From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Luck, Tony" <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Borislav Petkov <bp@alien8.de>, stable <stable@vger.kernel.org>,
the arch/x86 maintainers <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Paul Mackerras <paulus@samba.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Erwin Tsaur <erwin.tsaur@intel.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
linux-nvdimm <linux-nvdimm@lists.01.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 0/2] Replace and improve "mcsafe" with copy_safe()
Date: Thu, 30 Apr 2020 12:50:40 -0700 [thread overview]
Message-ID: <CAHk-=wg0Sza8uzQHzJbdt7FFc7bRK+o1BB=VBUGrQEvVv6+23w@mail.gmail.com> (raw)
In-Reply-To: <20200430192258.GA24749@agluck-desk2.amr.corp.intel.com>
On Thu, Apr 30, 2020 at 12:23 PM Luck, Tony <tony.luck@intel.com> wrote:
>
> How about
>
> try_copy_catch(void *dst, void *src, size_t count, int *fault)
>
> returns number of bytes not-copied (like copy_to_user etc).
>
> if return is not zero, "fault" tells you what type of fault
> cause the early stop (#PF, #MC).
That just makes things worse.
The problem isn't "what fault did I get?".
The problem is "what is the point of this function?".
In other words, I want the code to explain _why_ it uses a particular function.
So the question the function should answer is not "Why did it take a
fault?", but "Why isn't this just a 'memcpy()'"?
When somebody writes
x = copy_to_user(a,b,c);
the "why is it not a memcpy" question never comes up, because the code
is obvious. It's not a memory copy, because it's copying to user
space, and user space is different!
In contrast, if you write
x = copy_safe(a,b,c);
then what is going on? There is no rhyme or reason to the call. Is the
source unsafe? Wny? Is the destination faulting? Why? Both? How?
So "copy_to_user()" _answers_ a question. But "copy_safe()" just
results in more questions. See the difference?
And notice that the "why did it fault" question is NOT about your
"what kind of fault did it take" question. That question is generally
pretty much uninteresting.
The question I want answered is "why is this function being called AT ALL".
Again, "copy_to_user()" can fail, and we know to check failure cases.
But more importantly, the _reason_ it can fail is obvious from the
name and from the use. There's no confusion about "why".
"copy_safe()"? or "try_copy_catch()"? No such thing. It doesn't answer
that fundamental "why" question.
And yes, this also has practical consequences. If you know that the
failure is due to the source being some special memory (and if we care
about the MC case with unaligned accesses), then the function in
question should probably strive to make those _source_ accesses be the
aligned ones. But if it's the destination that is special memory,
then it's the writes to the destination that should be aligned. If you
need both, you may need to be either mutually aligned, or do byte
accesses, or do special shifting copies. So it matters for any initial
alignment code (if the thing has alignment issues to begin with).
I haven't even gotten an answer to the "why would the write fail".
When I asked, Dan said
"writes can mmu-fault now that memcpy_mcsafe() is also used by
_copy_to_iter_mcsafe()"
but as mentioned, the only reason I can find for _that_ is that the
destination is user space.
In which case a "copy_safe()" absolutely could never work.
If I can't figure out the "why is this function used" or even figure
out why it needs the semantics it claims it needs, then there's a
problem.
Personally, I suspect that the *easiest* way to support the broken
nvdimm semantics is to not have a "copy" function at all as the basic
accessor model.
Why? Exactly because "copy" is not a fundamental well-defined action.
You get nasty combinatorial explosions of different things, where you
have three different kinds of sources (user, RAM, nvdimm) and three
different kinds of destinations.
And that's ignoring the whole "maybe you don't want to do a plain
copy, maybe you want to calculate a RAID checksum, or do a 'strcpy()'
or whatever". If those are ever issues, you get another explosion of
combinations.
The only *fundamental* access would likely be a single read/write
operation, not a copy operation. Think "get_user()" instead of
"copy_from_user()". Even there you get combinatorial explosions with
access sizes, but you can often generate those automatically or with
simple patterns, and then you can build up the copy functions from
that if you really need to.
