Date: Tue, 5 Jan 2021 22:41:19 +0000
From: Will Deacon
To: Andy Lutomirski
Cc: Andy Lutomirski, Nicholas Piggin, Mathieu Desnoyers, X86 ML,
	Arnd Bergmann, Benjamin Herrenschmidt, Catalin Marinas,
	linux-arm-kernel, LKML, linuxppc-dev, Michael Ellerman,
	Paul Mackerras, stable
Subject: Re: [RFC please help] membarrier: Rewrite sync_core_before_usermode()
Message-ID: 
<20210105224119.GA13005@willie-the-truck>
References: <20210105132623.GB11108@willie-the-truck>
 <7BFAB97C-1949-46A3-A1E2-DFE108DC7D5E@amacapital.net>
In-Reply-To: <7BFAB97C-1949-46A3-A1E2-DFE108DC7D5E@amacapital.net>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jan 05, 2021 at 08:20:51AM -0800, Andy Lutomirski wrote:
> > On Jan 5, 2021, at 5:26 AM, Will Deacon wrote:
> >
> > Sorry for the slow reply, I was socially distanced from my keyboard.
> >
> >> On Mon, Dec 28, 2020 at 04:36:11PM -0800, Andy Lutomirski wrote:
> >> On Mon, Dec 28, 2020 at 4:11 PM Nicholas Piggin wrote:
> >>>> +static inline void membarrier_sync_core_before_usermode(void)
> >>>> +{
> >>>> +	/*
> >>>> +	 * XXX: I know basically nothing about powerpc cache management.
> >>>> +	 * Is this correct?
> >>>> +	 */
> >>>> +	isync();
> >>>
> >>> This is not about memory ordering or cache management, it's about
> >>> pipeline management. Powerpc's return to user mode serializes the
> >>> CPU (aka the hardware thread, _not_ the core; another wrongness of
> >>> the name, but AFAIKS the HW thread is what is required for
> >>> membarrier). So this is wrong, powerpc needs nothing here.
> >>
> >> Fair enough. I'm happy to defer to you on the powerpc details. In
> >> any case, this just illustrates that we need feedback from a person
> >> who knows more about ARM64 than I do.
> >
> > I think we're in a very similar boat to PowerPC, fwiw. Roughly speaking:
> >
> >  1. SYNC_CORE does _not_ perform any cache management; that is the
> >     responsibility of userspace, either by executing the relevant
> >     maintenance instructions (arm64) or a system call (arm32).
> >     Crucially, the hardware will ensure that this cache maintenance is
> >     broadcast to all other CPUs.
>
> Is this guaranteed regardless of any aliases?
> That is, if I flush from one CPU at one VA and then execute the same
> physical address from another CPU at a different VA, does this still
> work?

The data side will be fine, but the instruction side can have virtual
aliases. We handle this in flush_ptrace_access() by blowing away the
whole I-cache if we're not physically-indexed, but userspace would be in
trouble if it wanted to handle this situation alone.

> >  2. Even with all the cache maintenance in the world, a CPU could have
> >     speculatively fetched stale instructions into its "pipeline" ahead
> >     of time, and these are _not_ flushed by the broadcast maintenance
> >     instructions in (1). SYNC_CORE provides a means for userspace to
> >     discard these stale instructions.
> >
> >  3. The context synchronization event on exception entry/exit is
> >     sufficient here. The Arm ARM isn't very good at describing what it
> >     does, because it's in denial about the existence of a pipeline, but
> >     it does have snippets such as:
> >
> >     (s/PE/CPU/)
> >     | For all types of memory:
> >     |   The PE might have fetched the instructions from memory at any
> >     |   time since the last Context synchronization event on that PE.
> >
> > Interestingly, the architecture recently added a control bit to remove
> > this synchronisation from exception return, so if we set that then we'd
> > have a problem with SYNC_CORE and adding an ISB would be necessary (and
> > we could probably then make kernel->kernel returns cheaper, but I
> > suspect we're relying on this implicit synchronisation in other places
> > too).
>
> Is ISB just a context synchronization event or does it do more?

That's a good question. Barrier instructions on ARM do tend to get
overloaded with extra behaviours over time, so it could certainly end up
doing the context synchronization event + extra stuff in future.
Right now, the only thing that springs to mind is the spectre-v1 heavy
mitigation barrier of 'DSB; ISB' which, for example, probably doesn't
work for 'DSB; ERET' because the ERET can be treated like a conditional
(!) branch.

> On x86, it’s very hard to tell that MFENCE does any more than LOCK, but
> it’s much slower. And we have LFENCE, which, as documented, doesn’t
> appear to have any semantics at all. (Or at least it didn’t before
> Spectre.)

I tend to think of ISB as a front-end barrier relating to instruction
fetch whereas DMB, acquire/release and DSB are all back-end barriers
relating to memory accesses. You _can_ use ISB in conjunction with
control dependencies to order a pair of loads (like you can with ISYNC
on Power), but it's a really expensive way to do it.

> > Are you seeing a problem in practice, or did this come up while
> > trying to decipher the semantics of SYNC_CORE?
>
> It came up while trying to understand the code and work through various
> bugs in it. The code was written using something approximating x86
> terminology, but it was definitely wrong on x86 (at least if you believe
> the SDM, and I haven’t convinced any architects to say otherwise).

Ok, thanks.

Will
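[Editor's note: the userspace side of the contract described in points
(1) and (2) above can be sketched in C. This is an illustration, not
code from the thread: jit_publish() is a hypothetical helper name; the
MEMBARRIER_* constants are the values from <linux/membarrier.h>, and
__builtin___clear_cache() is the portable GCC/Clang cache-maintenance
primitive, which compiles to nothing on x86 and to the broadcast
DC CVAU / IC IVAU sequence plus barriers on arm64.]

```c
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for the <linux/membarrier.h> command values. */
#ifndef MEMBARRIER_CMD_QUERY
#define MEMBARRIER_CMD_QUERY					0
#define MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE		(1 << 5)
#define MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_SYNC_CORE	(1 << 6)
#endif

/* No glibc wrapper for membarrier(2); invoke it directly. */
static long membarrier(int cmd, unsigned int flags)
{
	return syscall(__NR_membarrier, cmd, flags);
}

/*
 * Copy freshly generated instructions into an executable buffer and make
 * them safe to run from any thread of this process.  Returns 0 on
 * success, -1 if SYNC_CORE is unsupported on this kernel/architecture.
 */
int jit_publish(void *exec_buf, const void *code, size_t len)
{
	long supported = membarrier(MEMBARRIER_CMD_QUERY, 0);

	if (supported < 0 ||
	    !(supported & MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE))
		return -1;
	if (membarrier(MEMBARRIER_CMD_REGISTER_PRIVATE_EXPEDITED_SYNC_CORE, 0))
		return -1;

	/*
	 * Point (1): writing the code and performing the (broadcast)
	 * cache maintenance is userspace's responsibility.
	 */
	memcpy(exec_buf, code, len);
	__builtin___clear_cache((char *)exec_buf, (char *)exec_buf + len);

	/*
	 * Point (2): ask the kernel to discard any stale instructions the
	 * other CPUs may have speculatively fetched, via the serializing
	 * return-to-usermode on every CPU running this process.
	 */
	if (membarrier(MEMBARRIER_CMD_PRIVATE_EXPEDITED_SYNC_CORE, 0))
		return -1;

	return 0;
}
```

Note the split of responsibilities matching the discussion: the cache
maintenance is userspace's job (and the hardware broadcasts it), while
the SYNC_CORE command covers only the stale-pipeline problem.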