lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20100110052508.GG9044@linux.vnet.ibm.com>
Date:	Sat, 9 Jan 2010 21:25:08 -0800
From:	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
To:	Steven Rostedt <rostedt@...dmis.org>
Cc:	Mathieu Desnoyers <mathieu.desnoyers@...ymtl.ca>,
	Oleg Nesterov <oleg@...hat.com>,
	Peter Zijlstra <peterz@...radead.org>,
	linux-kernel@...r.kernel.org, Ingo Molnar <mingo@...e.hu>,
	akpm@...ux-foundation.org, josh@...htriplett.org,
	tglx@...utronix.de, Valdis.Kletnieks@...edu, dhowells@...hat.com,
	laijs@...fujitsu.com, dipankar@...ibm.com
Subject: Re: [RFC PATCH] introduce sys_membarrier(): process-wide memory
	barrier

On Sat, Jan 09, 2010 at 09:12:58PM -0500, Steven Rostedt wrote:
> On Sat, 2010-01-09 at 20:44 -0500, Mathieu Desnoyers wrote:
> 
> > > So what if we have a linear decrease in performance with the number of
> > > threads on the write side?
> > 
> > Hrm, looking at arch/x86/include/asm/mmu_context.h
> > 
> > switch_mm(), which is basically called each time the scheduler needs to
> > change the current task, does a
> > 
> > cpumask_clear_cpu(cpu, mm_cpumask(prev));
> > 
> > and
> > 
> > cpumask_set_cpu(cpu, mm_cpumask(next));
> > 
> > which precise goal is to stop the flush ipis for the previous mm. The
> > 100$ question is : why do we have to confirm that the thread is indeed
> > on the runqueue (taking locks and everything) when we could simply just
> > bluntly use the mm_cpumask for our own IPIs ?
> 
> I was just looking at that code, and was thinking the same thing ;-)
> 
> > cpumask_clear_cpu and cpumask_set_cpu translate into clear_bit/set_bit.
> > cpumask_next does a find_next_bit on the cpumask.
> > 
> > clear_bit/set_bit are atomic and not reordered on x86. PowerPC also uses
> > ll/sc loops in bitops.h, so I think it should be pretty safe to assume
> > that mm_cpumask is, by design, made to be used as cpumask to send a
> > broadcast IPI to all CPUs which run threads belonging to a given
> > process.
> > 
> > So, how about just using mm_cpumask(current) for the broadcast ? Then we
> > don't even need to allocate our own cpumask neither.
> > 
> > Or am I missing something ? I just sounds too simple.
> 
> I think we can use it. If for some reason it does not satisfy what you
> need then I also think the TLB flushing is also broken.
> 
> IIRC, (Paul help me out on this), what Paul said earlier, we are trying
> to protect against this scenario:
> 
> (from Paul's email:)
> 
> 
> > 
> >         CPU 1                           CPU 2
> >      -----------                    -------------
> > 
> >         <user space>                    <kernel space, switching to task>
> > 
> >                                         ->curr updated
> > 
> >                                         <long code path, maybe mb?>
> > 
> >                                         <user space>
> > 
> >                                         rcu_read_lock(); [load only]
> > 
> >                                         obj = list->next
> > 
> >         list_del(obj)
> > 
> >         sys_membarrier();
> >         < kernel space >
> > 
> >         if (task_rq(task)->curr != task)
> >         < but load to obj reordered before store to ->curr >
> > 
> >         < user space >
> > 
> >         < misses that CPU 2 is in rcu section >
> 
> 
> If the TLB flush misses that CPU 2 has a threaded task, and does not
> flush CPU 2s TLB, it can also risk the same type of crash.

But isn't the VM's locking helping us out in that case?

> >         [CPU 2's ->curr update now visible]
> > 
> >         [CPU 2's rcu_read_lock() store now visible]
> > 
> >         free(obj);
> > 
> >                                         use_object(obj); <=== crash!
> > 
> 
> Think about it. If you change a process mmap, say you updated a mmap of
> a file by flushing out one page and replacing it with another. If the
> above missed sending to CPU 2, then CPU 2 may still be accessing the old
> page of the file, and not the new one.
> 
> I think this may be the safe bet.

You might well be correct that we can access that bitmap locklessly,
but there are additional things (like the loading of the arch-specific
page-table register) that are likely to be helping in the VM case, but
not necessarily helping in this case.

							Thanx, Paul
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