| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250323072511.2353342-1-edumazet@google.com>
Date: Sun, 23 Mar 2025 07:25:11 +0000
From: Eric Dumazet <edumazet@...gle.com>
To: Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, "H . Peter Anvin" <hpa@...or.com>,
Peter Zijlstra <peterz@...radead.org>, Steven Rostedt <rostedt@...dmis.org>
Cc: linux-kernel <linux-kernel@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, Masami Hiramatsu <mhiramat@...nel.org>, x86@...nel.org,
bpf@...r.kernel.org, Eric Dumazet <eric.dumazet@...il.com>,
Greg Thelen <gthelen@...gle.com>, Stephane Eranian <eranian@...gle.com>,
Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH] x86/alternatives: remove false sharing in poke_int3_handler()
eBPF programs can be run 20,000,000+ times per second on busy servers.
Whenever /proc/sys/kernel/bpf_stats_enabled is turned off,
hundreds of calls sites are patched from text_poke_bp_batch()
and we see a critical loss of performance due to false sharing
on bp_desc.refs lasting up to three seconds.
51.30% server_bin [kernel.kallsyms] [k] poke_int3_handler
|
|--46.45%--poke_int3_handler
| exc_int3
| asm_exc_int3
| |
| |--24.26%--cls_bpf_classify
| | tcf_classify
| | __dev_queue_xmit
| | ip6_finish_output2
| | ip6_output
| | ip6_xmit
| | inet6_csk_xmit
| | __tcp_transmit_skb
| | |
| | |--9.00%--tcp_v6_do_rcv
| | | tcp_v6_rcv
| | | ip6_protocol_deliver_rcu
| | | ip6_rcv_finish
| | | ipv6_rcv
| | | __netif_receive_skb
| | | process_backlog
| | | __napi_poll
| | | net_rx_action
| | | __softirqentry_text_start
| | | asm_call_sysvec_on_stack
| | | do_softirq_own_stack
Fix this by replacing bp_desc.refs with a per-cpu bp_refs.
Before the patch, on a host with 240 cpus (480 threads):
echo 0 >/proc/sys/kernel/bpf_stats_enabled
text_poke_bp_batch(nr_entries=2)
text_poke_bp_batch+1
text_poke_finish+27
arch_jump_label_transform_apply+22
jump_label_update+98
__static_key_slow_dec_cpuslocked+64
static_key_slow_dec+31
bpf_stats_handler+236
proc_sys_call_handler+396
vfs_write+761
ksys_write+102
do_syscall_64+107
entry_SYSCALL_64_after_hwframe+103
Took 324 usec
text_poke_bp_batch(nr_entries=164)
text_poke_bp_batch+1
text_poke_finish+27
arch_jump_label_transform_apply+22
jump_label_update+98
__static_key_slow_dec_cpuslocked+64
static_key_slow_dec+31
bpf_stats_handler+236
proc_sys_call_handler+396
vfs_write+761
ksys_write+102
do_syscall_64+107
entry_SYSCALL_64_after_hwframe+103
Took 2655300 usec
After this patch:
echo 0 >/proc/sys/kernecho 0 >/proc/sys/kernel/bpf_stats_enabled
text_poke_bp_batch(nr_entries=2)
text_poke_bp_batch+1
text_poke_finish+27
arch_jump_label_transform_apply+22
jump_label_update+98
__static_key_slow_dec_cpuslocked+64
static_key_slow_dec+31
bpf_stats_handler+236
proc_sys_call_handler+396
vfs_write+761
ksys_write+102
do_syscall_64+107
entry_SYSCALL_64_after_hwframe+103
Took 519 usec
text_poke_bp_batch(nr_entries=164)
text_poke_bp_batch+1
text_poke_finish+27
arch_jump_label_transform_apply+22
jump_label_update+98
__static_key_slow_dec_cpuslocked+64
static_key_slow_dec+31
bpf_stats_handler+236
proc_sys_call_handler+396
vfs_write+761
ksys_write+102
do_syscall_64+107
entry_SYSCALL_64_after_hwframe+103
Took 702 usec
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
---
arch/x86/kernel/alternative.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
index c71b575bf229..d7afbf822c45 100644
--- a/arch/x86/kernel/alternative.c
+++ b/arch/x86/kernel/alternative.c
@@ -2137,28 +2137,29 @@ struct text_poke_loc {
struct bp_patching_desc {
struct text_poke_loc *vec;
int nr_entries;
- atomic_t refs;
};
+static DEFINE_PER_CPU(atomic_t, bp_refs);
+
static struct bp_patching_desc bp_desc;
static __always_inline
struct bp_patching_desc *try_get_desc(void)
{
- struct bp_patching_desc *desc = &bp_desc;
+ atomic_t *refs = this_cpu_ptr(&bp_refs);
- if (!raw_atomic_inc_not_zero(&desc->refs))
+ if (!raw_atomic_inc_not_zero(refs))
return NULL;
- return desc;
+ return &bp_desc;
}
static __always_inline void put_desc(void)
{
- struct bp_patching_desc *desc = &bp_desc;
+ atomic_t *refs = this_cpu_ptr(&bp_refs);
smp_mb__before_atomic();
- raw_atomic_dec(&desc->refs);
+ raw_atomic_dec(refs);
}
static __always_inline void *text_poke_addr(struct text_poke_loc *tp)
@@ -2191,9 +2192,9 @@ noinstr int poke_int3_handler(struct pt_regs *regs)
* Having observed our INT3 instruction, we now must observe
* bp_desc with non-zero refcount:
*
- * bp_desc.refs = 1 INT3
- * WMB RMB
- * write INT3 if (bp_desc.refs != 0)
+ * bp_refs = 1 INT3
+ * WMB RMB
+ * write INT3 if (bp_refs != 0)
*/
smp_rmb();
@@ -2299,7 +2300,8 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
* Corresponds to the implicit memory barrier in try_get_desc() to
* ensure reading a non-zero refcount provides up to date bp_desc data.
*/
- atomic_set_release(&bp_desc.refs, 1);
+ for_each_possible_cpu(i)
+ atomic_set_release(per_cpu_ptr(&bp_refs, i), 1);
/*
* Function tracing can enable thousands of places that need to be
@@ -2413,8 +2415,12 @@ static void text_poke_bp_batch(struct text_poke_loc *tp, unsigned int nr_entries
/*
* Remove and wait for refs to be zero.
*/
- if (!atomic_dec_and_test(&bp_desc.refs))
- atomic_cond_read_acquire(&bp_desc.refs, !VAL);
+ for_each_possible_cpu(i) {
+ atomic_t *refs = per_cpu_ptr(&bp_refs, i);
+
+ if (!atomic_dec_and_test(refs))
+ atomic_cond_read_acquire(refs, !VAL);
+ }
}
static void text_poke_loc_init(struct text_poke_loc *tp, void *addr,
--
2.49.0.395.g12beb8f557-goog
Powered by blists - more mailing lists