Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65397C05027 for ; Mon, 20 Feb 2023 08:42:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231270AbjBTImq (ORCPT ); Mon, 20 Feb 2023 03:42:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56850 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229709AbjBTImn (ORCPT ); Mon, 20 Feb 2023 03:42:43 -0500 Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8DF92FF10; Mon, 20 Feb 2023 00:42:41 -0800 (PST) Received: from [192.168.192.83] (unknown [50.47.134.245]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id 4C0B9400DA; Mon, 20 Feb 2023 08:42:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1676882558; bh=StrKTfKysBD3dfJrS86VzFRzi9AR6e25y4+PwBzyDu8=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=L8VCslT2auUvAwpKcsP2g9o9bsfIyV6qdgJeSQKzSZnQYDuZbvoS+Ff4Z2omsIE56 eKFGKopkfcJ6Uti4i75w1p6DlApbEdL7l+C2c1h3gqqR7xdOgMwVVzLRgKZxVGjPyN tHyjrjNBqDsWj0/klp0jqqAPpzUdiXNz4HSeb5Uu/qslJ6yfIoIPopXKD8/rTo1ZP9 7NKmEgntlttAbdr5APjcp4b0PjcszgFFRIA8euLanq6hj2kUdp9wnE+2owd2Uv2bFD 4zAFIWjfS5/lOO69FdiV8DfqaMtZW3i6J0BXLeDjujyclJP945wvLYhU44JQQrvYrW jC4Z6NQCM4h8A== Message-ID: Date: Mon, 20 Feb 2023 00:42:35 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 Subject: Re: [PATCH v3] apparmor: global buffers spin lock may get contended Content-Language: en-US To: Sebastian Andrzej Siewior Cc: LKLM , Sergey Senozhatsky , Peter Zijlstra , Tomasz Figa , linux-security-module@vger.kernel.org, Anil Altinay References: <4595e7b4-ea31-5b01-f636-259e84737dfc@canonical.com> From: John Johansen Organization: Canonical In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/17/23 02:44, Sebastian Andrzej Siewior wrote: > On 2023-02-16 16:08:10 [-0800], John Johansen wrote: >> --- a/security/apparmor/lsm.c >> +++ b/security/apparmor/lsm.c >> @@ -49,12 +49,19 @@ union aa_buffer { >> char buffer[1]; >> }; >> +struct aa_local_cache { >> + unsigned int contention; >> + unsigned int hold; >> + struct list_head head; >> +}; > > if you stick a local_lock_t into that struct, then you could replace > cache = get_cpu_ptr(&aa_local_buffers); > with > local_lock(&aa_local_buffers.lock); > cache = this_cpu_ptr(&aa_local_buffers); > > You would get the preempt_disable() based locking for the per-CPU > variable (as with get_cpu_ptr()) and additionally some lockdep > validation which would warn if it is used outside of task context (IRQ). > I did look at local_locks and there was a reason I didn't use them. I can't recall as the original iteration of this is over a year old now. I will have to dig into it again. > I didn't parse completely the hold/contention logic but it seems to work > ;) > You check "cache->count >= 2" twice but I don't see an inc/ dec of it > nor is it part of aa_local_cache. > sadly I messed up the reordering of this and the debug patch. This will be fixed in v4. > I can't parse how many items can end up on the local list if the global > list is locked. My guess would be more than 2 due the ->hold parameter. > So this iteration, forces pushing back to global list if there are already two on the local list. The hold parameter just affects how long the buffers remain on the local list, before trying to place them back on the global list. Originally before the count was added more than 2 buffers could end up on the local list, and having too many local buffers is a waste of memory. The count got added to address this. The value of 2 (which should be switched to a define) was chosen because no mediation routine currently uses more than 2 buffers. Note that this doesn't mean that more than two buffers can be allocated to a tasks on a cpu. Its possible in some cases to have a task have allocated buffers and to still have buffers on the local cache list. > Do you have any numbers on the machine and performance it improved? It > sure will be a good selling point. > I can include some supporting info, for a 16 core machine. But it will take some time to for me to get access to a bigger machine, where this is much more important. Hence the call for some of the other people on this thread to test. thanks for the feedback