| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Jul 2020 21:26:35 +0000
From: "Bshara, Nafea" <nafea@...zon.com>
To: "Agroskin, Shay" <shayagr@...zon.com>,
Eric Dumazet <eric.dumazet@...il.com>
CC: "Kiyanovski, Arthur" <akiyano@...zon.com>,
"davem@...emloft.net" <davem@...emloft.net>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"Woodhouse, David" <dwmw@...zon.co.uk>,
"Machulsky, Zorik" <zorik@...zon.com>,
"Matushevsky, Alexander" <matua@...zon.com>,
"Bshara, Saeed" <saeedb@...zon.com>,
"Wilson, Matt" <msw@...zon.com>,
"Liguori, Anthony" <aliguori@...zon.com>,
"Tzalik, Guy" <gtzalik@...zon.com>,
"Belgazal, Netanel" <netanel@...zon.com>,
"Saidi, Ali" <alisaidi@...zon.com>,
"Herrenschmidt, Benjamin" <benh@...zon.com>,
"Dagan, Noam" <ndagan@...zon.com>,
"Jubran, Samih" <sameehj@...zon.com>
Subject: Re: [PATCH V2 net-next 1/7] net: ena: avoid unnecessary rearming of
interrupt vector when busy-polling
>>
>> As explained, a busy-poll session exists for a specified timeout
>> value, after which it exits the busy-poll mode and re-enters it later.
>> This leads to many invocations of the napi handler where
>> napi_complete_done() false indicates that interrupts should be
>> re-enabled.
>> This creates a bug in which the interrupts are re-enabled
>> unnecessarily.
>> To reproduce this bug:
>> 1) echo 50 | sudo tee /proc/sys/net/core/busy_poll
>> 2) echo 50 | sudo tee /proc/sys/net/core/busy_read
>> 3) Add counters that check whether
>> 'ena_unmask_interrupt(tx_ring, rx_ring);'
>> is called without disabling the interrupts in the first
>> place (i.e. with calling the interrupt routine
>> ena_intr_msix_io())
>>
>> Steps 1+2 enable busy-poll as the default mode for new connections.
>>
>> The busy poll routine rearms the interrupts after every session by
>> design, and so we need to add an extra check that the interrupts were
>> masked in the first place.
>>
>> Signed-off-by: Shay Agroskin <shayagr@...zon.com>
>> Signed-off-by: Arthur Kiyanovski <akiyano@...zon.com>
>> ---
>> drivers/net/ethernet/amazon/ena/ena_netdev.c | 7 ++++++-
>> drivers/net/ethernet/amazon/ena/ena_netdev.h | 1 +
>> 2 files changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.c b/drivers/net/ethernet/amazon/ena/ena_netdev.c
>> index 91be3ffa1c5c..90c0fe15cd23 100644
>> --- a/drivers/net/ethernet/amazon/ena/ena_netdev.c
>> +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c
>> @@ -1913,7 +1913,9 @@ static int ena_io_poll(struct napi_struct *napi, int budget)
>> /* Update numa and unmask the interrupt only when schedule
>> * from the interrupt context (vs from sk_busy_loop)
>> */
>> - if (napi_complete_done(napi, rx_work_done)) {
>> + if (napi_complete_done(napi, rx_work_done) &&
>> + READ_ONCE(ena_napi->interrupts_masked)) {
>> + WRITE_ONCE(ena_napi->interrupts_masked, false);
>> /* We apply adaptive moderation on Rx path only.
>> * Tx uses static interrupt moderation.
>> */
>> @@ -1961,6 +1963,9 @@ static irqreturn_t ena_intr_msix_io(int irq, void *data)
>>
>> ena_napi->first_interrupt = true;
>>
>> + WRITE_ONCE(ena_napi->interrupts_masked, true);
>> + smp_wmb(); /* write interrupts_masked before calling napi */
>
> It is not clear where is the paired smp_wmb()
>
Can you please explain what you mean ? The idea of adding the store barrier here is to ensure that the WRITE_ONCE(…) invocation is executed before
[NB] There are two aspects . if we doing smp_wmb() when WRITE_ONCE(...true), then u need to so smp_wmb() in the place u do WRITE_ONCE(...false)
[NB] Eric also highlighted need for smp_rmb(). That's not needed here in my opinion
[NB] as the main objective is to make the write observable across all the cores in CPUs that have weaker consistency model and don’t guarantee write observability across all cores (like arm and ppc)
invoking the napi soft irq. From what I gathered using this command would result in compiler barrier (which would prevent it from executing the bool store after napi scheduling) on x86
and a memory barrier on ARM64 machines which have a weaker consistency model.
>> +
>> napi_schedule_irqoff(&ena_napi->napi);
>>
>> return IRQ_HANDLED;
>> diff --git a/drivers/net/ethernet/amazon/ena/ena_netdev.h b/drivers/net/ethernet/amazon/ena/ena_netdev.h
>> index ba030d260940..89304b403995 100644
>> --- a/drivers/net/ethernet/amazon/ena/ena_netdev.h
>> +++ b/drivers/net/ethernet/amazon/ena/ena_netdev.h
>> @@ -167,6 +167,7 @@ struct ena_napi {
>> struct ena_ring *rx_ring;
>> struct ena_ring *xdp_ring;
>> bool first_interrupt;
>> + bool interrupts_masked;
>> u32 qid;
>> struct dim dim;
>> };
>>
>
> Note that writing/reading over bool fields from hard irq context without proper sync is not generally allowed.
>
> Compiler could perform RMW over plain 32bit words.
Doesn't the READ/WRITE_ONCE macros prevent the compiler from reordering these instructions ? Also from what I researched (please correct me if I'm wrong here)
both x86 and ARM don't allow reordering LOAD and STORE when they access
the same variable (register or memory address).
[NB] that is true within the same core. But if store is in interrupt routine, and load is in napi, they could be running on different cores hence you use smp_wmb to make it observable
[NB] the key in this design that u set the bit, send smp_wmb(), before waking up napi, or ordering and observability is guaranteed
>
> Sometimes we accept the races, but in this context this might be bad.
As long a the writing of the flag is atomic in the sense that the value in memory isn't some hybrid value of two parallel stores, the existing race cannot result in a dead lock or
leaving the interrupt vector masked. Am I missing something ?
[NB] the race would exist if napi was running in same time interrupt routine is running
[NB] but in ENA design, that wont happen, and it is guarantee that only one of them is running at same time, as the interrupt is unmasked only at the end of napi() job
[NB] as Eric mention, this should be documented
Thank you for taking the time to look at this patch.
Shay
Powered by blists - more mailing lists