lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAEXW_YSxGb3ph-bBiWsOJS-C2XvW9FUuwtoM1eFVxPomMKUd5A@mail.gmail.com>
Date: Mon, 27 Jan 2025 13:45:34 -0500
From: Joel Fernandes <joel@...lfernandes.org>
To: paulmck@...nel.org
Cc: Frederic Weisbecker <frederic@...nel.org>, rcu@...r.kernel.org, linux-kernel@...r.kernel.org, 
	kernel-team@...a.com, rostedt@...dmis.org
Subject: Re: [PATCH RFC v2 rcu] Fix get_state_synchronize_rcu_full() GP-start detection

On Mon, Jan 27, 2025 at 11:49 AM Paul E. McKenney <paulmck@...nel.org> wrote:
>
> On Sun, Jan 26, 2025 at 09:58:11PM -0500, Joel Fernandes wrote:
> > On Sun, Jan 26, 2025 at 9:55 PM Joel Fernandes <joel@...lfernandes.org> wrote:
> > >
> > > On Sun, Jan 26, 2025 at 9:03 PM Paul E. McKenney <paulmck@...nel.org> wrote:
> > > >
> > > > On Sun, Jan 26, 2025 at 08:22:23PM -0500, Joel Fernandes wrote:
> > > > > On Sun, Jan 26, 2025 at 8:13 PM Joel Fernandes <joel@...lfernandes.org> wrote:
> > > > > >
> > > > > > Hi, Paul and Frederic,
> > > > > >
> > > > > > [...]
> > > > > > > > > On Sat, Jan 25, 2025 at 12:03:58AM +0100, Frederic Weisbecker wrote:
> > > > > > > > > > Le Fri, Dec 13, 2024 at 11:49:49AM -0800, Paul E. McKenney a écrit :
> > > > > > > > > > > diff --git a/kernel/rcu/rcu.h b/kernel/rcu/rcu.h
> > > > > > > > > > > index 2f9c9272cd486..d2a91f705a4ab 100644
> > > > > > > > > > > --- a/kernel/rcu/rcu.h
> > > > > > > > > > > +++ b/kernel/rcu/rcu.h
> > > > > > > > > > > @@ -162,7 +162,7 @@ static inline bool rcu_seq_done_exact(unsigned long *sp, unsigned long s)
> > > > > > > > > > >  {
> > > > > > > > > > >         unsigned long cur_s = READ_ONCE(*sp);
> > > > > > > > > > >
> > > > > > > > > > > -       return ULONG_CMP_GE(cur_s, s) || ULONG_CMP_LT(cur_s, s - (2 * RCU_SEQ_STATE_MASK + 1));
> > > > > > > > > > > +       return ULONG_CMP_GE(cur_s, s) || ULONG_CMP_LT(cur_s, s - (3 * RCU_SEQ_STATE_MASK + 1));
> > > > > > > > > >
> > > > > > [...]
> > > > > > > > > > The way I understand it is that rcu_state.gp_seq might be seen started while
> > > > > > > > > > root_rnp->gp_seq is not. So rcu_seq_snap() on the started rcu_state.gp_seq
> > > > > > > > > > may return maximum 2 full GPs ahead of root_rnp->gp_seq. And therefore it takes below
> > > > > > > > > > 2 GPs to safely deduce we wrapped around.
> > > > > > > > >
> > > > > > > > > Exactly!
> > > > > > > > >
> > > > > > > > > > Should it be ULONG_CMP_LT(cur_s, s - (2 * (RCU_SEQ_STATE_MASK + 1))) ?
> > > > > > > > >
> > > > > > > > > Quite possibly.  I freely admit that I allowed a bit of slop because
> > > > > > > > > time was of the essence (holidays and all that) and also it does not
> > > > > > > > > hurt much to lose a couple of counts out of a 2^32 cycle, to say nothing
> > > > > > > > > of the common-case 2^64 cycle.  It would not hurt to be exact, but it
> > > > > > > > > would be necessary to convince ourselves that we were not off by one in
> > > > > > > > > the wrong direction.
> > > > > > > > >
> > > > > > > > > I would be happy to see a patch, as long as it was sufficiently
> > > > > > > > > convincing.
> > > > > > > >
> > > > > > > > I'm not so much concerned about being exact but rather about making
> > > > > > > > sure we still understand what we did within one year. We can leave one
> > > > > > > > more grace period than what we expect out of paranoia but, the most
> > > > > > > > important is that we comment about what we expect and why. Let me
