Re: [PATCH 0/5] Add READ_ONCE and WRITE_ONCE to Rust
2 views
Skip to first unread message
Paul E. McKenney
Jan 6, 2026, 1:18:38 PM (12 days ago) Jan 6
to Peter Zijlstra, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
>
> > Some C code believes a plain write to a properly aligned location is
> > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > it's recommended to assume such), and I guess that's the case for
> > hrtimer, if it's not much a trouble you can replace the plain write with
> > WRITE_ONCE() on C side ;-)
>
> GCC used to provide this guarantee, some of the older code was written
> on that. GCC no longer provides that guarantee (there are known cases
> where it breaks and all that) and newer code should not rely on this.
>
> All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
Agreed!
In that vein, any objections to the patch shown below?
Thanx, Paul
------------------------------------------------------------------------
diff --git a/lib/Kconfig.kcsan b/lib/Kconfig.kcsan
index 4ce4b0c0109cb..e827e24ab5d42 100644
--- a/lib/Kconfig.kcsan
+++ b/lib/Kconfig.kcsan
@@ -199,7 +199,7 @@ config KCSAN_WEAK_MEMORY
config KCSAN_REPORT_VALUE_CHANGE_ONLY
bool "Only report races where watcher observed a data value change"
- default y
+ default n
depends on !KCSAN_STRICT
help
If enabled and a conflicting write is observed via a watchpoint, but
@@ -208,7 +208,7 @@ config KCSAN_REPORT_VALUE_CHANGE_ONLY
config KCSAN_ASSUME_PLAIN_WRITES_ATOMIC
bool "Assume that plain aligned writes up to word size are atomic"
- default y
+ default n
depends on !KCSAN_STRICT
help
Assume that plain aligned writes up to word size are atomic by
> On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
>
> > Some C code believes a plain write to a properly aligned location is
> > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > it's recommended to assume such), and I guess that's the case for
> > hrtimer, if it's not much a trouble you can replace the plain write with
> > WRITE_ONCE() on C side ;-)
>
> GCC used to provide this guarantee, some of the older code was written
> on that. GCC no longer provides that guarantee (there are known cases
> where it breaks and all that) and newer code should not rely on this.
>
> All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
Agreed!
In that vein, any objections to the patch shown below?
Thanx, Paul
------------------------------------------------------------------------
diff --git a/lib/Kconfig.kcsan b/lib/Kconfig.kcsan
index 4ce4b0c0109cb..e827e24ab5d42 100644
--- a/lib/Kconfig.kcsan
+++ b/lib/Kconfig.kcsan
@@ -199,7 +199,7 @@ config KCSAN_WEAK_MEMORY
config KCSAN_REPORT_VALUE_CHANGE_ONLY
bool "Only report races where watcher observed a data value change"
- default y
+ default n
depends on !KCSAN_STRICT
help
If enabled and a conflicting write is observed via a watchpoint, but
@@ -208,7 +208,7 @@ config KCSAN_REPORT_VALUE_CHANGE_ONLY
config KCSAN_ASSUME_PLAIN_WRITES_ATOMIC
bool "Assume that plain aligned writes up to word size are atomic"
- default y
+ default n
depends on !KCSAN_STRICT
help
Assume that plain aligned writes up to word size are atomic by
Marco Elver
Jan 6, 2026, 2:29:20 PM (12 days ago) Jan 6
to pau...@kernel.org, Peter Zijlstra, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
On Tue, 6 Jan 2026 at 19:18, 'Paul E. McKenney' via kasan-dev
<kasa...@googlegroups.com> wrote:
> On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> >
> > > Some C code believes a plain write to a properly aligned location is
> > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > it's recommended to assume such), and I guess that's the case for
> > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > WRITE_ONCE() on C side ;-)
> >
> > GCC used to provide this guarantee, some of the older code was written
> > on that. GCC no longer provides that guarantee (there are known cases
> > where it breaks and all that) and newer code should not rely on this.
> >
> > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
>
> Agreed!
>
> In that vein, any objections to the patch shown below?
I'd be in favor, as that's what we did in the very initial version of
<kasa...@googlegroups.com> wrote:
> On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> >
> > > Some C code believes a plain write to a properly aligned location is
> > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > it's recommended to assume such), and I guess that's the case for
> > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > WRITE_ONCE() on C side ;-)
> >
> > GCC used to provide this guarantee, some of the older code was written
> > on that. GCC no longer provides that guarantee (there are known cases
> > where it breaks and all that) and newer code should not rely on this.
> >
> > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
>
> Agreed!
>
> In that vein, any objections to the patch shown below?
KCSAN (we started strict and then loosened things up).
