* [PATCH v2 0/2] virtio: silence KCSAN warnings
@ 2026-01-27 15:25 Johannes Thumshirn
2026-01-27 15:25 ` [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split Johannes Thumshirn
` (2 more replies)
0 siblings, 3 replies; 14+ messages in thread
From: Johannes Thumshirn @ 2026-01-27 15:25 UTC (permalink / raw)
To: virtualization
Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez,
Alexander Graf, linux-kernel, Johannes Thumshirn
When booting a Qemu VM with KCSAN to debug filesystem races I
encountered a bunch of KCSAN splats in virtio.
All of them are false positives, as the racy unknown origin is the
hypervisor.
Alex suggested to annotate the vring structure as racy for KCSAN, but
the __data_racy annotation turns into "volatile" and as such it cannot
be used to annotate the whole structure. Annotating every structure
embedding a pointer to the vring turned out to be way more invasive than
annotating only the few sites consumers.
Changes to v1:
- Annotate the return of more_used_split() as racy so both call sites
are covered
- Annotate vring_avail_event() as racy so we can condense two patches
into one.
Link to v1:
https://lore.kernel.org/virtualization/20260127083926.865555-1-johannes.thumshirn@wdc.com/
Johannes Thumshirn (2):
virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split
virtio: silence KCSAN warning in virtqueue_kick_prepare
drivers/virtio/virtio_ring.c | 4 ++--
include/uapi/linux/virtio_ring.h | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
--
2.52.0
^ permalink raw reply [flat|nested] 14+ messages in thread
* [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split
2026-01-27 15:25 [PATCH v2 0/2] virtio: silence KCSAN warnings Johannes Thumshirn
@ 2026-01-27 15:25 ` Johannes Thumshirn
2026-01-27 16:30 ` Alexander Graf
2026-01-27 15:25 ` [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare Johannes Thumshirn
2026-01-27 15:44 ` [PATCH v2 0/2] virtio: silence KCSAN warnings Michael S. Tsirkin
2 siblings, 1 reply; 14+ messages in thread
From: Johannes Thumshirn @ 2026-01-27 15:25 UTC (permalink / raw) To: virtualization Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, Alexander Graf, linux-kernel, Johannes Thumshirn When booting a Qemu VM with virtio-blk and KCSAN enabled, KCSAN emits the following warning about a data-race in virtqueue_get_buf_ctx_split(). ================================================================== BUG: KCSAN: data-race in virtqueue_get_buf_ctx_split+0x6e/0x260 race at unknown origin, with read to 0xffff8881020f1942 of 2 bytes by task 1 on cpu 7: virtqueue_get_buf_ctx_split+0x6e/0x260 virtqueue_get_buf+0x4b/0x60 __send_to_port+0x156/0x170 put_chars+0xcb/0x110 hvc_console_print+0x1d6/0x2a0 console_flush_one_record+0x3dd/0x510 console_unlock+0x8c/0x160 vprintk_emit+0x2fe/0x380 vprintk_default+0x1d/0x30 vprintk+0xe/0x20 _printk+0x4c/0x60 btrfs_test_raid_stripe_tree+0x25/0x90 btrfs_run_sanity_tests.cold+0xf1/0x13b init_btrfs_fs+0x73/0x110 do_one_initcall+0x5b/0x2d0 kernel_init_freeable+0x2a2/0x340 kernel_init+0x1e/0x1b0 ret_from_fork+0x137/0x1b0 ret_from_fork_asm+0x1a/0x30 value changed: 0x0160 -> 0x0161 Reported by Kernel Concurrency Sanitizer on: CPU: 7 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-rc7+ #219 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025 ================================================================== This warning is likely a false positive as the change happens on the virtio vring. Annotate the return of more_used_split() with data_race() to silence the warning. Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> --- drivers/virtio/virtio_ring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index ddab68959671..1db27ee2d89f 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c 
@@ -808,8 +808,8 @@ static void detach_buf_split(struct vring_virtqueue *vq, unsigned int head, static bool more_used_split(const struct vring_virtqueue *vq) { - return vq->last_used_idx != virtio16_to_cpu(vq->vq.vdev, - vq->split.vring.used->idx); + return data_race(vq->last_used_idx != virtio16_to_cpu(vq->vq.vdev, + vq->split.vring.used->idx)); } static void *virtqueue_get_buf_ctx_split(struct virtqueue *_vq, -- 2.52.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
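Review bot: In more_used_split(), data_race() encloses the whole comparison, so the read of vq->last_used_idx, a field of the vring_virtqueue itself rather than of the shared ring, is exempted from KCSAN together with the load of vq->split.vring.used->idx. Narrow the annotation to the used->idx load so that a genuine race on last_used_idx is still reported, and add a one-line comment naming the device as the concurrent writer, since the commit message only calls the report "likely" a false positive. data_race() also only suppresses the report; if a single untorn load of the index is what the code relies on, READ_ONCE() on used->idx states that directly.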
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-27 15:25 ` [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split Johannes Thumshirn @ 2026-01-27 16:30 ` Alexander Graf 2026-01-28 8:47 ` Johannes Thumshirn 0 siblings, 1 reply; 14+ messages in thread From: Alexander Graf @ 2026-01-27 16:30 UTC (permalink / raw) To: Johannes Thumshirn, virtualization Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel On 27.01.26 16:25, Johannes Thumshirn wrote: > When booting a Qemu VM with virtio-blk and KCSAN enabled, KCSAN emits > the following warning about a data-race in virtqueue_get_buf_ctx_split(). > > ================================================================== > BUG: KCSAN: data-race in virtqueue_get_buf_ctx_split+0x6e/0x260 > > race at unknown origin, with read to 0xffff8881020f1942 of 2 bytes by task 1 on cpu 7: > virtqueue_get_buf_ctx_split+0x6e/0x260 > virtqueue_get_buf+0x4b/0x60 > __send_to_port+0x156/0x170 > put_chars+0xcb/0x110 > hvc_console_print+0x1d6/0x2a0 > console_flush_one_record+0x3dd/0x510 > console_unlock+0x8c/0x160 > vprintk_emit+0x2fe/0x380 > vprintk_default+0x1d/0x30 > vprintk+0xe/0x20 > _printk+0x4c/0x60 > btrfs_test_raid_stripe_tree+0x25/0x90 > btrfs_run_sanity_tests.cold+0xf1/0x13b > init_btrfs_fs+0x73/0x110 > do_one_initcall+0x5b/0x2d0 > kernel_init_freeable+0x2a2/0x340 > kernel_init+0x1e/0x1b0 > ret_from_fork+0x137/0x1b0 > ret_from_fork_asm+0x1a/0x30 > > value changed: 0x0160 -> 0x0161 > > Reported by Kernel Concurrency Sanitizer on: > CPU: 7 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.19.0-rc7+ #219 PREEMPT(none) > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025 > ================================================================== > > This warning is likely a false positive as the change happens on the > virtio vring. > > Annotate the return of more_used_split() with data_race() to silence > the warning. 
> > Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> > --- > drivers/virtio/virtio_ring.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > index ddab68959671..1db27ee2d89f 100644 > --- a/drivers/virtio/virtio_ring.c > +++ b/drivers/virtio/virtio_ring.c > @@ -808,8 +808,8 @@ static void detach_buf_split(struct vring_virtqueue *vq, unsigned int head, > > static bool more_used_split(const struct vring_virtqueue *vq) This patches the split vring format, but does not touch the packed one. What happens if you run the same test with the packed format? You can do so by passing "packed=on" as argument to your -device parameter. Alex Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split
2026-01-27 16:30 ` Alexander Graf
@ 2026-01-28 8:47 ` Johannes Thumshirn
2026-01-28 9:03 ` Alexander Graf
0 siblings, 1 reply; 14+ messages in thread
From: Johannes Thumshirn @ 2026-01-28 8:47 UTC (permalink / raw)
To: Alexander Graf, virtualization@lists.linux.dev
Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez,
linux-kernel@vger.kernel.org
On 1/27/26 5:30 PM, Alexander Graf wrote:
> This patches the split vring format, but does not touch the packed one.
> What happens if you run the same test with the packed format? You can do
> so by passing "packed=on" as argument to your -device parameter.
This opened up a whole new can of worms... :(
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 8:47 ` Johannes Thumshirn @ 2026-01-28 9:03 ` Alexander Graf 2026-01-28 9:13 ` Johannes Thumshirn 0 siblings, 1 reply; 14+ messages in thread From: Alexander Graf @ 2026-01-28 9:03 UTC (permalink / raw) To: Johannes Thumshirn, virtualization@lists.linux.dev Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On 28.01.26 09:47, Johannes Thumshirn wrote: > On 1/27/26 5:30 PM, Alexander Graf wrote: >> This patches the split vring format, but does not touch the packed one. >> What happens if you run the same test with the packed format? You can do >> so by passing "packed=on" as argument to your -device parameter. > This opened up a whole new can of worms... :( That's what I expected :). How do other DMA based devices handle this? Is the real problem that virtio by default does not use the DMA API and so it confuses generic KCSAN logic that would otherwise track DMA regions as "can be modified by DMA at any time"? If that is the case, maybe what we really want is to force enable use of the DMA API when KCSAN is active. Does something like the (whitespace broken) patch below work? Alex diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c index ddab68959671..b1dd790ce622 100644 --- a/drivers/virtio/virtio_ring.c +++ b/drivers/virtio/virtio_ring.c @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct virtio_device *vdev) if (xen_domain()) return true; + /* + * KCSAN needs to track who can modify memory. DMA API gets + * us that, so always use it. + */ + if (IS_ENABLED(CONFIG_KCSAN)) + return true; + return false; } Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597 ^ permalink raw reply related [flat|nested] 14+ messages in thread
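Review bot: The new IS_ENABLED(CONFIG_KCSAN) branch in vring_use_map_api() lets a debug option select the mapping path, so a KCSAN kernel would no longer exercise the `return false` path that the same configuration takes without the sanitizer, and races specific to that path would go unreported. The added comment says the DMA API gives KCSAN the tracking it needs but does not say where that tracking happens; name the mechanism in the comment, or verify it first and drop the branch if it does not hold.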
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 9:03 ` Alexander Graf @ 2026-01-28 9:13 ` Johannes Thumshirn 2026-01-28 10:30 ` Alexander Graf 0 siblings, 1 reply; 14+ messages in thread From: Johannes Thumshirn @ 2026-01-28 9:13 UTC (permalink / raw) To: Alexander Graf, virtualization@lists.linux.dev Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On 1/28/26 10:03 AM, Alexander Graf wrote: > On 28.01.26 09:47, Johannes Thumshirn wrote: >> On 1/27/26 5:30 PM, Alexander Graf wrote: >>> This patches the split vring format, but does not touch the packed one. >>> What happens if you run the same test with the packed format? You can do >>> so by passing "packed=on" as argument to your -device parameter. >> This opened up a whole new can of worms... :( > > That's what I expected :). > > How do other DMA based devices handle this? Is the real problem that > virtio by default does not use the DMA API and so it confuses generic > KCSAN logic that would otherwise track DMA regions as "can be modified > by DMA at any time"? > > If that is the case, maybe what we really want is to force enable use of > the DMA API when KCSAN is active. Does something like the (whitespace > broken) patch below work? > > Alex > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > index ddab68959671..b1dd790ce622 100644 > --- a/drivers/virtio/virtio_ring.c > +++ b/drivers/virtio/virtio_ring.c > @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct > virtio_device *vdev) > if (xen_domain()) > return true; > > + /* > + * KCSAN needs to track who can modify memory. DMA API gets > + * us that, so always use it. > + */ > + if (IS_ENABLED(CONFIG_KCSAN)) > + return true; > + > return false; > } Unfortunately this doesn't get us any further (I'd love though, it looks way cleaner!) I still see the KCSAN messages even on boot. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 9:13 ` Johannes Thumshirn @ 2026-01-28 10:30 ` Alexander Graf 2026-01-28 10:34 ` Michael S. Tsirkin 0 siblings, 1 reply; 14+ messages in thread From: Alexander Graf @ 2026-01-28 10:30 UTC (permalink / raw) To: Johannes Thumshirn, virtualization@lists.linux.dev Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On 28.01.26 10:13, Johannes Thumshirn wrote: > On 1/28/26 10:03 AM, Alexander Graf wrote: >> On 28.01.26 09:47, Johannes Thumshirn wrote: >>> On 1/27/26 5:30 PM, Alexander Graf wrote: >>>> This patches the split vring format, but does not touch the packed one. >>>> What happens if you run the same test with the packed format? You can do >>>> so by passing "packed=on" as argument to your -device parameter. >>> This opened up a whole new can of worms... :( >> That's what I expected :). >> >> How do other DMA based devices handle this? Is the real problem that >> virtio by default does not use the DMA API and so it confuses generic >> KCSAN logic that would otherwise track DMA regions as "can be modified >> by DMA at any time"? >> >> If that is the case, maybe what we really want is to force enable use of >> the DMA API when KCSAN is active. Does something like the (whitespace >> broken) patch below work? >> >> Alex >> >> diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c >> index ddab68959671..b1dd790ce622 100644 >> --- a/drivers/virtio/virtio_ring.c >> +++ b/drivers/virtio/virtio_ring.c 
>> @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct >> virtio_device *vdev) >> if (xen_domain()) >> return true; >> >> + /* >> + * KCSAN needs to track who can modify memory. DMA API gets >> + * us that, so always use it. >> + */ >> + if (IS_ENABLED(CONFIG_KCSAN)) >> + return true; >> + >> return false; >> } > > Unfortunately this doesn't get us any further (I'd love though, it looks > way cleaner!) > > I still see the KCSAN messages even on boot. Ah, looks like the important bit for KCSAN is not the mapping mechanism, it's the actual compiler annotation for the read. So these virtio ring reads should all be annotated as READ_ONCE() to make sure KCSAN knows the read itself is atomic. Alex Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 10:30 ` Alexander Graf @ 2026-01-28 10:34 ` Michael S. Tsirkin 2026-01-28 10:38 ` Alexander Graf 0 siblings, 1 reply; 14+ messages in thread From: Michael S. Tsirkin @ 2026-01-28 10:34 UTC (permalink / raw) To: Alexander Graf Cc: Johannes Thumshirn, virtualization@lists.linux.dev, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On Wed, Jan 28, 2026 at 11:30:20AM +0100, Alexander Graf wrote: > > On 28.01.26 10:13, Johannes Thumshirn wrote: > > On 1/28/26 10:03 AM, Alexander Graf wrote: > > > On 28.01.26 09:47, Johannes Thumshirn wrote: > > > > On 1/27/26 5:30 PM, Alexander Graf wrote: > > > > > This patches the split vring format, but does not touch the packed one. > > > > > What happens if you run the same test with the packed format? You can do > > > > > so by passing "packed=on" as argument to your -device parameter. > > > > This opened up a whole new can of worms... :( > > > That's what I expected :). > > > > > > How do other DMA based devices handle this? Is the real problem that > > > virtio by default does not use the DMA API and so it confuses generic > > > KCSAN logic that would otherwise track DMA regions as "can be modified > > > by DMA at any time"? > > > > > > If that is the case, maybe what we really want is to force enable use of > > > the DMA API when KCSAN is active. Does something like the (whitespace > > > broken) patch below work? > > > > > > Alex > > > > > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > > > index ddab68959671..b1dd790ce622 100644 > > > --- a/drivers/virtio/virtio_ring.c > > > +++ b/drivers/virtio/virtio_ring.c 
> > > @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct > > > virtio_device *vdev) > > > if (xen_domain()) > > > return true; > > > > > > + /* > > > + * KCSAN needs to track who can modify memory. DMA API gets > > > + * us that, so always use it. > > > + */ > > > + if (IS_ENABLED(CONFIG_KCSAN)) > > > + return true; > > > + > > > return false; > > > } > > > > Unfortunately this doesn't get us any further (I'd love though, it looks > > way cleaner!) > > > > I still see the KCSAN messages even on boot. > > > Ah, looks like the important bit for KCSAN is not the mapping mechanism, > it's the actual compiler annotation for the read. So these virtio ring reads > should all be annotated as READ_ONCE() to make sure KCSAN knows the read > itself is atomic. > > Alex > so then: return vq->last_used_idx != virtio16_to_cpu(vq->vq.vdev, READ_ONCE(vq->split.vring.used->idx)); ? > > > Amazon Web Services Development Center Germany GmbH > Tamara-Danz-Str. 13 > 10243 Berlin > Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger > Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B > Sitz: Berlin > Ust-ID: DE 365 538 597 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 10:34 ` Michael S. Tsirkin @ 2026-01-28 10:38 ` Alexander Graf 2026-01-28 10:48 ` Michael S. Tsirkin 0 siblings, 1 reply; 14+ messages in thread From: Alexander Graf @ 2026-01-28 10:38 UTC (permalink / raw) To: Michael S. Tsirkin Cc: Johannes Thumshirn, virtualization@lists.linux.dev, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On 28.01.26 11:34, Michael S. Tsirkin wrote: > On Wed, Jan 28, 2026 at 11:30:20AM +0100, Alexander Graf wrote: >> On 28.01.26 10:13, Johannes Thumshirn wrote: >>> On 1/28/26 10:03 AM, Alexander Graf wrote: >>>> On 28.01.26 09:47, Johannes Thumshirn wrote: >>>>> On 1/27/26 5:30 PM, Alexander Graf wrote: >>>>>> This patches the split vring format, but does not touch the packed one. >>>>>> What happens if you run the same test with the packed format? You can do >>>>>> so by passing "packed=on" as argument to your -device parameter. >>>>> This opened up a whole new can of worms... :( >>>> That's what I expected :). >>>> >>>> How do other DMA based devices handle this? Is the real problem that >>>> virtio by default does not use the DMA API and so it confuses generic >>>> KCSAN logic that would otherwise track DMA regions as "can be modified >>>> by DMA at any time"? >>>> >>>> If that is the case, maybe what we really want is to force enable use of >>>> the DMA API when KCSAN is active. Does something like the (whitespace >>>> broken) patch below work? >>>> >>>> Alex >>>> >>>> diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c >>>> index ddab68959671..b1dd790ce622 100644 >>>> --- a/drivers/virtio/virtio_ring.c >>>> +++ b/drivers/virtio/virtio_ring.c 
>>>> @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct >>>> virtio_device *vdev) >>>> if (xen_domain()) >>>> return true; >>>> >>>> + /* >>>> + * KCSAN needs to track who can modify memory. DMA API gets >>>> + * us that, so always use it. >>>> + */ >>>> + if (IS_ENABLED(CONFIG_KCSAN)) >>>> + return true; >>>> + >>>> return false; >>>> } >>> Unfortunately this doesn't get us any further (I'd love though, it looks >>> way cleaner!) >>> >>> I still see the KCSAN messages even on boot. >> >> Ah, looks like the important bit for KCSAN is not the mapping mechanism, >> it's the actual compiler annotation for the read. So these virtio ring reads >> should all be annotated as READ_ONCE() to make sure KCSAN knows the read >> itself is atomic. >> >> Alex >> > so then: > > return vq->last_used_idx != virtio16_to_cpu(vq->vq.vdev, > READ_ONCE(vq->split.vring.used->idx)); Yes, which is on the verge of getting unreadable. I'll work with Johannes on v3. We'll play with ways to make it a bit more maintainable. Please discard the current patches for now. Alex Amazon Web Services Development Center Germany GmbH Tamara-Danz-Str. 13 10243 Berlin Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B Sitz: Berlin Ust-ID: DE 365 538 597 ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split 2026-01-28 10:38 ` Alexander Graf @ 2026-01-28 10:48 ` Michael S. Tsirkin 0 siblings, 0 replies; 14+ messages in thread From: Michael S. Tsirkin @ 2026-01-28 10:48 UTC (permalink / raw) To: Alexander Graf Cc: Johannes Thumshirn, virtualization@lists.linux.dev, Jason Wang, Xuan Zhuo, Eugenio Pérez, linux-kernel@vger.kernel.org On Wed, Jan 28, 2026 at 11:38:48AM +0100, Alexander Graf wrote: > > On 28.01.26 11:34, Michael S. Tsirkin wrote: > > On Wed, Jan 28, 2026 at 11:30:20AM +0100, Alexander Graf wrote: > > > On 28.01.26 10:13, Johannes Thumshirn wrote: > > > > On 1/28/26 10:03 AM, Alexander Graf wrote: > > > > > On 28.01.26 09:47, Johannes Thumshirn wrote: > > > > > > On 1/27/26 5:30 PM, Alexander Graf wrote: > > > > > > > This patches the split vring format, but does not touch the packed one. > > > > > > > What happens if you run the same test with the packed format? You can do > > > > > > > so by passing "packed=on" as argument to your -device parameter. > > > > > > This opened up a whole new can of worms... :( > > > > > That's what I expected :). > > > > > > > > > > How do other DMA based devices handle this? Is the real problem that > > > > > virtio by default does not use the DMA API and so it confuses generic > > > > > KCSAN logic that would otherwise track DMA regions as "can be modified > > > > > by DMA at any time"? > > > > > > > > > > If that is the case, maybe what we really want is to force enable use of > > > > > the DMA API when KCSAN is active. Does something like the (whitespace > > > > > broken) patch below work? > > > > > > > > > > Alex > > > > > > > > > > diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c > > > > > index ddab68959671..b1dd790ce622 100644 > > > > > --- a/drivers/virtio/virtio_ring.c > > > > > +++ b/drivers/virtio/virtio_ring.c 
> > > > > @@ -284,6 +284,13 @@ static bool vring_use_map_api(const struct > > > > > virtio_device *vdev) > > > > > if (xen_domain()) > > > > > return true; > > > > > > > > > > + /* > > > > > + * KCSAN needs to track who can modify memory. DMA API gets > > > > > + * us that, so always use it. > > > > > + */ > > > > > + if (IS_ENABLED(CONFIG_KCSAN)) > > > > > + return true; > > > > > + > > > > > return false; > > > > > } > > > > Unfortunately this doesn't get us any further (I'd love though, it looks > > > > way cleaner!) > > > > > > > > I still see the KCSAN messages even on boot. > > > > > > Ah, looks like the important bit for KCSAN is not the mapping mechanism, > > > it's the actual compiler annotation for the read. So these virtio ring reads > > > should all be annotated as READ_ONCE() to make sure KCSAN knows the read > > > itself is atomic. > > > > > > Alex > > > > > so then: > > > > return vq->last_used_idx != virtio16_to_cpu(vq->vq.vdev, > > READ_ONCE(vq->split.vring.used->idx)); > > > Yes, which is on the verge of getting unreadable. Well we can wrap virtio16_to_cpu and READ_ONCE in a single macro if you like. VIRTIO16_READ ? > I'll work with Johannes on > v3. We'll play with ways to make it a bit more maintainable. Please discard > the current patches for now. Sure. > > Alex > > > > > Amazon Web Services Development Center Germany GmbH > Tamara-Danz-Str. 13 > 10243 Berlin > Geschaeftsfuehrung: Christof Hellmis, Andreas Stieger > Eingetragen am Amtsgericht Charlottenburg unter HRB 257764 B > Sitz: Berlin > Ust-ID: DE 365 538 597 ^ permalink raw reply [flat|nested] 14+ messages in thread
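The combined read helper suggested above could take roughly the following shape; this is an added userspace model, not code from the thread or from the kernel, and the definitions of VIRTIO16_READ and READ_ONCE_U16 as well as all *_model names are hypothetical. It assumes a little-endian ring (modern virtio) and uses the 0x0160 -> 0x0161 index change from the KCSAN report as constructed sample input.

```c
/* Added example: userspace model only. All names here are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the device-written half of a split ring (little-endian fields). */
struct used_model {
	uint16_t flags;
	uint16_t idx;			/* advanced by the device at any time */
};

struct vq_model {
	uint16_t last_used_idx;		/* driver-private, host byte order */
	struct used_model *used;	/* memory shared with the device */
};

/*
 * Stand-ins for READ_ONCE()/WRITE_ONCE() on a 16-bit field: one volatile
 * access that the compiler may not tear, repeat or merge with another.
 */
#define READ_ONCE_U16(x)	(*(const volatile uint16_t *)&(x))
#define WRITE_ONCE_U16(x, v)	(*(volatile uint16_t *)&(x) = (v))

/* Little-endian <-> host conversion (assumption: ring is little-endian). */
static inline uint16_t le16_swap_if_be(uint16_t v)
{
#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
	return (uint16_t)((v << 8) | (v >> 8));
#else
	return v;
#endif
}

/*
 * One macro for "marked load plus endian conversion". It wraps reads only;
 * the field itself stays an lvalue, so code that writes it or takes its
 * address keeps compiling.
 */
#define VIRTIO16_READ(field)	le16_swap_if_be(READ_ONCE_U16(field))

/* Only the shared index is marked; last_used_idx stays a plain access. */
static bool more_used_model(const struct vq_model *vq)
{
	return vq->last_used_idx != VIRTIO16_READ(vq->used->idx);
}

/*
 * Snapshot the index once and work from the snapshot. The 16-bit
 * subtraction gives the right count across index wraparound.
 */
static uint16_t pending_used_model(const struct vq_model *vq)
{
	uint16_t snap = VIRTIO16_READ(vq->used->idx);

	return (uint16_t)(snap - vq->last_used_idx);
}

/* Plays the device: publishes a new used index in ring byte order. */
static void device_publish_model(struct used_model *u, uint16_t host_idx)
{
	WRITE_ONCE_U16(u->idx, le16_swap_if_be(host_idx));
}

/* Builds a queue, lets the "device" publish, returns entries to reap. */
static uint16_t demo_pending(uint16_t last_used, uint16_t device_idx)
{
	struct used_model used = { 0, 0 };
	struct vq_model vq = { last_used, &used };

	device_publish_model(&used, device_idx);
	return more_used_model(&vq) ? pending_used_model(&vq) : 0;
}

int main(void)
{
	/* Constructed inputs; the first pair mirrors the KCSAN report. */
	printf("0x0160 -> 0x0161: %u pending\n",
	       (unsigned)demo_pending(0x0160, 0x0161));
	printf("0xfffe -> 0x0001: %u pending\n",
	       (unsigned)demo_pending(0xfffe, 0x0001));
	return 0;
}
```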
* [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare 2026-01-27 15:25 [PATCH v2 0/2] virtio: silence KCSAN warnings Johannes Thumshirn 2026-01-27 15:25 ` [PATCH v2 1/2] virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split Johannes Thumshirn @ 2026-01-27 15:25 ` Johannes Thumshirn 2026-01-28 12:28 ` kernel test robot 2026-01-28 22:23 ` kernel test robot 2026-01-27 15:44 ` [PATCH v2 0/2] virtio: silence KCSAN warnings Michael S. Tsirkin 2 siblings, 2 replies; 14+ messages in thread 
From: Johannes Thumshirn @ 2026-01-27 15:25 UTC (permalink / raw) To: virtualization Cc: Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, Alexander Graf, linux-kernel, Johannes Thumshirn When booting a Qemu VM with virtio-blk and KCSAN enabled, KCSAN emits the following warning about a data-race in virtqueue_kick_prepare(). ================================================================== BUG: KCSAN: data-race in virtqueue_kick_prepare+0x14d/0x200 race at unknown origin, with read to 0xffff888101c9cd44 of 2 bytes by task 224 on cpu 2: virtqueue_kick_prepare+0x14d/0x200 virtio_fs_enqueue_req+0x664/0x7d0 virtio_fs_send_req+0xac/0x230 flush_bg_queue+0x1a8/0x1f0 fuse_simple_background+0x312/0x490 fuse_file_put+0xcf/0x190 fuse_file_release+0xd3/0xf0 fuse_release+0x91/0xb0 __fput+0x200/0x4f0 ____fput+0x15/0x20 task_work_run+0xda/0x140 do_exit+0x414/0x11a0 do_group_exit+0x53/0xf0 __x64_sys_exit_group+0x25/0x30 x64_sys_call+0x1c23/0x1c30 do_syscall_64+0x5d/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e value changed: 0x1ab0 -> 0x1ab3 Reported by Kernel Concurrency Sanitizer on: CPU: 2 UID: 0 PID: 224 Comm: grepconf.sh Not tainted 6.19.0-rc7+ #230 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-9.fc43 06/10/2025 ================================================================== This warning is likely a false positive as the change happens on the virtio vring. Annotate the return of vring_avail_event() with data_race() to silence the warning. Signed-off-by: Johannes Thumshirn <johannes.thumshirn@wdc.com> --- include/uapi/linux/virtio_ring.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/virtio_ring.h b/include/uapi/linux/virtio_ring.h index f8c20d3de8da..32568cfa1c63 100644 --- a/include/uapi/linux/virtio_ring.h +++ b/include/uapi/linux/virtio_ring.h 
@@ -194,7 +194,7 @@ struct vring { /* We publish the used event index at the end of the available ring, and vice * versa. They are at the end for backwards compatibility. */ #define vring_used_event(vr) ((vr)->avail->ring[(vr)->num]) -#define vring_avail_event(vr) (*(__virtio16 *)&(vr)->used->ring[(vr)->num]) +#define vring_avail_event(vr) (data_race(*(__virtio16 *)&(vr)->used->ring[(vr)->num])) static inline void vring_init(struct vring *vr, unsigned int num, void *p, unsigned long align) -- 2.52.0 ^ permalink raw reply related [flat|nested] 14+ messages in thread
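Review bot: Wrapping the body of vring_avail_event() in data_race() changes the macro from an lvalue (the old body is a plain dereference) into the value of an expression, so any user that assigns through it or takes its address, as in `&vring_avail_event(vr)`, stops compiling. The file is also under include/uapi, and data_race() is a kernel-internal macro that userspace consumers of this header do not have. Leave the macro as it is and annotate the read at its use in virtqueue_kick_prepare() instead.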
* Re: [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare 2026-01-27 15:25 ` [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare Johannes Thumshirn @ 2026-01-28 12:28 ` kernel test robot 2026-01-28 22:23 ` kernel test robot 1 sibling, 0 replies; 14+ messages in thread From: kernel test robot @ 2026-01-28 12:28 UTC (permalink / raw) To: Johannes Thumshirn, virtualization Cc: oe-kbuild-all, Michael S . Tsirkin, Jason Wang, Xuan Zhuo, Eugenio Pérez, Alexander Graf, linux-kernel, Johannes Thumshirn Hi Johannes, kernel test robot noticed the following build errors: [auto build test ERROR on linus/master] [also build test ERROR on v6.19-rc7] [cannot apply to mst-vhost/linux-next next-20260127] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Johannes-Thumshirn/virtio-silence-KCSAN-warning-in-virtqueue_get_buf_ctx_split/20260127-235023 base: linus/master patch link: https://lore.kernel.org/r/20260127152524.200465-3-johannes.thumshirn%40wdc.com patch subject: [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare config: sh-allmodconfig (https://download.01.org/0day-ci/archive/20260128/202601282030.CWdibo9B-lkp@intel.com/config) compiler: sh4-linux-gcc (GCC) 15.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260128/202601282030.CWdibo9B-lkp@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. 
not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp@intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202601282030.CWdibo9B-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/vhost/vringh.c: In function '__vringh_notify_enable': >> drivers/vhost/vringh.c:559:33: error: lvalue required as unary '&' operand 559 | if (putu16(vrh, &vring_avail_event(&vrh->vring), | ^ drivers/vhost/vringh.c:562:36: error: lvalue required as unary '&' operand 562 | &vring_avail_event(&vrh->vring)); | ^ vim +559 drivers/vhost/vringh.c f87d0fbb579818f Rusty Russell 2013-03-20 542 f87d0fbb579818f Rusty Russell 2013-03-20 543 static inline bool __vringh_notify_enable(struct vringh *vrh, b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 544 int (*getu16)(const struct vringh *vrh, b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 545 u16 *val, const __virtio16 *p), b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 546 int (*putu16)(const struct vringh *vrh, b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 547 __virtio16 *p, u16 val)) f87d0fbb579818f Rusty Russell 2013-03-20 548 { f87d0fbb579818f Rusty Russell 2013-03-20 549 u16 avail; f87d0fbb579818f Rusty Russell 2013-03-20 550 f87d0fbb579818f Rusty Russell 2013-03-20 551 if (!vrh->event_indices) { f87d0fbb579818f Rusty Russell 2013-03-20 552 /* Old-school; update flags. */ b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 553 if (putu16(vrh, &vrh->vring.used->flags, 0) != 0) { f87d0fbb579818f Rusty Russell 2013-03-20 554 vringh_bad("Clearing used flags %p", f87d0fbb579818f Rusty Russell 2013-03-20 555 &vrh->vring.used->flags); f87d0fbb579818f Rusty Russell 2013-03-20 556 return true; f87d0fbb579818f Rusty Russell 2013-03-20 557 } f87d0fbb579818f Rusty Russell 2013-03-20 558 } else { b9f7ac8c72894c1 Michael S. 
Tsirkin 2014-12-12 @559 if (putu16(vrh, &vring_avail_event(&vrh->vring), f87d0fbb579818f Rusty Russell 2013-03-20 560 vrh->last_avail_idx) != 0) { f87d0fbb579818f Rusty Russell 2013-03-20 561 vringh_bad("Updating avail event index %p", f87d0fbb579818f Rusty Russell 2013-03-20 562 &vring_avail_event(&vrh->vring)); f87d0fbb579818f Rusty Russell 2013-03-20 563 return true; f87d0fbb579818f Rusty Russell 2013-03-20 564 } f87d0fbb579818f Rusty Russell 2013-03-20 565 } f87d0fbb579818f Rusty Russell 2013-03-20 566 f87d0fbb579818f Rusty Russell 2013-03-20 567 /* They could have slipped one in as we were doing that: make f87d0fbb579818f Rusty Russell 2013-03-20 568 * sure it's written, then check again. */ f87d0fbb579818f Rusty Russell 2013-03-20 569 virtio_mb(vrh->weak_barriers); f87d0fbb579818f Rusty Russell 2013-03-20 570 b9f7ac8c72894c1 Michael S. Tsirkin 2014-12-12 571 if (getu16(vrh, &avail, &vrh->vring.avail->idx) != 0) { f87d0fbb579818f Rusty Russell 2013-03-20 572 vringh_bad("Failed to check avail idx at %p", f87d0fbb579818f Rusty Russell 2013-03-20 573 &vrh->vring.avail->idx); f87d0fbb579818f Rusty Russell 2013-03-20 574 return true; f87d0fbb579818f Rusty Russell 2013-03-20 575 } f87d0fbb579818f Rusty Russell 2013-03-20 576 f87d0fbb579818f Rusty Russell 2013-03-20 577 /* This is unlikely, so we just leave notifications enabled f87d0fbb579818f Rusty Russell 2013-03-20 578 * (if we're using event_indices, we'll only get one f87d0fbb579818f Rusty Russell 2013-03-20 579 * notification anyway). */ f87d0fbb579818f Rusty Russell 2013-03-20 580 return avail == vrh->last_avail_idx; f87d0fbb579818f Rusty Russell 2013-03-20 581 } f87d0fbb579818f Rusty Russell 2013-03-20 582 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare
From: kernel test robot @ 2026-01-28 22:23 UTC
To: Johannes Thumshirn, virtualization
Cc: llvm, oe-kbuild-all, Michael S . Tsirkin, Jason Wang, Xuan Zhuo,
Eugenio Pérez, Alexander Graf, linux-kernel, Johannes Thumshirn

Hi Johannes,

kernel test robot noticed the following build errors:

[auto build test ERROR on linus/master]
[also build test ERROR on v6.19-rc7]
[cannot apply to mst-vhost/linux-next next-20260127]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Johannes-Thumshirn/virtio-silence-KCSAN-warning-in-virtqueue_get_buf_ctx_split/20260127-235023
base:   linus/master
patch link:    https://lore.kernel.org/r/20260127152524.200465-3-johannes.thumshirn%40wdc.com
patch subject: [PATCH v2 2/2] virtio: silence KCSAN warning in virtqueue_kick_prepare
config: hexagon-allmodconfig (https://download.01.org/0day-ci/archive/20260129/202601290632.9LWUgtlM-lkp@intel.com/config)
compiler: clang version 17.0.6 (https://github.com/llvm/llvm-project 6009708b4367171ccdbf4b5905cb6a803753fe18)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20260129/202601290632.9LWUgtlM-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202601290632.9LWUgtlM-lkp@intel.com/

All errors (new ones prefixed by >>):

>> drivers/vhost/vringh.c:559:19: error: cannot take the address of an rvalue of type '__virtio16' (aka 'unsigned short')
     559 |                 if (putu16(vrh, &vring_avail_event(&vrh->vring),
         |                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   drivers/vhost/vringh.c:562:8: error: cannot take the address of an rvalue of type '__virtio16' (aka 'unsigned short')
     562 |                                    &vring_avail_event(&vrh->vring));
         |                                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   2 errors generated.

vim +559 drivers/vhost/vringh.c

f87d0fbb579818 Rusty Russell       2013-03-20   542
f87d0fbb579818 Rusty Russell       2013-03-20   543  static inline bool __vringh_notify_enable(struct vringh *vrh,
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   544                          int (*getu16)(const struct vringh *vrh,
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   545                                        u16 *val, const __virtio16 *p),
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   546                          int (*putu16)(const struct vringh *vrh,
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   547                                        __virtio16 *p, u16 val))
f87d0fbb579818 Rusty Russell       2013-03-20   548  {
f87d0fbb579818 Rusty Russell       2013-03-20   549          u16 avail;
f87d0fbb579818 Rusty Russell       2013-03-20   550
f87d0fbb579818 Rusty Russell       2013-03-20   551          if (!vrh->event_indices) {
f87d0fbb579818 Rusty Russell       2013-03-20   552                  /* Old-school; update flags. */
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   553                  if (putu16(vrh, &vrh->vring.used->flags, 0) != 0) {
f87d0fbb579818 Rusty Russell       2013-03-20   554                          vringh_bad("Clearing used flags %p",
f87d0fbb579818 Rusty Russell       2013-03-20   555                                     &vrh->vring.used->flags);
f87d0fbb579818 Rusty Russell       2013-03-20   556                          return true;
f87d0fbb579818 Rusty Russell       2013-03-20   557                  }
f87d0fbb579818 Rusty Russell       2013-03-20   558          } else {
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12  @559                  if (putu16(vrh, &vring_avail_event(&vrh->vring),
f87d0fbb579818 Rusty Russell       2013-03-20   560                             vrh->last_avail_idx) != 0) {
f87d0fbb579818 Rusty Russell       2013-03-20   561                          vringh_bad("Updating avail event index %p",
f87d0fbb579818 Rusty Russell       2013-03-20   562                                     &vring_avail_event(&vrh->vring));
f87d0fbb579818 Rusty Russell       2013-03-20   563                          return true;
f87d0fbb579818 Rusty Russell       2013-03-20   564                  }
f87d0fbb579818 Rusty Russell       2013-03-20   565          }
f87d0fbb579818 Rusty Russell       2013-03-20   566
f87d0fbb579818 Rusty Russell       2013-03-20   567          /* They could have slipped one in as we were doing that: make
f87d0fbb579818 Rusty Russell       2013-03-20   568           * sure it's written, then check again. */
f87d0fbb579818 Rusty Russell       2013-03-20   569          virtio_mb(vrh->weak_barriers);
f87d0fbb579818 Rusty Russell       2013-03-20   570
b9f7ac8c72894c Michael S. Tsirkin  2014-12-12   571          if (getu16(vrh, &avail, &vrh->vring.avail->idx) != 0) {
f87d0fbb579818 Rusty Russell       2013-03-20   572                  vringh_bad("Failed to check avail idx at %p",
f87d0fbb579818 Rusty Russell       2013-03-20   573                             &vrh->vring.avail->idx);
f87d0fbb579818 Rusty Russell       2013-03-20   574                  return true;
f87d0fbb579818 Rusty Russell       2013-03-20   575          }
f87d0fbb579818 Rusty Russell       2013-03-20   576
f87d0fbb579818 Rusty Russell       2013-03-20   577          /* This is unlikely, so we just leave notifications enabled
f87d0fbb579818 Rusty Russell       2013-03-20   578           * (if we're using event_indices, we'll only get one
f87d0fbb579818 Rusty Russell       2013-03-20   579           * notification anyway). */
f87d0fbb579818 Rusty Russell       2013-03-20   580          return avail == vrh->last_avail_idx;
f87d0fbb579818 Rusty Russell       2013-03-20   581  }
f87d0fbb579818 Rusty Russell       2013-03-20   582

--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [PATCH v2 0/2] virtio: silence KCSAN warnings
From: Michael S. Tsirkin @ 2026-01-27 15:44 UTC
To: Johannes Thumshirn
Cc: virtualization, Jason Wang, Xuan Zhuo, Eugenio Pérez,
Alexander Graf, linux-kernel

On Tue, Jan 27, 2026 at 04:25:21PM +0100, Johannes Thumshirn wrote:
> When booting a Qemu VM with KCSAN to debug filesystem races I
> encountered a bunch of KCSAN splats in virtio.
>
> All of them are false positives, as the racy unknown origin is the
> hypervisor.
>
> Alex suggested to annotate the vring structure as racy for KCSAN, but
> the __data_racy annotation turns into "volatile" and as such it cannot
> be used to annotate the whole structure. Annotating every structure
> embedding a pointer to the vring turned out to be way more invasive than
> annotating only the few sites consumers.

Oh wow and I learned Linux has
# define auto __auto_type

which then allows auto in G11:

#define data_race(expr) \
({ \
        __kcsan_disable_current(); \
        auto __v = (expr); \
        __kcsan_enable_current(); \
        __v; \
})

> Changes to v1:
> - Annotate the return of more_used_split() as racy so both call sites
>   are covered
> - Annotate vring_avail_event() as racy so we can condense two patches
>   into one.

Acked-by: Michael S. Tsirkin <mst@redhat.com>

I will pick this up.

> Link to v1:
> https://lore.kernel.org/virtualization/20260127083926.865555-1-johannes.thumshirn@wdc.com/
>
> Johannes Thumshirn (2):
>   virtio: silence KCSAN warning in virtqueue_get_buf_ctx_split
>   virtio: silence KCSAN warning in virtqueue_kick_prepare
>
>  drivers/virtio/virtio_ring.c     | 4 ++--
>  include/uapi/linux/virtio_ring.h | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
>
> --
> 2.52.0
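
Added example (not code from this thread or from the kernel tree): a userspace C model of why both robot reports reject `&vring_avail_event(&vrh->vring)`. A macro shaped like the `data_race()` quoted above evaluates to a copy of its operand, so an accessor wrapped in it is an rvalue and cannot feed a writer such as `putu16()`. The KCSAN hooks are stubs, and `demo_ring`, `demo_avail_event`, `demo_avail_event_racy`, `put_u16` and `publish_and_read` are hypothetical names.

```c
#include <stdint.h>

/* Userspace stand-ins for the KCSAN hooks (stubs assumed for this example). */
static int kcsan_depth;
static int kcsan_suppressed_reads;
static void __kcsan_disable_current(void) { kcsan_depth++; }
static void __kcsan_enable_current(void) { kcsan_depth--; kcsan_suppressed_reads++; }

/* Same shape as the macro quoted in the thread (GNU C statement expression). */
#define data_race(expr)                         \
({                                              \
        __kcsan_disable_current();              \
        __auto_type __v = (expr);               \
        __kcsan_enable_current();               \
        __v;                                    \
})

/* Simplified ring (hypothetical layout, not the uapi struct vring). */
struct demo_ring {
        unsigned int num;
        uint16_t used_ring[8 + 1];      /* last slot plays the avail_event role */
};

/* Accessor kept as an lvalue: writers can still take its address. */
#define demo_avail_event(r) ((r)->used_ring[(r)->num])

/*
 * Accessor wrapped in data_race(): the result is the copy held in __v.
 * Writing "&demo_avail_event_racy(r)" does not compile; gcc and clang
 * reject it with the two diagnostics shown in the robot reports.
 */
#define demo_avail_event_racy(r) data_race(demo_avail_event(r))

/* Writer path, modelled on putu16() in vringh: needs a pointer into the ring. */
static int put_u16(uint16_t *p, uint16_t val) { *p = val; return 0; }

uint16_t publish_and_read(struct demo_ring *r, uint16_t idx)
{
        if (put_u16(&demo_avail_event(r), idx) != 0)    /* lvalue form */
                return 0;
        return demo_avail_event_racy(r);                /* annotated read */
}

int main(void)
{
        struct demo_ring r = { .num = 8 };
        return publish_and_read(&r, 42) == 42 ? 0 : 1;
}
```

Annotating at the read site, as `publish_and_read()` does, keeps the accessor usable by callers that need its address.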