From: Nadav Amit <nadav.amit@gmail.com>
To: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Jérôme Glisse" <jglisse@redhat.com>,
"Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>,
"open list:MEMORY MANAGEMENT" <linux-mm@kvack.org>,
"Dan Williams" <dan.j.williams@intel.com>,
"Ross Zwisler" <ross.zwisler@linux.intel.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Bernhard Held" <berny156@gmx.de>,
"Adam Borowski" <kilobyte@angband.pl>,
"Radim Krčmář" <rkrcmar@redhat.com>,
"Wanpeng Li" <kernellwp@gmail.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Takashi Iwai" <tiwai@suse.de>, "Mike Galbraith" <efault@gmx.de>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
axie <axie@amd.com>, "Andrew Morton" <akpm@linux-foundation.org>,
"Joerg Roedel" <joro@8bytes.org>,
iommu <iommu@lists.linux-foundation.org>
Subject: Re: [PATCH 02/13] mm/rmap: update to new mmu_notifier semantic
Date: Wed, 30 Aug 2017 16:25:54 -0700 [thread overview]
Message-ID: <75825BFF-8ACC-4CAB-93EB-AD9673747518@gmail.com> (raw)
In-Reply-To: <20170830212514.GI13559@redhat.com>
[cc’ing IOMMU people, which for some reason are not cc’d]
Andrea Arcangeli <aarcange@redhat.com> wrote:
> On Wed, Aug 30, 2017 at 11:00:32AM -0700, Nadav Amit wrote:
>> It is not trivial to flush TLBs (primary or secondary) without holding the
>> page-table lock, and as we recently encountered this resulted in several
>> bugs [1]. The main problem is that even if you perform the TLB flush
>> immediately after the PT-lock is released, you cause a situation in which
>> other threads may make decisions based on the updated PTE value, without
>> being aware that a TLB flush is needed.
>>
>> For example, we recently encountered a Linux bug when two threads run
>> MADV_DONTNEED concurrently on the same address range [2]. One of the threads
>> may update a PTE, setting it as non-present, and then deferring the TLB
>> flush (for batching). As a result, however, it would cause the second
>> thread, which also changes the PTEs to assume that the PTE is already
>> non-present and TLB flush is not necessary. As a result the second core may
>> still hold stale PTEs in its TLB following MADV_DONTNEED.
>
> The source of those complex races that requires taking into account
> nested tlb gather to solve it, originates from skipping primary MMU
> tlb flushes depending on the value of the pagetables (as an
> optimization).
>
> For mmu_notifier_invalidate_range_end we always ignore the value of
> the pagetables and mmu_notifier_invalidate_range_end always runs
> unconditionally invalidating the secondary MMU for the whole range
> under consideration. There are no optimizations that attempts to skip
> mmu_notifier_invalidate_range_end depending on the pagetable value and
> there's no TLB gather for secondary MMUs either. That is to keep it
> simple of course.
>
> As long as those mmu_notifier_invalidate_range_end stay unconditional,
> I don't see how those races you linked, can be possibly relevant in
> evaluating if ->invalidate_range (again only for iommuv2 and
> intel-svm) has to run inside the PT lock or not.
Thanks for the clarifications. It now makes much more sense.
>
>> There is a swarm of such problems, and some are not too trivial. Deferring
>> TLB flushes needs to be done in a very careful manner.
>
> I agree it's not trivial, but I don't think any complexity comes from
> above.
>
> The only complexity is about, what if the page is copied to some other
> page and replaced, because the copy is the only case where coherency
> could be retained by the primary MMU. What if the primary MMU starts
> working on the new page in between PT lock release and
> mmu_notifier_invalidate_range_end, while the secondary MMU is stuck on
> the old page? That is the only problem we deal with here, the copy to
> other page and replace. Any other case that doesn't involve the copy
> seems non coherent by definition, and you couldn't measure it.
