Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp118705imm; Thu, 21 Jun 2018 15:03:50 -0700 (PDT) X-Google-Smtp-Source: ADUXVKK42lR6vN/BMfjSQJhoAI/QS8Xu95bHz9Vg1m0hgInuHcBcnkZvt9gO5Vg2qeEW1XtPE2gw X-Received: by 2002:a62:50d6:: with SMTP id g83-v6mr29020302pfj.31.1529618629953; Thu, 21 Jun 2018 15:03:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529618629; cv=none; d=google.com; s=arc-20160816; b=k3W1tAKrzIzd1MgL/LOg4snTmzaH6v3kuev2Akefd4k7ya4nB12VE9fIDDAfZu/6fv gEQxaQ7fcyE2H6Ylc9BrKv/1yoUz8xGQyZfC/91D4gKhMLswrjhvhGGGw9HE8Boqolqy oWSNNRpvxkqCC8B/07IZzk0QWV1xnuToEIPgB7HJ//wL/9Yt1kbEUFzqBOnZLJDJBK9K s2YlUvSTn9Uv3Y+WE8nuDbAKDhssxPqiUshItsXFlGlclrxmxR7vjnYixzOcyxwF5PdU seXKBLMC46moIfdOn4gLWQQj3TwRM6iKpr0N/GrBsvfr6IxDDyJg2hBsm3c4P/koQ421 Jz2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=7AWWU6BLeKKPEtu9zaMcxB5wTvxiCX0v2GFxA5XG570=; b=exvL3rbCQc6m+r4HVUFm14G9IExJrGnhDjG1uFqePLh2RDjEQVlq68ZvYGRgoVjs27 UOKdZJW+qQ0sFwpdHeuhpyP0aRC0XUXD9vZX65bStcAZWy8MosX4Au0G2bnsluiS5ASe FDKYZycRTMfLda1n1XkWU/k4r6vp9V0Mdj27v643HjBFjb6dIepkC98GSGi7u6qv16uN wU1wOpb87MV7Na9ZLkwYRQG6NxmJc6OcTe19/c+TJHQJmKJTWXwwqEXyhrOZhg7SXN15 afIiit1HBo3mDt9VQxC1GCzR4H8mOB69AfUkLz3/BdBm0ysONoe54guOXL0AGDkU7TI6 W9/g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t20-v6si999386ply.146.2018.06.21.15.03.35; Thu, 21 Jun 2018 15:03:49 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933741AbeFUWAe (ORCPT + 99 others); Thu, 21 Jun 2018 18:00:34 -0400 Received: from mga03.intel.com ([134.134.136.65]:29546 "EHLO mga03.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933705AbeFUWAd (ORCPT ); Thu, 21 Jun 2018 18:00:33 -0400 X-Amp-Result: UNSCANNABLE X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Jun 2018 15:00:32 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.51,253,1526367600"; d="scan'208";a="68973792" Received: from romley-ivt3.sc.intel.com ([172.25.110.60]) by orsmga002.jf.intel.com with ESMTP; 21 Jun 2018 15:00:32 -0700 Date: Thu, 21 Jun 2018 15:00:03 -0700 From: Fenghua Yu To: Thomas Gleixner Cc: Fenghua Yu , Peter Zijlstra , Ingo Molnar , "H. Peter Anvin" , Ashok Raj , Dave Hansen , Rafael Wysocki , Tony Luck , Alan Cox , Ravi V Shankar , Arjan van de Ven , linux-kernel , x86 Subject: Re: [RFC PATCH 00/16] x86/split_lock: Enable #AC exception for split locked accesses Message-ID: <20180621220003.GD114883@romley-ivt3.sc.intel.com> References: <1527435965-202085-1-git-send-email-fenghua.yu@intel.com> <20180621193738.GA13636@worktop.programming.kicks-ass.net> <20180621201851.GC114883@romley-ivt3.sc.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.23 (2014-03-12) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 21, 2018 at 10:32:57PM +0200, Thomas Gleixner wrote: > On Thu, 21 Jun 2018, Fenghua Yu wrote: > > On Thu, Jun 21, 2018 at 09:37:38PM +0200, Peter Zijlstra wrote: > > > On Sun, May 27, 2018 at 08:45:49AM -0700, Fenghua Yu wrote: > > > > Currently we can trace split lock event counter for debug purpose. But > > > > > > How? A while ago I actually tried that, but I could not find a suitable > > > perf event. > > > > The event name is called sq_misc.split_lock. It's been supported in perf > > already. > > So the obvious question is why not simply use that counter and capture the > IP which triggers the event? > The sq_misc.split_lock event is AFTER the fact and insufficient to capture split lock before the instruction is executed for system deployed in the field. #AC for split lock is triggered BEFORE the instruction is executed. For example, on a consolidated real-time machine, some cores are running hard real time workloads while the rest of cores are running "untrusted" user processes. One untrusted user process may execute an instruction that accesses split locked data and causes bus locking on the whole machine to block real time workloads to access memory. In this case, capturing split lock perf event won't immediately help the real time workloads. With #AC for split lock, the split lock is detected before the instruction hurts hard real time workloads and the untrusted process can be killed or system admin gets warning depending on policy. Without #AC for split lock feature, such consolidated real-time design is impossible. Another example, in a public cloud deployed in the field, a user process in a guest can execute an instruction with split lock to slow down overall performance of other guests and host. This process could be a misdesigned process or a malware. #AC for split lock can kill the process or provide warning before harm. On the other hand, the perf event needs perf to run to monitor the event on the public cloud and doesn't really prevent the split lock from hurting system performance. And perf cannot count split lock events in firmware. In real time, even split lock in firmware (reboot, run time services, etc) may not be tolerant and need to be detected and prevented. Do the examples make sense? > I can see that this wont cover the early boot process, but there it's > enough to catch #AC once, yell loudly and then disable the thing. I'm not > seing the value of adding 1000 lines of code with lots of control knobs. > > I might be missing something though and am happy to be educated. > Right. Code won't cover the early boot process. It only covers boot process after the feature is enabled. After disabling #AC split lock after catching #AC once, any future split lock will not generate #AC any more. The control knobs allow sysadmin to handle #AC for split lock in different scenarios and usages. The control knob for kernel is to choose re-executing the faulting instruction (default) or kernel panic. Kernel panic may be useful in hard real time which has less tolerant to bad performance. The control knob for user is to choose killing the process (default) or re-executing the faulting instruction without blocking the process. Re-executing the instruction maybe be useful in platforms that run well controlled apps with less split locks. The control knob for firmware is to choose continuing firmware execution by disabling #AC split lock (default) or stopping firmware execution by enabling #AC for split lock. Stopping firmware execution may be useful in hard real time system to identify any split lock issue on the platform. So the control knobs may be useful for different scenarios, right? Thanks. -Fenghua