Linus
_______________________________________________
Linux-nvdimm mailing list -- linux-nvdimm@lists.01.org
To unsubscribe send an email to linux-nvdimm-leave@lists.01.org
WARNING: multiple messages have this Message-ID (diff)
From: Linus Torvalds <torvalds@linux-foundation.org>
To: "Luck, Tony" <tony.luck@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Dan Williams <dan.j.williams@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Borislav Petkov <bp@alien8.de>, stable <stable@vger.kernel.org>,
"the arch/x86 maintainers" <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Paul Mackerras <paulus@samba.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Erwin Tsaur <erwin.tsaur@intel.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
linux-nvdimm <linux-nvdimm@lists.01.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v2 0/2] Replace and improve "mcsafe" with copy_safe()
Date: Thu, 30 Apr 2020 12:50:40 -0700 [thread overview]
Message-ID: <CAHk-=wg0Sza8uzQHzJbdt7FFc7bRK+o1BB=VBUGrQEvVv6+23w@mail.gmail.com> (raw)
In-Reply-To: <20200430192258.GA24749@agluck-desk2.amr.corp.intel.com>
On Thu, Apr 30, 2020 at 12:23 PM Luck, Tony <tony.luck@intel.com> wrote:
>
> How about
>
> try_copy_catch(void *dst, void *src, size_t count, int *fault)
>
> returns number of bytes not-copied (like copy_to_user etc).
>
> if return is not zero, "fault" tells you what type of fault
> cause the early stop (#PF, #MC).
That just makes things worse.
The problem isn't "what fault did I get?".
The problem is "what is the point of this function?".
In other words, I want the code to explain _why_ it uses a particular function.
So the question the function should answer is not "Why did it take a
fault?", but "Why isn't this just a 'memcpy()'"?
When somebody writes
x = copy_to_user(a,b,c);
the "why is it not a memcpy" question never comes up, because the code
is obvious. It's not a memory copy, because it's copying to user
space, and user space is different!
In contrast, if you write
x = copy_safe(a,b,c);
then what is going on? There is no rhyme or reason to the call. Is the
source unsafe? Wny? Is the destination faulting? Why? Both? How?
So "copy_to_user()" _answers_ a question. But "copy_safe()" just
results in more questions. See the difference?
And notice that the "why did it fault" question is NOT about your
"what kind of fault did it take" question. That question is generally
pretty much uninteresting.
The question I want answered is "why is this function being called AT ALL".
Again, "copy_to_user()" can fail, and we know to check failure cases.
But more importantly, the _reason_ it can fail is obvious from the
name and from the use. There's no confusion about "why".
"copy_safe()"? or "try_copy_catch()"? No such thing. It doesn't answer
that fundamental "why" question.
And yes, this also has practical consequences. If you know that the
failure is due to the source being some special memory (and if we care
about the MC case with unaligned accesses), then the function in
question should probably strive to make those _source_ accesses be the
aligned ones. But if it's the destination that is special memory,
then it's the writes to the destination that should be aligned. If you
need both, you may need to be either mutually aligned, or do byte
accesses, or do special shifting copies. So it matters for any initial
alignment code (if the thing has alignment issues to begin with).
I haven't even gotten an answer to the "why would the write fail".
When I asked, Dan said
"writes can mmu-fault now that memcpy_mcsafe() is also used by
_copy_to_iter_mcsafe()"
but as mentioned, the only reason I can find for _that_ is that the
destination is user space.
In which case a "copy_safe()" absolutely could never work.
If I can't figure out the "why is this function used" or even figure
out why it needs the semantics it claims it needs, then there's a
problem.
Personally, I suspect that the *easiest* way to support the broken
nvdimm semantics is to not have a "copy" function at all as the basic
accessor model.
Why? Exactly because "copy" is not a fundamental well-defined action.
You get nasty combinatorial explosions of different things, where you
have three different kinds of sources (user, RAM, nvdimm) and three
different kinds of destinations.
And that's ignoring the whole "maybe you don't want to do a plain
copy, maybe you want to calculate a RAID checksum, or do a 'strcpy()'
or whatever". If those are ever issues, you get another explosion of
combinations.
The only *fundamental* access would likely be a single read/write
operation, not a copy operation. Think "get_user()" instead of
"copy_from_user()". Even there you get combinatorial explosions with
access sizes, but you can often generate those automatically or with
simple patterns, and then you can build up the copy functions from
that if you really need to.
