From: Marco Elver <elver@google.com>
To: Will Deacon <will@kernel.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Sami Tolvanen <samitolvanen@google.com>,
Nick Desaulniers <ndesaulniers@google.com>,
Kees Cook <keescook@chromium.org>,
"Paul E. McKenney" <paulmck@kernel.org>,
Josh Triplett <josh@joshtriplett.org>,
Matt Turner <mattst88@gmail.com>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
Richard Henderson <rth@twiddle.net>,
Peter Zijlstra <peterz@infradead.org>,
Alan Stern <stern@rowland.harvard.edu>,
"Michael S. Tsirkin" <mst@redhat.com>,
Jason Wang <jasowang@redhat.com>, Arnd Bergmann <arnd@arndb.de>,
Boqun Feng <boqun.feng@gmail.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Mark Rutland <mark.rutland@arm.com>,
linux-arm-kernel@lists.infradead.org,
linux-alpha@vger.kernel.org,
virtualization@lists.linux-foundation.org,
Android Kernel Team <kernel-team@android.com>
Subject: Re: [PATCH 18/18] arm64: lto: Strengthen READ_ONCE() to acquire when CLANG_LTO=y
Date: Tue, 30 Jun 2020 21:47:30 +0200 [thread overview]
Message-ID: <CANpmjNPOO=AVsVJMdL8sq03jwHsDR_1_FfWccwaLKEBRn1RFtA@mail.gmail.com> (raw)
In-Reply-To: <20200630173734.14057-19-will@kernel.org>
On Tue, 30 Jun 2020 at 19:39, Will Deacon <will@kernel.org> wrote:
>
> When building with LTO, there is an increased risk of the compiler
> converting an address dependency headed by a READ_ONCE() invocation
> into a control dependency and consequently allowing for harmful
> reordering by the CPU.
>
> Ensure that such transformations are harmless by overriding the generic
> READ_ONCE() definition with one that provides acquire semantics when
> building with LTO.
>
> Signed-off-by: Will Deacon <will@kernel.org>
> ---
> arch/arm64/include/asm/rwonce.h | 63 +++++++++++++++++++++++++++++++
> arch/arm64/kernel/vdso/Makefile | 2 +-
> arch/arm64/kernel/vdso32/Makefile | 2 +-
> 3 files changed, 65 insertions(+), 2 deletions(-)
> create mode 100644 arch/arm64/include/asm/rwonce.h
This seems reasonable, given we can't realistically tell the compiler
about dependent loads. What (if any), is the performance impact? I
guess this also heavily depends on the actual silicon.
I do wonder, though, if there is some way to make the compiler do
something better for us. Clearly, implementing real
memory_order_consume hasn't worked out until today. But maybe the
compiler could promote dependent loads to acquires if it recognizes it
lost dependencies during optimizations. Just thinking out loud, it
probably still has some weird corner case that will break. ;-)
The other thing is that I'd be cautious blaming LTO, as I tried to
summarize here:
https://lore.kernel.org/kernel-hardening/20200630191931.GA884155@elver.google.com/
The main thing is that, yes, this might be something to be worried
about, but if we are worried about it, we need to be worried about it
in *all* builds (LTO or not). My guess is that's not acceptable. Would
it be better to just guard the promotion of READ_ONCE() to acquire
behind a config option like CONFIG_ACQUIRE_READ_DEPENDENCIES, and then
make LTO select that (or maybe leave it optional?). In future, for
very aggressive non-LTO compilers even, one may then also select that
if there is substantiated worry things do actually break.
