Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp491473ybt; Wed, 1 Jul 2020 03:28:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJysIGHa+yIxhP651aGU+04K3w8y4Yhh4D4NvaFu4YE63XtUVbwMVTKG6nxp/7tELNLAIsAx X-Received: by 2002:a17:906:1d5b:: with SMTP id o27mr17590851ejh.367.1593599287300; Wed, 01 Jul 2020 03:28:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593599287; cv=none; d=google.com; s=arc-20160816; b=QoVS7ei4Ik7rOYRHR/Z4vug+0FLMYvEv1ghz/1JzZ/JT62L7mU5kcpiuQiPAfNFOfI q0GHCDx24wmF/zijLi+UUP5UgzoeC5xntHxRuUp1FrKwpYsgfLaWkfKZ/N2Mi5L2bpze YjypqSGV7Ir/V1qiwqCyw7xtmQ4htbtpPRjUXl/naow+l7C5ckra+QrtAxjviJDg/ekg PhMmyXttQ80ny8PQLwnfKU1R41XRyG/4mEnbKjWWvH7tNqJMqHqb1CZvKkBRCXpeP8FU kCzYwAxw2RW/koaiK2KOe2LvMOOmyi4U5GHQQU8a5vZAgnjlUPGLiwx1MZtgzlwb6g+Q 8+YA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=a697tV2clMSvdjZizG33UsgO9bE3mtJCih3wp8fuo9c=; b=BMBsamxG672FIQ5RQiVCArzPwHC9zdcdczu6lwEvmh4D89QXqy0+VP3usT+K7cvekt M0/Lfgof/CmBgln4zVsha8GUWKWWvXquJcHTqZABuxJ/v5d4rVy5qUnHeh1CzQ78FCzx nE3r1zW2+jYqq/swC61GacB+T/tBBLlzeKtx592bNw/Ucd+sW8XiAxE/BjJ6ZoKXyFMM 4BzByIY3B+puK37tPnVU0YsWMplugchfFrzYrotmnglwCKxoC1yQpNsceW/BEdwYti7k X8B5yG+zozGNt4HQCSBxOb4DMupEPYw07Kzna2GesC7thYGAz6rTqJ/j0rC3mUrkjZ/+ uWvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2MIdgHcm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t22si3489209edr.571.2020.07.01.03.27.43; Wed, 01 Jul 2020 03:28:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=2MIdgHcm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729834AbgGAKZj (ORCPT + 99 others); Wed, 1 Jul 2020 06:25:39 -0400 Received: from mail.kernel.org ([198.145.29.99]:43946 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729180AbgGAKZi (ORCPT ); Wed, 1 Jul 2020 06:25:38 -0400 Received: from willie-the-truck (236.31.169.217.in-addr.arpa [217.169.31.236]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 61FB02067D; Wed, 1 Jul 2020 10:25:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1593599137; bh=jhLhsiid/JHPTIQixozqrmVK7Z7yivTR5uDy/0fEI4U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=2MIdgHcm8hZxwfkiuFehiZvcf3/Tr5GQA+93bWFROSIzCHdkqIW0C336sqCSrcoOe 9IGFq8THz2jtH5mtcNylSPiv8N8xlfrvpic2hj5lk+Rk4Eb7rCXBL3olxKyBxMCDvy 0GTZR7CuylPcMkoeFsVzizN2x+JiEUGVw6wBlss8= Date: Wed, 1 Jul 2020 11:25:31 +0100 From: Will Deacon To: Sami Tolvanen Cc: Marco Elver , LKML , Nick Desaulniers , Kees Cook , "Paul E. McKenney" , Josh Triplett , Matt Turner , Ivan Kokshaysky , Richard Henderson , Peter Zijlstra , Alan Stern , "Michael S. Tsirkin" , Jason Wang , Arnd Bergmann , Boqun Feng , Catalin Marinas , Mark Rutland , linux-arm-kernel , linux-alpha@vger.kernel.org, virtualization@lists.linux-foundation.org, Android Kernel Team Subject: Re: [PATCH 18/18] arm64: lto: Strengthen READ_ONCE() to acquire when CLANG_LTO=y Message-ID: <20200701102531.GE14959@willie-the-truck> References: <20200630173734.14057-1-will@kernel.org> <20200630173734.14057-19-will@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 30, 2020 at 03:57:54PM -0700, Sami Tolvanen wrote: > On Tue, Jun 30, 2020 at 12:47 PM Marco Elver wrote: > > > > On Tue, 30 Jun 2020 at 19:39, Will Deacon wrote: > > > > > > When building with LTO, there is an increased risk of the compiler > > > converting an address dependency headed by a READ_ONCE() invocation > > > into a control dependency and consequently allowing for harmful > > > reordering by the CPU. > > > > > > Ensure that such transformations are harmless by overriding the generic > > > READ_ONCE() definition with one that provides acquire semantics when > > > building with LTO. > > > > > > Signed-off-by: Will Deacon > > > --- > > > arch/arm64/include/asm/rwonce.h | 63 +++++++++++++++++++++++++++++++ > > > arch/arm64/kernel/vdso/Makefile | 2 +- > > > arch/arm64/kernel/vdso32/Makefile | 2 +- > > > 3 files changed, 65 insertions(+), 2 deletions(-) > > > create mode 100644 arch/arm64/include/asm/rwonce.h > > > > This seems reasonable, given we can't realistically tell the compiler > > about dependent loads. What (if any), is the performance impact? I > > guess this also heavily depends on the actual silicon. > > > > I do wonder, though, if there is some way to make the compiler do > > something better for us. Clearly, implementing real > > memory_order_consume hasn't worked out until today. But maybe the > > compiler could promote dependent loads to acquires if it recognizes it > > lost dependencies during optimizations. Just thinking out loud, it > > probably still has some weird corner case that will break. ;-) > > > > The other thing is that I'd be cautious blaming LTO, as I tried to > > summarize here: > > https://lore.kernel.org/kernel-hardening/20200630191931.GA884155@elver.google.com/ > > > > The main thing is that, yes, this might be something to be worried > > about, but if we are worried about it, we need to be worried about it > > in *all* builds (LTO or not). My guess is that's not acceptable. Would > > it be better to just guard the promotion of READ_ONCE() to acquire > > behind a config option like CONFIG_ACQUIRE_READ_DEPENDENCIES, and then > > make LTO select that (or maybe leave it optional?). In future, for > > very aggressive non-LTO compilers even, one may then also select that > > if there is substantiated worry things do actually break. > > I agree, a separate config option would be better here. > > Also Will, the LTO patches use CONFIG_LTO_CLANG instead of CLANG_LTO. D'oh, sorry. I'll fix that (I had that #ifdef commented out for my testing). Will