Linus
next prev parent reply other threads:[~2020-04-30 19:51 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-30 8:24 [PATCH v2 0/2] Replace and improve "mcsafe" with copy_safe() Dan Williams
2020-04-30 8:24 ` Dan Williams
2020-04-30 8:25 ` [PATCH v2 1/2] copy_safe: Rename memcpy_mcsafe() to copy_safe() Dan Williams
2020-04-30 8:25 ` Dan Williams
2020-05-01 2:55 ` Sasha Levin
2020-04-30 8:25 ` [PATCH v2 2/2] x86/copy_safe: Introduce copy_safe_fast() Dan Williams
2020-04-30 8:25 ` Dan Williams
2020-05-01 2:55 ` Sasha Levin
2020-04-30 14:02 ` [PATCH v2 0/2] Replace and improve "mcsafe" with copy_safe() Linus Torvalds
2020-04-30 14:02 ` Linus Torvalds
2020-04-30 16:51 ` Andy Lutomirski
2020-04-30 16:51 ` Andy Lutomirski
2020-04-30 17:17 ` Linus Torvalds
2020-04-30 17:17 ` Linus Torvalds
2020-04-30 18:42 ` Andy Lutomirski
2020-04-30 18:42 ` Andy Lutomirski
2020-04-30 19:22 ` Luck, Tony
2020-04-30 19:22 ` Luck, Tony
2020-04-30 19:50 ` Linus Torvalds [this message]
2020-04-30 19:50 ` Linus Torvalds
2020-04-30 20:25 ` Luck, Tony
2020-04-30 20:25 ` Luck, Tony
2020-04-30 23:52 ` Dan Williams
2020-04-30 23:52 ` Dan Williams
2020-05-01 0:10 ` Linus Torvalds
2020-05-01 0:10 ` Linus Torvalds
2020-05-01 0:23 ` Andy Lutomirski
2020-05-01 0:23 ` Andy Lutomirski
2020-05-01 0:39 ` Linus Torvalds
2020-05-01 0:39 ` Linus Torvalds
2020-05-01 1:10 ` Andy Lutomirski
2020-05-01 1:10 ` Andy Lutomirski
2020-05-01 14:09 ` Luck, Tony
2020-05-01 14:09 ` Luck, Tony
2020-05-03 0:29 ` Andy Lutomirski
2020-05-03 0:29 ` Andy Lutomirski
2020-05-04 20:05 ` Luck, Tony
2020-05-04 20:05 ` Luck, Tony
2020-05-04 20:26 ` Andy Lutomirski
2020-05-04 20:26 ` Andy Lutomirski
2020-05-04 21:30 ` Dan Williams
2020-05-04 21:30 ` Dan Williams
2020-05-01 0:24 ` Linus Torvalds
2020-05-01 0:24 ` Linus Torvalds
2020-05-01 1:20 ` Andy Lutomirski
2020-05-01 1:20 ` Andy Lutomirski
2020-05-01 1:21 ` Dan Williams
2020-05-01 1:21 ` Dan Williams
2020-05-01 18:28 ` Linus Torvalds
2020-05-01 18:28 ` Linus Torvalds
2020-05-01 20:17 ` Dave Hansen
2020-05-01 20:17 ` Dave Hansen
2020-05-03 12:57 ` David Laight
2020-05-03 12:57 ` David Laight
2020-05-04 18:33 ` Dan Williams
2020-05-04 18:33 ` Dan Williams
2020-05-11 15:24 ` Vivek Goyal
2020-05-11 15:24 ` Vivek Goyal
2020-04-30 19:51 ` Dan Williams
2020-04-30 19:51 ` Dan Williams
2020-04-30 20:07 ` Andy Lutomirski
2020-04-30 20:07 ` Andy Lutomirski
2020-05-01 7:46 ` David Laight
2020-05-01 7:46 ` David Laight
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wg0Sza8uzQHzJbdt7FFc7bRK+o1BB=VBUGrQEvVv6+23w@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=acme@kernel.org \
--cc=benh@kernel.crashing.org \
--cc=bp@alien8.de \
--cc=erwin.tsaur@intel.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-nvdimm@lists.01.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=mpe@ellerman.id.au \
--cc=paulus@samba.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.