>
> I can't think of a scenario that requires the explicit
> mmu_notifier_invalidate_range call before releasing the PT lock, at
> least for try_to_unmap_one.
>
> Could you think of a scenario where calling ->invalidate_range inside
> mmu_notifier_invalidate_range_end post PT lock breaks iommuv2 or
> intel-svm? Those two are the only ones requiring
> ->invalidate_range calls, all other mmu notifier users are safe
> without running mmu_notifier_invalidate_range_end under PT lock thanks
> to mmu_notifier_invalidate_range_start blocking the secondary MMU.
>
> Could you post a tangible scenario that invalidates my theory that
> those mmu_notifier_invalidate_range calls inside PT lock would be
> superfluous?
>
> Some of the scenarios under consideration:
>
> 1) migration entry -> migration_entry_wait -> page lock, plus
> migrate_pages taking the lock so it can't race with try_to_unmap
> from other places
> 2) swap entry -> lookup_swap_cache -> page lock (page not really replaced)
> 3) CoW -> do_wp_page -> page lock on old page
> 4) KSM -> replace_page -> page lock on old page
> 5) if the pte is zapped as in MADV_DONTNEED, no coherency possible so
> it's not measurable that we let the guest run a bit longer on the
> old page past PT lock release
For both CoW and KSM, the correctness is maintained by calling
ptep_clear_flush_notify(). If you defer the secondary MMU invalidation
(i.e., replacing ptep_clear_flush_notify() with ptep_clear_flush() ), you
will cause memory corruption, and page-lock would not be enough.
BTW: I see some calls to ptep_clear_flush_notify() which are followed
immediately after by set_pte_at_notify(). I do not understand why it makes
sense, as both notifications end up doing the same thing - invalidating the
secondary MMU. The set_pte_at_notify() in these cases can be changed to
set_pte(). No?
> If you could post a multi CPU trace that shows how iommuv2 or
> intel-svm are broken if ->invalidate_range is run inside
> mmu_notifier_invalidate_range_end post PT lock in try_to_unmap_one it
> would help.
>
> Of course if we run mmu_notifier_invalidate_range inside PT lock and
> we remove ->invalidate_range from mmu_notifier_invalidate_range_stop
> all will be obviously safe, so we could just do it to avoid thinking
> about the above, but the resulting code will be uglier and less
> optimal (even when disarmed there will be dummy branches I wouldn't
> love) and I currently can't see why it wouldn't be safe.
>
> Replacing a page completely without any relation to the old page
> content allows no coherency anyway, so even if it breaks you cannot
> measure it because it's undefined.
>
> If the page has a relation with the old contents and coherency has to
> be provided for both primary MMU and secondary MMUs, this relation
> between old and new page during the replacement, is enforced by some
> other mean besides the PT lock, migration entry on locked old page
> with migration_entry_wait and page lock in migrate_pages etc..
I think that basically you are correct, and assuming that you always
notify/invalidate unconditionally any PTE range you read/write, you are
safe. Yet, I want to have another look at the code. Anyhow, just deferring
all the TLB flushes, including those of set_pte_at_notify(), is likely to
result in errors.