However, the fallout will be even more perceived "noise", despite
being legitimate data races. These config knobs were added after much
discussion in 2019/2020, somewhere around this discussion (I think
that's the one that spawned KCSAN_REPORT_VALUE_CHANGE_ONLY, can't find
the source for KCSAN_ASSUME_PLAIN_WRITES_ATOMIC):
https://lore.kernel.org/all/CAHk-=wgu-QXU83ai4XBnh7JJUo2NBW41XhLWf=7wrydR4=ZP...@mail.gmail.com/
While the situation has gotten better since 2020, we still have latent
data races that need some thought (given papering over things blindly
with *ONCE is not right either). My recommendation these days is to
just set CONFIG_KCSAN_STRICT=y for those who care (although I'd wish
everyone cared the same amount :-)).
Should you feel the below change is appropriate for 2026, feel free to
carry it (consider this my Ack).
However, I wasn't thinking of tightening the screws until the current
set of known data races has gotten to a manageable amount (say below
50)
https://syzkaller.appspot.com/upstream?manager=ci2-upstream-kcsan-gce
Then again, on syzbot the config can remain unchanged.
Thanks,
-- Marco
Peter Zijlstra
Jan 7, 2026, 3:43:29 AM (11 days ago) Jan 7
to Paul E. McKenney, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
On Tue, Jan 06, 2026 at 10:18:35AM -0800, Paul E. McKenney wrote:
> On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> >
> > > Some C code believes a plain write to a properly aligned location is
> > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > it's recommended to assume such), and I guess that's the case for
> > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > WRITE_ONCE() on C side ;-)
> >
> > GCC used to provide this guarantee, some of the older code was written
> > on that. GCC no longer provides that guarantee (there are known cases
> > where it breaks and all that) and newer code should not rely on this.
> >
> > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
>
> Agreed!
>
> In that vein, any objections to the patch shown below?
Not really; although it would of course be nice if that were accompanied
> On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> >
> > > Some C code believes a plain write to a properly aligned location is
> > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > it's recommended to assume such), and I guess that's the case for
> > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > WRITE_ONCE() on C side ;-)
> >
> > GCC used to provide this guarantee, some of the older code was written
> > on that. GCC no longer provides that guarantee (there are known cases
> > where it breaks and all that) and newer code should not rely on this.
> >
> > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
>
> Agreed!
>
> In that vein, any objections to the patch shown below?
with a pile of cleanup patches taking out the worst offenders or
somesuch ;-)
Paul E. McKenney
Jan 7, 2026, 2:17:51 PM (11 days ago) Jan 7
to Peter Zijlstra, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
On Wed, Jan 07, 2026 at 09:43:22AM +0100, Peter Zijlstra wrote:
> On Tue, Jan 06, 2026 at 10:18:35AM -0800, Paul E. McKenney wrote:
> > On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> > >
> > > > Some C code believes a plain write to a properly aligned location is
> > > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > > it's recommended to assume such), and I guess that's the case for
> > > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > > WRITE_ONCE() on C side ;-)
> > >
> > > GCC used to provide this guarantee, some of the older code was written
> > > on that. GCC no longer provides that guarantee (there are known cases
> > > where it breaks and all that) and newer code should not rely on this.
> > >
> > > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
> >
> > Agreed!
> >
> > In that vein, any objections to the patch shown below?
>
> Not really; although it would of course be nice if that were accompanied
> with a pile of cleanup patches taking out the worst offenders or
> somesuch ;-)
Careful what you ask for. You might get it... ;-)
> On Tue, Jan 06, 2026 at 10:18:35AM -0800, Paul E. McKenney wrote:
> > On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> > >
> > > > Some C code believes a plain write to a properly aligned location is
> > > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > > it's recommended to assume such), and I guess that's the case for
> > > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > > WRITE_ONCE() on C side ;-)
> > >
> > > GCC used to provide this guarantee, some of the older code was written
> > > on that. GCC no longer provides that guarantee (there are known cases
> > > where it breaks and all that) and newer code should not rely on this.
> > >
> > > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
> >
> > Agreed!
> >
> > In that vein, any objections to the patch shown below?
>
> Not really; although it would of course be nice if that were accompanied
> with a pile of cleanup patches taking out the worst offenders or
> somesuch ;-)
Thanx, Paul
Paul E. McKenney
Jan 8, 2026, 9:09:39 PM (10 days ago) Jan 8
to Marco Elver, Peter Zijlstra, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
On Tue, Jan 06, 2026 at 08:28:41PM +0100, Marco Elver wrote:
> On Tue, 6 Jan 2026 at 19:18, 'Paul E. McKenney' via kasan-dev
> <kasa...@googlegroups.com> wrote:
> > On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> > >
> > > > Some C code believes a plain write to a properly aligned location is
> > > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > > it's recommended to assume such), and I guess that's the case for
> > > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > > WRITE_ONCE() on C side ;-)
> > >
> > > GCC used to provide this guarantee, some of the older code was written
> > > on that. GCC no longer provides that guarantee (there are known cases
> > > where it breaks and all that) and newer code should not rely on this.