> > > > > > > > prepare a patch for that.
> > > > > > >
> > > > > > > Even better!
> > > > > >
> > > > > > Do we really have users who could pass such a huge delta wrapped
> > > > > > around value to poll() i.e > ULONG_MAX/2 ?  For 32-bit, that would be
> > > > > > 2 billion count since the get() (500 million GPs on 32-bit?). I am
> > > > > > curious if such a scenario should be a WARN() because also: If more
> > > > > > than ULONG_MAX/2 values are possible after get(), then a full or
> > > > > > multiple ULONG_MAX wraparound is also possible. This means then both
> > > > > > rcu_seq_done() and rcu_seq_done_exact() become unreliable anyway for
> > > > > > such stale get() values.
> > > > > >
> > > > > > I do agree with both your points on the side effect of the patch to
> > > > > > rcu_seq_done_exact(), but I am not fully convinced myself about
> > > > > > utility of rcu_seq_done_exact() versus the rcu_seq_done() but I could
> > > > > > be missing something.
> > > > >
> > > > > I want to modify my comment on reliability. rcu_seq_done_exact() is
> > > > > certainly more "reliable" than rcu_seq_done() for wraparound delta  >
> > > > > ULONG_MAX/2. Still with such a huge wrap around it is not fail proof
> > > > > if it lands within the "3 Grace period" window, so if it is not super
> > > > > reliable and if the user should not rely on it, then I wonder if it is
> > > > > better to not do it and instead warn the user they are playing with
> > > > > fire. But a counter-argument might be, landing within the 3 GP window
> > > > > is quite low probability...
> > > >
> > > > It is also a harmless false negative.  And another poll within a few
> > > > hundred milliseconds will set things straight.  In contrast, if we
> > > > used rcu_seq_done(), it would be a good long time before we got out of
> > > > false-negative territory.
> > >
> > > True!
> > >
> > > > On a 32-bit system, if there was an expedited grace period every 10
> > > > microseconds (just barely possible on small systems), then a 32-bit
> > > > counter would wrap in about 12 hours.  So there would be a six-hour
> > > > false-negative zone.
> > > >
> > > > So an expedited grace period every 10 microseconds combined with
> > > > a six-hour polling delay is unlikely, but not out of the realm of
> > > > possibility.
> > >
> > > Assuming that every 10 microsecond of the entire 6 hours is used for
> > > an expedited GP, but I agree with your point.
> > >
> > > > Please feel free to nominate a comment.
> > >
> > > Ok thanks, I'll see what Frederic comes up with and can take it from there.
> >
> > I forgot to ask is the reason for keeping rcu_seq_done_exact() to have
> > more complexity only when needed, or does it make sense to rename
> > rcu_seq_done_exact() as rcu_seq_done_done() and get rid of the old
> > rcu_seq_done()?
>
> We might well be able to use the rcu_seq_done_exact() algorithm for
> all the uses, but that will require very careful review and testing.
> Please keep in mind that there are quite a few uses, that the benefit
> is small, and I was lazy.  ;-)
>
> The difference with the polling APIs is that a user might well
> legitimately hang onto a cookie for six hours, for example, by having
> used it to tag a data structure in a block cache or similar.

Thanks for clarification. I will work on a patch along these lines and
see if it is worth doing.

 - Joel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