lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Feb 2019 10:22:32 -0500 (EST)
From:   Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
To:     Rich Felker <dalias@...c.org>
Cc:     linux-kernel <linux-kernel@...r.kernel.org>,
        "Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
        Peter Zijlstra <peterz@...radead.org>,
        Ingo Molnar <mingo@...hat.com>,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Thomas Gleixner <tglx@...utronix.de>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Paul Mackerras <paulus@...ba.org>,
        Michael Ellerman <mpe@...erman.id.au>
Subject: Re: Regression in SYS_membarrier expedited

----- On Feb 17, 2019, at 5:08 PM, Rich Felker dalias@...c.org wrote:

> On Sun, Feb 17, 2019 at 04:52:35PM -0500, Rich Felker wrote:
>> On Sun, Feb 17, 2019 at 04:34:45PM -0500, Mathieu Desnoyers wrote:
>> > ----- On Feb 17, 2019, at 1:48 PM, Rich Felker dalias@...c.org wrote:
>> > 
>> > > commit a961e40917fb14614d368d8bc9782ca4d6a8cd11 made it so that the
>> > > MEMBARRIER_CMD_PRIVATE_EXPEDITED command cannot be used without first
>> > > registering intent to use it. However, registration is an expensive
>> > > operation since commit 3ccfebedd8cf54e291c809c838d8ad5cc00f5688, which
>> > > added synchronize_sched() to it; this means it's no longer possible to
>> > > lazily register intent at first use, and it's unreasonably expensive
>> > > to preemptively register intent for possibly extremely-short-lived
>> > > processes that will never use it. (My usage case is in libc (musl),
>> > > where I can't know if the process will be short- or long-lived;
>> > > unnecessary and potentially expensive syscalls can't be made
>> > > preemptively, only lazily at first use.)
>> > > 
>> > > Can we restore the functionality of MEMBARRIER_CMD_PRIVATE_EXPEDITED
>> > > to work even without registration? The motivation of requiring
>> > > registration seems to be:
>> > > 
>> > >    "Registering at this time removes the need to interrupt each and
>> > >    every thread in that process at the first expedited
>> > >    sys_membarrier() system call."
>> > > 
>> > > but interrupting every thread in the process is exactly what I expect,
>> > > and is not a problem. What does seem like a big problem is waiting for
>> > > synchronize_sched() to synchronize with an unboundedly large number of
>> > > cores (vs only a few threads in the process), especially in the
>> > > presence of full_nohz, where it seems like latency would be at least a
>> > > few ms and possibly unbounded.
>> > > 
>> > > Short of a working SYS_membarrier that doesn't require expensive
>> > > pre-registration, I'm stuck just implementing it in userspace with
>> > > signals...
>> > 
>> > Hi Rich,
>> > 
>> > Let me try to understand the scenario first.
>> > 
>> > musl libc support for using membarrier private expedited
>> > would require to first register membarrier private expedited for
>> > the process at musl library init (typically after exec). At that stage, the
>> > process is still single-threaded, right ? So there is no reason
>> > to issue a synchronize_sched() (or now synchronize_rcu() in newer
>> > kernels):
>> > 
>> > membarrier_register_private_expedited()
>> > 
>> >         if (!(atomic_read(&mm->mm_users) == 1 && get_nr_threads(p) == 1)) {
>> >                 /*
>> >                  * Ensure all future scheduler executions will observe the
>> >                  * new thread flag state for this process.
>> >                  */
>> >                 synchronize_rcu();
>> >         }
>> > 
>> > So considering that pre-registration carefully done before the process
>> > becomes multi-threaded just costs a system call (and not a synchronize_sched()),
>> > does it make the pre-registration approach more acceptable ?
>> 
>> It does get rid of the extreme cost, but I don't think it would be
>> well-received by users who don't like random unnecessary syscalls at
>> init time (each adding a few us of startup time cost). If it's so
>> cheap, why isn't it just the default at kernel-side process creation?
>> Why is there any requirement of registration to begin with? Reading
>> the code, it looks like all it does is set a flag, and all this flag
>> is used for is erroring-out if it's not set.
> 
> On further thought, pre-registration could be done at first
> pthread_create rather than process entry, which would probably be
> acceptable. But the question remains why it's needed at all, and
> neither of these approaches is available to code that doesn't have the
> privilege of being part of libc. For example, library code that might
> be loaded via dlopen can't safely use SYS_membarrier without
> introducing unbounded latency before the first use.

For membarrier private expedited, the need for pre-registration is currently
there because of powerpc not wanting to slow down switch_mm() for processes
not needing that command.

That's the only reason I see for it. If we would have accepted to add
a smp_mb() to the powerpc switch_mm() scheduler path, we could have done
so without registration for the private expedited membarrier command.

commit a961e40917fb hints at the sync_core private expedited membarrier
commands (which was being actively designed at that time) which may
require pre-registration. However, things did not turn out that way: we
ended up adding the required core serializing barriers unconditionally
into each architecture.

Considering that sync_core private expedited membarrier ended up not needing
pre-registration, I think this pre-registration optimization may have been
somewhat counter-productive, since I doubt the overhead of smp_mb() in a
switch_mm() for powerpc is that high, but I don't have the hardware handy
to provide numbers. So we end up slowing down everyone by requiring a
registration system call after exec. :-(

One possible way out of this would be to make MEMBARRIER_CMD_PRIVATE_EXPEDITED
and MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE work fine without pre-registration
in future kernels. Therefore, the application could try using them without
registration. If it works, all is fine, else it would treat the error how it
sees fit, either through explicit registration and trying again, or returning
the error to the caller.

The only change I see we would require to make this work is to turn
arch/powerpc/include/asm/membarrier.h membarrier_arch_switch_mm() into
an unconditional smp_mb().

Thoughts ?

Thanks,

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

Powered by blists - more mailing lists