Thanks,
-- Marco
next prev parent reply other threads:[~2020-06-30 19:47 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-30 17:37 [PATCH 00/18] Allow architectures to override __READ_ONCE() Will Deacon
2020-06-30 17:37 ` [PATCH 01/18] tools: bpf: Use local copy of headers including uapi/linux/filter.h Will Deacon
2020-07-01 16:38 ` Alexei Starovoitov
2020-06-30 17:37 ` [PATCH 02/18] compiler.h: Split {READ,WRITE}_ONCE definitions out into rwonce.h Will Deacon
2020-06-30 19:11 ` Arnd Bergmann
2020-07-01 10:16 ` Will Deacon
2020-07-01 11:33 ` Arnd Bergmann
2020-06-30 17:37 ` [PATCH 03/18] asm/rwonce: Allow __READ_ONCE to be overridden by the architecture Will Deacon
2020-06-30 17:37 ` [PATCH 04/18] alpha: Override READ_ONCE() with barriered implementation Will Deacon
2020-07-02 9:32 ` Mark Rutland
2020-07-02 9:48 ` Will Deacon
2020-07-02 10:08 ` Arnd Bergmann
2020-07-02 11:18 ` Will Deacon
2020-07-02 11:39 ` Arnd Bergmann
2020-07-02 14:43 ` Joel Fernandes
2020-07-02 14:55 ` Will Deacon
2020-07-02 15:07 ` Joel Fernandes
2020-06-30 17:37 ` [PATCH 05/18] asm/rwonce: Remove smp_read_barrier_depends() invocation Will Deacon
2020-06-30 17:37 ` [PATCH 06/18] vhost: Remove redundant use of read_barrier_depends() barrier Will Deacon
2020-06-30 17:37 ` [PATCH 07/18] alpha: Replace smp_read_barrier_depends() usage with smp_[r]mb() Will Deacon
2020-06-30 17:37 ` [PATCH 08/18] locking/barriers: Remove definitions for [smp_]read_barrier_depends() Will Deacon
2020-06-30 17:37 ` [PATCH 09/18] Documentation/barriers: Remove references to [smp_]read_barrier_depends() Will Deacon
2020-06-30 17:37 ` [PATCH 10/18] Documentation/barriers/kokr: " Will Deacon
2020-06-30 17:37 ` [PATCH 11/18] tools/memory-model: Remove smp_read_barrier_depends() from informal doc Will Deacon
2020-06-30 17:37 ` [PATCH 12/18] include/linux: Remove smp_read_barrier_depends() from comments Will Deacon
2020-06-30 17:37 ` [PATCH 13/18] checkpatch: Remove checks relating to [smp_]read_barrier_depends() Will Deacon
2020-06-30 17:37 ` [PATCH 14/18] arm64: Reduce the number of header files pulled into vmlinux.lds.S Will Deacon
2020-06-30 17:37 ` [PATCH 15/18] arm64: alternatives: Split up alternative.h Will Deacon
2020-06-30 17:37 ` [PATCH 16/18] arm64: cpufeatures: Add capability for LDAPR instruction Will Deacon
2020-06-30 17:37 ` [PATCH 17/18] arm64: alternatives: Remove READ_ONCE() usage during patch operation Will Deacon
2020-06-30 17:37 ` [PATCH 18/18] arm64: lto: Strengthen READ_ONCE() to acquire when CLANG_LTO=y Will Deacon
2020-06-30 19:25 ` Arnd Bergmann
2020-07-01 10:19 ` Will Deacon
2020-07-01 10:59 ` Arnd Bergmann
2020-06-30 19:47 ` Marco Elver [this message]
2020-06-30 20:20 ` Peter Zijlstra
2020-06-30 22:57 ` Sami Tolvanen
2020-07-01 10:25 ` Will Deacon
2020-07-01 10:24 ` Will Deacon
2020-07-01 17:07 ` Dave P Martin
2020-07-02 7:23 ` Will Deacon
2020-07-06 16:00 ` Dave Martin
2020-07-06 16:34 ` Paul E. McKenney
2020-07-06 17:05 ` Dave Martin
2020-07-06 17:36 ` Paul E. McKenney
2020-07-07 10:29 ` Dave Martin
2020-07-07 22:51 ` Paul E. McKenney
2020-07-07 23:01 ` Nick Desaulniers
2020-07-08 7:15 ` Marco Elver
2020-07-08 9:16 ` Peter Zijlstra
2020-07-08 18:20 ` Paul E. McKenney
2020-07-06 18:35 ` Will Deacon
2020-07-06 19:23 ` Marco Elver
2020-07-06 19:42 ` Paul E. McKenney
2020-07-06 16:08 ` Dave Martin
2020-07-06 18:35 ` Will Deacon
2020-07-07 10:10 ` Dave Martin
2020-07-01 7:38 ` [PATCH 00/18] Allow architectures to override __READ_ONCE() Josh Triplett
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANpmjNPOO=AVsVJMdL8sq03jwHsDR_1_FfWccwaLKEBRn1RFtA@mail.gmail.com' \
--to=elver@google.com \
--cc=arnd@arndb.de \
--cc=boqun.feng@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=ink@jurassic.park.msu.ru \
--cc=jasowang@redhat.com \
--cc=josh@joshtriplett.org \
--cc=keescook@chromium.org \
--cc=kernel-team@android.com \
--cc=linux-alpha@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
--cc=mattst88@gmail.com \
--cc=mst@redhat.com \
--cc=ndesaulniers@google.com \
--cc=paulmck@kernel.org \
--cc=peterz@infradead.org \
--cc=rth@twiddle.net \
--cc=samitolvanen@google.com \
--cc=stern@rowland.harvard.edu \
--cc=virtualization@lists.linux-foundation.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).