From: Phil Hofer <phil@sunfi.sh>
To: "jason@zx2c4.com" <jason@zx2c4.com>
Cc: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: last_under_load on 32-bit systems
Date: Fri, 14 Dec 2018 19:37:55 +0000 [thread overview]
Message-ID: <0oqG1T7qs16b0xaYr-Ms4h-ruPx_fLfU7or8BZoGmr5BZkbYPpBANDJz_yIr7tfxsxpFPTdDznDdjjLk6FMyoO2LPwhKI-uNZvmFtroeqbY=@sunfi.sh> (raw)
[-- Attachment #1.1.1: Type: text/plain, Size: 1838 bytes --]
Hey Jason,
First off, thanks for this wonderful project.
I have a question/comment regarding a bit of kernel code.
Background:
src/receive.c has the following code (lightly edited):
---
static u64 last_under_load;
bool under_load;
under_load = ...;
if (under_load)
last_under_load = ktime_get_boot_fast_ns();
else
under_load = !wg_birthdate_has_expired(last_under_load, 1);
---
after which the code uses 'under_load' to determine whether
or not to demand that handshake cookies be present.
The comment above 'last_under_load' says we don't care
about races on that unsynchronized global. I assume the rationale
here is that updates to last_under_load are always values from
ktime_get_boot_fast_ns(), and therefore observing a value
produced by a different cpu core won't produce meaningfully
different behavior. I agree that this is true on 64-bit hardware,
but I disagree that the race here is benign on 32-bit systems.
If the compiler decides to access the 8-byte storage with two
32-bit accesses, then it's possible that another thread could
observe the intermediate state in which one of the two words
has been updated. (I think you're most likely to observe this
behavior if wg_receive_handshake_packet is preempted, since
last_under_load shouldn't span cache lines.)
The thread that observes a 'torn' write to last_under_load may
not compute under_load as desired, and consequently drop a
handshake packet that it would have otherwise accepted.
I don't think performance would change meaningfully if
access to last_under_load was mediated with
atomic64_read()/atomic64_set(). On ARM, for example,
those macros will typically expand to a single ldrd/strd instruction, which is what you would want.
Let me know if I've analyzed this problem incorrectly.
Thanks!
Phil
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 509 bytes --]
[-- Attachment #2: Type: text/plain, Size: 148 bytes --]
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
reply other threads:[~2018-12-14 19:38 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='0oqG1T7qs16b0xaYr-Ms4h-ruPx_fLfU7or8BZoGmr5BZkbYPpBANDJz_yIr7tfxsxpFPTdDznDdjjLk6FMyoO2LPwhKI-uNZvmFtroeqbY=@sunfi.sh' \
--to=phil@sunfi.sh \
--cc=jason@zx2c4.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.