrumentation replaces atomic accesses with calls to any of the below
929 * functions, whose job is to also execute the operation itself.
930 */
931
932#define DEFINE_TSAN_ATOMIC_LOAD_STORE(bits) \
933 u##bits __tsan_atomic##bits##_load(const u##bits *ptr, int memorder); \
934 u##bits __tsan_atomic##bits##_load(const u##bits *ptr, int memorder) \
935 { \
936 if (!IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS)) { \
937 check_access(ptr, bits / BITS_PER_BYTE, KCSAN_ACCESS_ATOMIC); \
938 } \
939 return __atomic_load_n(ptr, memorder); \
940 } \
941 EXPORT_SYMBOL(__tsan_atomic##bits##_load); \
942 void __tsan_atomic##bits##_store(u##bits *ptr, u##bits v, int memorder); \
943 void __tsan_atomic##bits##_store(u##bits *ptr, u##bits v, int memorder) \
944 { \
945 if (!IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS)) { \
946 check_access(ptr, bits / BITS_PER_BYTE, \
947 KCSAN_ACCESS_WRITE | KCSAN_ACCESS_ATOMIC); \
948 } \
949 __atomic_store_n(ptr, v, memorder); \
950 } \
951 EXPORT_SYMBOL(__tsan_atomic##bits##_store)
952
953#define DEFINE_TSAN_ATOMIC_RMW(op, bits, suffix) \
954 u##bits __tsan_atomic##bits##_##op(u##bits *ptr, u##bits v, int memorder); \
955 u##bits __tsan_atomic##bits##_##op(u##bits *ptr, u##bits v, int memorder) \
956 { \
957 if (!IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS)) { \
958 check_access(ptr, bits / BITS_PER_BYTE, \
959 KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE | \
960 KCSAN_ACCESS_ATOMIC); \
961 } \
962 return __atomic_##op##suffix(ptr, v, memorder); \
963 } \
964 EXPORT_SYMBOL(__tsan_atomic##bits##_##op)
965
966/*
967 * Note: CAS operations are always classified as write, even in case they
968 * fail. We cannot perform check_access() after a write, as it might lead to
969 * false positives, in cases such as:
970 *
971 * T0: __atomic_compare_exchange_n(&p->flag, &old, 1, ...)
972 *
973 * T1: if (__atomic_load_n(&p->flag, ...)) {
974 * modify *p;
975 * p->flag = 0;
976 * }
977 *
978 * The only downside is that, if there are 3 threads, with one CAS that
979 * succeeds, another CAS that fails, and an unmarked racing operation, we may
980 * point at the wrong CAS as the source of the race. However, if we assume that
981 * all CAS can succeed in some other execution, the data race is still valid.
982 */
983#define DEFINE_TSAN_ATOMIC_CMPXCHG(bits, strength, weak) \
984 int __tsan_atomic##bits##_compare_exchange_##strength(u##bits *ptr, u##bits *exp, \
985 u##bits val, int mo, int fail_mo); \
986 int __tsan_atomic##bits##_compare_exchange_##strength(u##bits *ptr, u##bits *exp, \
987 u##bits val, int mo, int fail_mo) \
988 { \
989 if (!IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS)) { \
990 check_access(ptr, bits / BITS_PER_BYTE, \
991 KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE | \
992 KCSAN_ACCESS_ATOMIC); \
993 } \
994 return __atomic_compare_exchange_n(ptr, exp, val, weak, mo, fail_mo); \
995 } \
996 EXPORT_SYMBOL(__tsan_atomic##bits##_compare_exchange_##strength)
997
998#define DEFINE_TSAN_ATOMIC_CMPXCHG_VAL(bits) \
999 u##bits __tsan_atomic##bits##_compare_exchange_val(u##bits *ptr, u##bits exp, u##bits val, \
1000 int mo, int fail_mo); \
1001 u##bits __tsan_atomic##bits##_compare_exchange_val(u##bits *ptr, u##bits exp, u##bits val, \
1002 int mo, int fail_mo) \
1003 { \
1004 if (!IS_ENABLED(CONFIG_KCSAN_IGNORE_ATOMICS)) { \
1005 check_access(ptr, bits / BITS_PER_BYTE, \
1006 KCSAN_ACCESS_COMPOUND | KCSAN_ACCESS_WRITE | \
1007 KCSAN_ACCESS_ATOMIC); \
1008 } \
1009 __atomic_compare_exchange_n(ptr, &exp, val, 0, mo, fail_mo); \
1010 return exp; \
1011 } \
1012 EXPORT_SYMBOL(__tsan_atomic##bits##_compare_exchange_val)
1013
1014#define DEFINE_TSAN_ATOMIC_OPS(bits) \
1015 DEFINE_TSAN_ATOMIC_LOAD_STORE(bits); \
1016 DEFINE_TSAN_ATOMIC_RMW(exchange, bits, _n); \
1017 DEFINE_TSAN_ATOMIC_RMW(fetch_add, bits, ); \
1018 DEFINE_TSAN_ATOMIC_RMW(fetch_sub, bits, ); \
1019 DEFINE_TSAN_ATOMIC_RMW(fetch_and, bits, ); \
1020 DEFINE_TSAN_ATOMIC_RMW(fetch_or, bits, ); \
1021 DEFINE_TSAN_ATOMIC_RMW(fetch_xor, bits, ); \
1022 DEFINE_TSAN_ATOMIC_RMW(fetch_nand, bits, ); \
1023 DEFINE_TSAN_ATOMIC_CMPXCHG(bits, strong, 0); \
1024 DEFINE_TSAN_ATOMIC_CMPXCHG(bits, weak, 1); \
1025 DEFINE_TSAN_ATOMIC_CMPXCHG_VAL(bits)
1026
1027DEFINE_TSAN_ATOMIC_OPS(8);
1028DEFINE_TSAN_ATOMIC_OPS(16);
1029DEFINE_TSAN_ATOMIC_OPS(32);
1030DEFINE_TSAN_ATOMIC_OPS(64);
1031
1032void __tsan_atomic_thread_fence(int memorder);
1033void __tsan_atomic_thread_fence(int memorder)
1034{
1035 __atomic_thread_fence(memorder);
1036}
1037EXPORT_SYMBOL(__tsan_atomic_thread_fence);
1038
1039void __tsan_atomic_signal_fence(int memorder);
1040void __tsan_atomic_signal_fence(int memorder) { }
1041EXPORT_SYMBOL(__tsan_atomic_signal_fence);