| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Sep 2021 15:31:29 +1000
From: Nicholas Piggin <npiggin@...il.com>
To: "Paul E. McKenney" <paulmck@...nel.org>,
Will Deacon <will@...nel.org>
Cc: Arnaldo Carvalho de Melo <acme@...hat.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
dlustig@...dia.com, Stephane Eranian <eranian@...gle.com>,
Peter Anvin <hpa@...or.com>, Jiri Olsa <jolsa@...hat.com>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-tip-commits@...r.kernel.org, Ingo Molnar <mingo@...nel.org>,
mpe@...erman.id.au, palmer@...belt.com,
Andrea Parri <parri.andrea@...il.com>,
paul.walmsley@...ive.com, Peter Zijlstra <peterz@...radead.org>,
Alan Stern <stern@...land.harvard.edu>,
Thomas Gleixner <tglx@...utronix.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Vince Weaver <vincent.weaver@...ne.edu>
Subject: Re: [tip:locking/core] tools/memory-model: Add extra ordering for
locks and remove it for ordinary release/acquire
Excerpts from Nicholas Piggin's message of September 17, 2021 1:21 pm:
> Excerpts from Will Deacon's message of September 10, 2021 9:08 pm:
>> Hi Paul,
>>
>> On Thu, Sep 09, 2021 at 10:46:35AM -0700, Paul E. McKenney wrote:
>>> On Thu, Sep 09, 2021 at 02:35:36PM +0100, Will Deacon wrote:
>>> > On Thu, Sep 09, 2021 at 09:25:30AM +0200, Peter Zijlstra wrote:
>>> > > On Wed, Sep 08, 2021 at 09:08:33AM -0700, Linus Torvalds wrote:
>>> > > > then I think it's entirely reasonable to
>>> > > >
>>> > > > spin_unlock(&r);
>>> > > > spin_lock(&s);
>>> > > >
>>> > > > cannot be reordered.
>>> > >
>>> > > I'm obviously completely in favour of that :-)
>>> >
>>> > I don't think we should require the accesses to the actual lockwords to
>>> > be ordered here, as it becomes pretty onerous for relaxed LL/SC
>>> > architectures where you'd end up with an extra barrier either after the
>>> > unlock() or before the lock() operation. However, I remain absolutely in
>>> > favour of strengthening the ordering of the _critical sections_ guarded by
>>> > the locks to be RCsc.
>>>
>>> If by this you mean the critical sections when observed only by other
>>> critical sections for a given lock, then everyone is already there.
>>
>> No, I mean the case where somebody without the lock (but using memory
>> barriers) can observe the critical sections out of order (i.e. W -> R
>> order is not maintained).
>
> This is a sincere question, why is this important? I mean _any_
> restriction on reordering makes things easier by definition I can't
> argue with that, but why is this one in particular seen as a problem?
> It just seems disproportionate.
>
> We naturally think of accesses within locks as atomic as a whole
> (provided the other parties are doing the proper locking too). So like
> atomic operations, aligned stores, etc can be reordered, I don't see why
> these should have any particular ordering either, or why a unlock()
> should pair with a later lock() of an unrelated lock to provide some
> ordering.
>
> It gives the idea that individual lock operations in isolation should be
> or do something special, but I think that's the wrong way to think about
> it, the lock and the unlock operate on a specific lock word and protect
> specific data vs other processors that access the same data under the
> same locks.
>
> If you don't know what you're doing or don't want to think about
> ordering, perform accesses under locks. If you don't lock, you get to
> think about ordering. At which point sure two sets of operations from
> different critical sections could go out of order, but so can any two
> stores. Or two stores from inside the one critical section if you are
> not holding the correct lock.
It doesn't actually really relieve the burden of thinking about barriers
mcuh at all, come to think of it.
spin_lock(&foo);
x = 1;
spin_unlock(&foo);
spin_lock(&bar);
y = 1;
spin_unlock(&bar);
vs
if (READ_ONCE(y) == 1)
// spin_unlock(&foo)+spin_lock(&bar) provides store ordering
smp_rmb();
BUG_ON(READ_ONCE(x) == 0);
Then if you didn't comment the store ordering requirement in the first
code, then you patch things to simplify or add functionality:
spin_lock(&foo);
x = 1;
spin_lock(&bar);
y = 1;
spin_unlock(&bar);
z = 1;
spin_unlock(&foo);
or
spin_lock(&baz);
x = 1;
y = 1;
spin_unlock(&baz);
Then you broke it. Because you thought being clever and avoiding
thinking about or talking about ordering in your code which performs
memory accesses outside of locks was improving the situation.
It's not good practice. If there is *any* unlocked memory access, you
should always think about and comment *all* memory orderings. Locking
should not ever be relied on to give you some kind of implicit semantics
that you think should be obvious. All the accesses always need thought
and they always need comments.
spin_lock(&foo);
// The spin_unlock+spin_lock orders this store before the store to y,
// the corresponding smp_rmb is at function().
x = 1;
spin_unlock(&foo);
spin_lock(&bar);
// See x
y = 1;
spin_unlock(&bar);
Once you do that, does it *really* break the bank to add a line of code?
spin_lock(&foo);
// See smp_unlock_lock_mb() below
x = 1;
spin_unlock(&foo);
// This orders this store of x above before the
// store to y below.
smp_unlock_lock_mb();
spin_lock(&bar);
// See smp_unlock_lock_mb() above
y = 1;
spin_unlock(&bar);
I can't see how that line of code created a fundamentally a bigger
problem.
If you don't need the performance and don't want to deal with ordering,
*always use locks*. If you absolutely can't always use locks, *always
document important memory accesses ordering that is or can affect
unlocked memory accesses*. We are all agreed on this rule, right? So
what am I missing?
Thanks,
Nick
Powered by blists - more mailing lists