Regards,
Nadav
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-08-30 23:25 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-29 23:54 [PATCH 00/13] mmu_notifier kill invalidate_page callback Jérôme Glisse
2017-08-29 23:54 ` [PATCH 01/13] dax: update to new mmu_notifier semantic Jérôme Glisse
2017-08-29 23:54 ` [PATCH 02/13] mm/rmap: " Jérôme Glisse
2017-08-30 2:46 ` Nadav Amit
2017-08-30 2:59 ` Jerome Glisse
2017-08-30 3:16 ` Nadav Amit
2017-08-30 3:18 ` Nadav Amit
2017-08-30 17:27 ` Andrea Arcangeli
2017-08-30 18:00 ` Nadav Amit
2017-08-30 21:25 ` Andrea Arcangeli
2017-08-30 23:25 ` Nadav Amit [this message]
2017-08-31 0:47 ` Jerome Glisse
2017-08-31 17:12 ` Andrea Arcangeli
2017-08-31 19:15 ` Nadav Amit
2017-08-30 18:20 ` Jerome Glisse
2017-08-30 18:40 ` Nadav Amit
2017-08-30 20:45 ` Jerome Glisse
2017-08-30 22:17 ` Andrea Arcangeli
2017-08-30 20:55 ` Andrea Arcangeli
2017-08-30 16:52 ` Andrea Arcangeli
2017-08-30 17:48 ` Jerome Glisse
2017-08-30 21:53 ` Linus Torvalds
2017-08-30 23:01 ` Andrea Arcangeli
2017-08-31 18:25 ` Jerome Glisse
2017-08-31 19:40 ` Linus Torvalds
2017-08-29 23:54 ` [PATCH 03/13] powerpc/powernv: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 04/13] drm/amdgpu: " Jérôme Glisse
2017-08-30 6:18 ` Christian König
2017-08-29 23:54 ` [PATCH 05/13] IB/umem: " Jérôme Glisse
2017-08-30 6:13 ` Leon Romanovsky
2017-08-29 23:54 ` [PATCH 06/13] IB/hfi1: " Jérôme Glisse
2017-09-06 14:08 ` Arumugam, Kamenee
2017-08-29 23:54 ` [PATCH 07/13] iommu/amd: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 08/13] iommu/intel: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 09/13] misc/mic/scif: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 10/13] sgi-gru: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 11/13] xen/gntdev: " Jérôme Glisse
2017-08-30 19:32 ` Boris Ostrovsky
2017-08-29 23:54 ` [PATCH 12/13] KVM: " Jérôme Glisse
2017-08-29 23:54 ` [PATCH 13/13] mm/mmu_notifier: kill invalidate_page Jérôme Glisse
2017-08-30 0:11 ` [PATCH 00/13] mmu_notifier kill invalidate_page callback Linus Torvalds
2017-08-30 0:56 ` Jerome Glisse
2017-08-30 8:40 ` Mike Galbraith
2017-08-30 14:57 ` Adam Borowski
2017-09-01 14:47 ` Jeff Cook
2017-09-01 14:50 ` taskboxtester
2017-11-30 9:33 ` BSOD with " Fabian Grünbichler
2017-11-30 11:20 ` Paolo Bonzini
2017-11-30 16:19 ` Radim Krčmář
2017-11-30 18:05 ` [PATCH 1/2] KVM: x86: fix APIC page invalidation Radim Krčmář
2017-11-30 18:05 ` [PATCH 2/2] TESTING! KVM: x86: add invalidate_range mmu notifier Radim Krčmář
2017-12-01 15:15 ` Paolo Bonzini
2017-12-03 17:24 ` Andrea Arcangeli
2017-12-01 12:21 ` [PATCH 1/2] KVM: x86: fix APIC page invalidation Fabian Grünbichler
2017-12-01 15:27 ` Paolo Bonzini
2017-12-03 17:28 ` Andrea Arcangeli
2017-12-06 2:32 ` Wanpeng Li
2017-12-06 9:50 ` 王金浦
2017-12-06 10:00 ` Paolo Bonzini
2017-12-06 8:15 ` Fabian Grünbichler
2017-12-13 12:54 ` Richard Purdie
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75825BFF-8ACC-4CAB-93EB-AD9673747518@gmail.com \
--to=nadav.amit@gmail.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=axie@amd.com \
--cc=berny156@gmx.de \
--cc=dan.j.williams@intel.com \
--cc=efault@gmx.de \
--cc=iommu@lists.linux-foundation.org \
--cc=jglisse@redhat.com \
--cc=joro@8bytes.org \
--cc=kernellwp@gmail.com \
--cc=kilobyte@angband.pl \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=ross.zwisler@linux.intel.com \
--cc=tiwai@suse.de \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox