Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Wed, 16 Jun 2021 14:19:49 +1000
From:   Nicholas Piggin <npiggin@gmail.com>
Subject: Re: [PATCH 4/8] membarrier: Make the post-switch-mm barrier explicit
To:     Andy Lutomirski <luto@kernel.org>, x86@kernel.org
Cc:     Andrew Morton <akpm@linux-foundation.org>,
        Dave Hansen <dave.hansen@intel.com>,
        LKML <linux-kernel@vger.kernel.org>, linux-mm@kvack.org,
        Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
        Peter Zijlstra <peterz@infradead.org>
References: <cover.1623813516.git.luto@kernel.org>
        <f184d013a255a523116b692db4996c5db2569e86.1623813516.git.luto@kernel.org>
In-Reply-To: <f184d013a255a523116b692db4996c5db2569e86.1623813516.git.luto@kernel.org>
MIME-Version: 1.0
Message-Id: <1623816595.myt8wbkcar.astroid@bobo.none>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

Excerpts from Andy Lutomirski's message of June 16, 2021 1:21 pm:
> membarrier() needs a barrier after any CPU changes mm.  There is currentl=
y
> a comment explaining why this barrier probably exists in all cases.  This
> is very fragile -- any change to the relevant parts of the scheduler
> might get rid of these barriers, and it's not really clear to me that
> the barrier actually exists in all necessary cases.

The comments and barriers in the mmdrop() hunks? I don't see what is=20
fragile or maybe-buggy about this. The barrier definitely exists.

And any change can change anything, that doesn't make it fragile. My
lazy tlb refcounting change avoids the mmdrop in some cases, but it
replaces it with smp_mb for example.

If you have some later changes that require this, can you post them
or move this patch to them?

>=20
> Simplify the logic by adding an explicit barrier, and allow architectures
> to override it as an optimization if they want to.
>=20
> One of the deleted comments in this patch said "It is therefore
> possible to schedule between user->kernel->user threads without
> passing through switch_mm()".  It is possible to do this without, say,
> writing to CR3 on x86, but the core scheduler indeed calls
> switch_mm_irqs_off() to tell the arch code to go back from lazy mode
> to no-lazy mode.

Context switching threads provides a barrier as well, so that comment at=20
least probably stands to be improved.

