Re: [tip:timers/core] [timekeeping] 5aa6c43eca: BUG:KCSAN:data-race_in_timekeeping_debug_get_ns/timekeeping_update_from_shadow

From: Marco Elver
Date: Wed Oct 30 2024 - 05:46:58 EST


On Wed, 30 Oct 2024 at 09:50, Thomas Gleixner <tglx@xxxxxxxxxxxxx> wrote:
>
> On Wed, Oct 30 2024 at 13:47, kernel test robot wrote:
> > this is another report about BUG:KCSAN, the change does not introduce new KCSAN
> > issue, but causes stats changes as below.
> >
> > [ 70.265411][ C1] BUG: KCSAN: data-race in timekeeping_debug_get_ns / timekeeping_update_from_shadow
> > [ 70.265430][ C1]
> > [ 70.265433][ C1] write to 0xffffffff8483fef8 of 296 bytes by interrupt on cpu 0:
> > [ 70.265440][ C1] timekeeping_update_from_shadow+0x8e/0x140
> > [ 70.265452][ C1] timekeeping_advance (kernel/time/timekeeping.c:2394)
> > [ 70.265462][ C1] update_wall_time (kernel/time/timekeeping.c:2403)
>
> timekeeping_update_from_shadow() holds the sequence count write.
>
> > [ 70.265642][ C1] timekeeping_debug_get_ns (kernel/time/timekeeping.c:415 kernel/time/timekeeping.c:399 kernel/time/timekeeping.c:307)
> > [ 70.265653][ C1] ktime_get (kernel/time/timekeeping.c:431 (discriminator 4) kernel/time/timekeeping.c:897 (discriminator 4))
> > [ 70.265660][ C1] tick_nohz_lowres_handler (kernel/time/tick-sched.c:220 kernel/time/tick-sched.c:290 kernel/time/tick-sched.c:1486)
>
> ktime_get()
>
>       do {
>               seq = read_seqcount_begin(&tk_core.seq);
>               timekeeping_debug_get_ns();
>       } while (read_seqcount_retry(&tk_core.seq, seq));
>
> So this should be safe against concurrency. I assume the issue here is
> that timekeeping_debug_get_ns() has a nested
>
>       do {
>               seq = read_seqcount_begin(&tk_core.seq);
>               ....
>       } while (read_seqcount_retry(&tk_core.seq, seq));
>
> inside. Which is still correct, but confuses KCSAN. Marco?

Right... Nested seqlocks have always been tricky for KCSAN, because
any racing access (vs. writer) after the inner read_seqcount_retry()
(after the loop) may end up being reported as a data race. The inner
read_seqcount_retry() will tell KCSAN "kcsan_atomic_next(0)", ending
the critical section, but at this point it's also forgotten the outer
one. The main problem with seqlocks has always been that there's no
requirement to cleanly denote a critical section with one
read_seqcount_begin() and a matching read_seqcount_retry(). Which is
why we opted for the kcsan_atomic_next(..) approach for seqlocks, so
that it can recover if the begin/retry calls are imbalanced. If the
seqlock interface were to change to require balanced
read_seqcount_begin/retry, then we could use
kcsan_nestable_atomic_begin/end().

I think for the few seqlock anomalies which KCSAN cannot deal with
today, it would be fair to mark such functions as __no_kcsan (or
surround with kcsan_disable_current()/kcsan_enable_current() to
include callees).

I'm also trying to figure out the seqcount_latch thing right now,
which is causing similar headaches:
https://lore.kernel.org/all/20241029083658.1096492-1-elver@xxxxxxxxxx/T/#u
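
Added example, not part of the original mail and not kernel code: a small user-space C model of the two marking schemes discussed above, showing why a flat kcsan_atomic_next()-style budget forgets the outer reader section after the inner retry, and why it still recovers from an unbalanced begin where a nest counter would not. The struct, the function names and REGION_MAX are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model constructed for illustration; not kernel code. */
#define REGION_MAX 1000 /* assumed budget armed by a reader begin */
struct ctx {
    int atomic_next; /* flat: upcoming accesses to treat as atomic */
    int nest_count;  /* nestable: depth of open critical sections */
};

/* Flat marking: begin arms a budget, retry clears it (kcsan_atomic_next(0)). */
static void flat_begin(struct ctx *c) { c->atomic_next = REGION_MAX; }
static void flat_retry(struct ctx *c) { c->atomic_next = 0; }
/* Nestable marking: only correct with strictly balanced begin/end calls. */
static void nest_begin(struct ctx *c) { c->nest_count++; }
static void nest_end(struct ctx *c) { c->nest_count--; }

/* True if a plain access here is race-checked, i.e. could be reported. */
static bool access_checked(struct ctx *c)
{
    if (c->nest_count > 0) return false;
    if (c->atomic_next > 0) { c->atomic_next--; return false; }
    return true;
}

/* Outer reader with a nested inner reader, then one more outer read. */
static bool outer_read_checked(bool nestable)
{
    struct ctx c = {0, 0};
    if (nestable) { nest_begin(&c); nest_begin(&c); } else { flat_begin(&c); flat_begin(&c); }
    access_checked(&c);                              /* read in inner section */
    if (nestable) nest_end(&c); else flat_retry(&c); /* inner retry */
    return access_checked(&c);                       /* still in outer section */
}

/* A begin that is never closed: does race checking ever come back? */
static bool recovers_after_unbalanced_begin(bool nestable)
{
    struct ctx c = {0, 0};
    if (nestable) nest_begin(&c); else flat_begin(&c);
    for (int i = 0; i < REGION_MAX; i++)
        access_checked(&c);
    return access_checked(&c);
}

int main(void)
{
    for (int n = 0; n <= 1; n++)
        printf("%s: outer read checked=%d, recovers=%d\n", n ? "nestable" : "flat", outer_read_checked(n), recovers_after_unbalanced_begin(n));
    return 0;
}
```

In the flat model the read after the inner retry is checked again even though the outer section is still open, which corresponds to the report in this thread; the nestable model avoids that but never resumes checking if a begin is left unmatched.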