> > >
> > > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
> >
> > Agreed!
> >
> > In that vein, any objections to the patch shown below?
>
> I'd be in favor, as that's what we did in the very initial version of
> KCSAN (we started strict and then loosened things up).
>
> However, the fallout will be even more perceived "noise", despite
> being legitimate data races. These config knobs were added after much
> discussion in 2019/2020, somewhere around this discussion (I think
> that's the one that spawned KCSAN_REPORT_VALUE_CHANGE_ONLY, can't find
> the source for KCSAN_ASSUME_PLAIN_WRITES_ATOMIC):
> https://lore.kernel.org/all/CAHk-=wgu-QXU83ai4XBnh7JJUo2NBW41XhLWf=7wrydR4=ZP...@mail.gmail.com/
Fair point!
> On Tue, 6 Jan 2026 at 19:18, 'Paul E. McKenney' via kasan-dev
> <kasa...@googlegroups.com> wrote:
> > On Tue, Jan 06, 2026 at 03:56:22PM +0100, Peter Zijlstra wrote:
> > > On Tue, Jan 06, 2026 at 09:09:37PM +0800, Boqun Feng wrote:
> > >
> > > > Some C code believes a plain write to a properly aligned location is
> > > > atomic (see KCSAN_ASSUME_PLAIN_WRITES_ATOMIC, and no, this doesn't mean
> > > > it's recommended to assume such), and I guess that's the case for
> > > > hrtimer, if it's not much a trouble you can replace the plain write with
> > > > WRITE_ONCE() on C side ;-)
> > >
> > > GCC used to provide this guarantee, some of the older code was written
> > > on that. GCC no longer provides that guarantee (there are known cases
> > > where it breaks and all that) and newer code should not rely on this.
> > >
> > > All such places *SHOULD* be updated to use READ_ONCE/WRITE_ONCE.
> >
> > Agreed!
> >
> > In that vein, any objections to the patch shown below?
>
> I'd be in favor, as that's what we did in the very initial version of
> KCSAN (we started strict and then loosened things up).
>
> However, the fallout will be even more perceived "noise", despite
> being legitimate data races. These config knobs were added after much
> discussion in 2019/2020, somewhere around this discussion (I think
> that's the one that spawned KCSAN_REPORT_VALUE_CHANGE_ONLY, can't find
> the source for KCSAN_ASSUME_PLAIN_WRITES_ATOMIC):
> https://lore.kernel.org/all/CAHk-=wgu-QXU83ai4XBnh7JJUo2NBW41XhLWf=7wrydR4=ZP...@mail.gmail.com/
> While the situation has gotten better since 2020, we still have latent
> data races that need some thought (given papering over things blindly
> with *ONCE is not right either). My recommendation these days is to
> just set CONFIG_KCSAN_STRICT=y for those who care (although I'd wish
> everyone cared the same amount :-)).
>
> Should you feel the below change is appropriate for 2026, feel free to
> carry it (consider this my Ack).
>
> However, I wasn't thinking of tightening the screws until the current
> set of known data races has gotten to a manageable amount (say below
> 50)
> https://syzkaller.appspot.com/upstream?manager=ci2-upstream-kcsan-gce
> Then again, on syzbot the config can remain unchanged.
corresponding test ran against? Probably me being blind, but I am not
seeing it. Though I do very much like the symbolic names in those
stack traces!
Thanx, Paul
Marco Elver
Jan 9, 2026, 7:00:59 AM (9 days ago) Jan 9
to pau...@kernel.org, Peter Zijlstra, Boqun Feng, Andreas Hindborg, Alice Ryhl, Gary Guo, Will Deacon, Richard Henderson, Matt Turner, Magnus Lindholm, Catalin Marinas, Miguel Ojeda, Björn Roy Baron, Benno Lossin, Trevor Gross, Danilo Krummrich, Mark Rutland, FUJITA Tomonori, Frederic Weisbecker, Lyude Paul, Thomas Gleixner, Anna-Maria Behnsen, John Stultz, Stephen Boyd, Alexander Viro, Christian Brauner, Jan Kara, linux-...@vger.kernel.org, linux...@vger.kernel.org, linux-ar...@lists.infradead.org, rust-fo...@vger.kernel.org, linux-...@vger.kernel.org, kasa...@googlegroups.com
in the "Commit" column.
Reply all
Reply to author
Forward
0 new messages