Thanks,
Nick

>=20
> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> Cc: Nicholas Piggin <npiggin@gmail.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Signed-off-by: Andy Lutomirski <luto@kernel.org>
> ---
>  include/linux/sched/mm.h | 21 +++++++++++++++++++++
>  kernel/kthread.c         | 12 +-----------
>  kernel/sched/core.c      | 35 +++++++++--------------------------
>  3 files changed, 31 insertions(+), 37 deletions(-)
>=20
> diff --git a/include/linux/sched/mm.h b/include/linux/sched/mm.h
> index 10aace21d25e..c6eebbafadb0 100644
> --- a/include/linux/sched/mm.h
> +++ b/include/linux/sched/mm.h
> @@ -341,6 +341,27 @@ enum {
>  	MEMBARRIER_FLAG_RSEQ		=3D (1U << 1),
>  };
> =20
> +#ifdef CONFIG_MEMBARRIER
> +
> +/*
> + * Called by the core scheduler after calling switch_mm_irqs_off().
> + * Architectures that have implicit barriers when switching mms can
> + * override this as an optimization.
> + */
> +#ifndef membarrier_finish_switch_mm
> +static inline void membarrier_finish_switch_mm(int membarrier_state)
> +{
> +	if (membarrier_state & (MEMBARRIER_STATE_GLOBAL_EXPEDITED | MEMBARRIER_=
STATE_PRIVATE_EXPEDITED))
> +		smp_mb();
> +}
> +#endif
> +
> +#else
> +
> +static inline void membarrier_finish_switch_mm(int membarrier_state) {}
> +
> +#endif
> +
>  #ifdef CONFIG_ARCH_HAS_MEMBARRIER_CALLBACKS
>  #include <asm/membarrier.h>
>  #endif
> diff --git a/kernel/kthread.c b/kernel/kthread.c
> index fe3f2a40d61e..8275b415acec 100644
> --- a/kernel/kthread.c
> +++ b/kernel/kthread.c
> @@ -1325,25 +1325,15 @@ void kthread_use_mm(struct mm_struct *mm)
>  	tsk->mm =3D mm;
>  	membarrier_update_current_mm(mm);
>  	switch_mm_irqs_off(active_mm, mm, tsk);
> +	membarrier_finish_switch_mm(atomic_read(&mm->membarrier_state));
>  	local_irq_enable();
>  	task_unlock(tsk);
>  #ifdef finish_arch_post_lock_switch
>  	finish_arch_post_lock_switch();
>  #endif
> =20
> -	/*
> -	 * When a kthread starts operating on an address space, the loop
> -	 * in membarrier_{private,global}_expedited() may not observe
> -	 * that tsk->mm, and not issue an IPI. Membarrier requires a
> -	 * memory barrier after storing to tsk->mm, before accessing
> -	 * user-space memory. A full memory barrier for membarrier
> -	 * {PRIVATE,GLOBAL}_EXPEDITED is implicitly provided by
> -	 * mmdrop(), or explicitly with smp_mb().
> -	 */
>  	if (active_mm !=3D mm)
>  		mmdrop(active_mm);
> -	else
> -		smp_mb();
> =20
>  	to_kthread(tsk)->oldfs =3D force_uaccess_begin();
>  }
> diff --git a/kernel/sched/core.c b/kernel/sched/core.c
> index e4c122f8bf21..329a6d2a4e13 100644
> --- a/kernel/sched/core.c
> +++ b/kernel/sched/core.c
> @@ -4221,15 +4221,6 @@ static struct rq *finish_task_switch(struct task_s=
truct *prev)
> =20
>  	fire_sched_in_preempt_notifiers(current);
> =20
> -	/*
> -	 * When switching through a kernel thread, the loop in
> -	 * membarrier_{private,global}_expedited() may have observed that
> -	 * kernel thread and not issued an IPI. It is therefore possible to
> -	 * schedule between user->kernel->user threads without passing though
> -	 * switch_mm(). Membarrier requires a barrier after storing to
> -	 * rq->curr, before returning to userspace, and mmdrop() provides
> -	 * this barrier.
> -	 */
>  	if (mm)
>  		mmdrop(mm);
> =20
> @@ -4311,15 +4302,14 @@ context_switch(struct rq *rq, struct task_struct =
*prev,
>  			prev->active_mm =3D NULL;
>  	} else {                                        // to user
>  		membarrier_switch_mm(rq, prev->active_mm, next->mm);
> +		switch_mm_irqs_off(prev->active_mm, next->mm, next);
> +
>  		/*
>  		 * sys_membarrier() requires an smp_mb() between setting
> -		 * rq->curr / membarrier_switch_mm() and returning to userspace.
> -		 *
> -		 * The below provides this either through switch_mm(), or in
> -		 * case 'prev->active_mm =3D=3D next->mm' through
> -		 * finish_task_switch()'s mmdrop().
> +		 * rq->curr->mm to a membarrier-enabled mm and returning
> +		 * to userspace.
>  		 */
> -		switch_mm_irqs_off(prev->active_mm, next->mm, next);
> +		membarrier_finish_switch_mm(rq->membarrier_state);
> =20
>  		if (!prev->mm) {                        // from kernel
>  			/* will mmdrop() in finish_task_switch(). */
> @@ -5121,17 +5111,10 @@ static void __sched notrace __schedule(bool preem=
pt)
>  		RCU_INIT_POINTER(rq->curr, next);
>  		/*
>  		 * The membarrier system call requires each architecture
> -		 * to have a full memory barrier after updating
> -		 * rq->curr, before returning to user-space.
> -		 *
> -		 * Here are the schemes providing that barrier on the
> -		 * various architectures:
> -		 * - mm ? switch_mm() : mmdrop() for x86, s390, sparc, PowerPC.
> -		 *   switch_mm() rely on membarrier_arch_switch_mm() on PowerPC.
> -		 * - finish_lock_switch() for weakly-ordered
> -		 *   architectures where spin_unlock is a full barrier,
> -		 * - switch_to() for arm64 (weakly-ordered, spin_unlock
> -		 *   is a RELEASE barrier),
> +		 * to have a full memory barrier before and after updating
> +		 * rq->curr->mm, before returning to userspace.  This
> +		 * is provided by membarrier_finish_switch_mm().  Architectures
> +		 * that want to optimize this can override that function.
>  		 */
>  		++*switch_count;
> =20
> --=20
> 2.31.1
>=20
>=20