Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On 9/19/2024 12:16 PM, Linus Torvalds wrote: > On Thu, 19 Sept 2024 at 00:44, Neeraj Upadhyay > wrote: >> >> While we were working on this problem, this refcount scalability issue got >> resolved recently with conditional ref acquisition [3] (however, there are >> new >> developments in apparmor code which might bring back the refcount problem >> [4]). > > Honestly, the various security layers should be a whole lot more > careful about their horrid performance issues, and I think that [4] > you point at needs to just be headed off at the pass. > > No more "the security layer is so bad at performance that we have to > introduce new ref mechanisms", please. Let's push back on bad security > layer code instead. > Ok got it. Thanks for your feedback! I had tried using percpu refcount first (in place of kref) in AppArmor. However, that required managing the last reference drop (implemented in [1] and [2]). Mateusz has shared some ideas in his reply to this thread. Maybe that is a workable solution. Will defer to John on this as I have limited understanding of the cred management code. - Neeraj > Linus
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On Thu, Sep 19, 2024 at 04:14:05AM +0530, Neeraj Upadhyay wrote:
> On 9/18/2024 12:48 PM, Linus Torvalds wrote:
> > On Tue, 17 Sept 2024 at 16:34, Boqun Feng wrote:
> >>
> >> This series introduces hazard pointers [1] to kernel space. A TL;DR
> >> description of hazard pointers is "a scalable refcounting mechanim
> >> with RCU-like API". More information can be found at [2].
> >
> > Please give actual "this is useful for X, and here is an actual real
> > load with numbers showing why it matters".
> >
>
> One of the use case where we had seen improvement is - Nginx
> web server throughput scalability with AppArmor enabled. For this use
> case we see refcount scalability problem when kref operations
> are done for AppArmor label object in Nginx worker's context. More
> details about this are captured @ [1] [2].
>
> When we switch from kref to hazard pointer in apparmor_file_open(),
> we see ~7% improvement in Nginx throughput for this use case.
>
> While we were working on this problem, this refcount scalability issue got
> resolved recently with conditional ref acquisition [3] (however, there are
> new
> developments in apparmor code which might bring back the refcount problem
> [4]).
>
The open/close thing is still serializing across different processes,
the slowdown just got lower. As in apparmor *as is* continues to be a
problem at big enough scale.
Per my messages in the area in the past, I'm confident this is fixable
with changing the refcount model to cache ref changes per-thread. I
employed this very scheme $elsewhere.
Since equivalent mechanism is applicable to creds this may want to be
implemented as something under lib/. I even started to work on it for
Linux, but real life got in the way and then I could not be arsed to
finish.
It is a little reminiscenet of per-cpu refs. Here is the outline again:
kref usage gets replaced with a touple of { kref users; s64 refs; }
task_struct grows a pointer to the cached label and refs counter on it
when a new thread is created it bumps users and stores the pointer. on
destruction it decrements users and rolls up the local changes.
Similarly, if it turns out the label has to change during thread's
lifetime, the same thing happens.
In pseudo-code for apparmor_file_open():
if (unlikely(current->aa_cached_label != check_label())) {
/* do a replacement here */
}
/* just bump the local counter, no synchronisation with other
* cpus in the common case */
current->aa_cached_label_refs++;
In apparmor_file_close():
/* common case fast path */
if (file->aa_label == current->aa_cached_label) {
current->aa_cached_label_refs--;
return;
}
/* we get here if apparmor got reconfigured or this is a file we
* inherited from another proc which had a different label and
* this is the last fput */
kref_put(file->aa_label);
Conceptually there is almost nothing to see here.
As outlined above stale labels would clear themselves out as threads
open files. However, a thread which stubborly refuses to call allocate a
new file obj may hold on to a stale label indefinitely.
One way to sort it out:
I presume there is a spot somewhere in user<->kernel transition handling
which updates the credentials pointer, should it have changed.
$elsewhere I patched it up with a "cow" generation counter. If not
matching with the real task struct you know you need to take the fast
path and check creds, apparmor and whatever else. No extra branches in
the fast path, but a new int does have to be read. Given that
task_struct is a little bit of a cluster fuck I don't think it's a
problem.
That would be a rough sketch, anyone interested can fill in the details.
This still performs serializing atomics in *certain* cases, but avoids
them in almost all cases and there is nothing complicated about this
that I see, just some effort to implement.
So I don't believe patching up RCU with hazard pointers is warranted if
apparmor is the only justification.
Anyway no ETA from my end, anyone interested is free to take the idea or
do better.
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On Thu, 19 Sept 2024 at 16:15, Christoph Hellwig wrote: > > Agreed. From the description this would seem like a good fit for > q_usage_counter in the block layer, which currently makes creative use > of percpu counters. Yes, if this actually could simplify code that currently used percpu counters, that might be lovely. The percpu counters often perform very well, but then have huge pain in either managing the percpu allocation, or in trying to synchronize across CPU's. I'd be a lot more interested in "we can fix complex code" than in "we have crappy code in bad subsystems where we can hide the performance impact of the subsystem not having been done right". Linus
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On Wed, Sep 18, 2024 at 09:18:43AM +0200, Linus Torvalds wrote: > On Tue, 17 Sept 2024 at 16:34, Boqun Feng wrote: > > > > This series introduces hazard pointers [1] to kernel space. A TL;DR > > description of hazard pointers is "a scalable refcounting mechanim > > with RCU-like API". More information can be found at [2]. > > Please give actual "this is useful for X, and here is an actual real > load with numbers showing why it matters". Agreed. From the description this would seem like a good fit for q_usage_counter in the block layer, which currently makes creative use of percpu counters.
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On Thu, 19 Sept 2024 at 00:44, Neeraj Upadhyay wrote: > > While we were working on this problem, this refcount scalability issue got > resolved recently with conditional ref acquisition [3] (however, there are > new > developments in apparmor code which might bring back the refcount problem > [4]). Honestly, the various security layers should be a whole lot more careful about their horrid performance issues, and I think that [4] you point at needs to just be headed off at the pass. No more "the security layer is so bad at performance that we have to introduce new ref mechanisms", please. Let's push back on bad security layer code instead. Linus
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On 9/18/2024 12:48 PM, Linus Torvalds wrote: > On Tue, 17 Sept 2024 at 16:34, Boqun Feng wrote: >> >> This series introduces hazard pointers [1] to kernel space. A TL;DR >> description of hazard pointers is "a scalable refcounting mechanim >> with RCU-like API". More information can be found at [2]. > > Please give actual "this is useful for X, and here is an actual real > load with numbers showing why it matters". > One of the use case where we had seen improvement is - Nginx web server throughput scalability with AppArmor enabled. For this use case we see refcount scalability problem when kref operations are done for AppArmor label object in Nginx worker's context. More details about this are captured @ [1] [2]. When we switch from kref to hazard pointer in apparmor_file_open(), we see ~7% improvement in Nginx throughput for this use case. While we were working on this problem, this refcount scalability issue got resolved recently with conditional ref acquisition [3] (however, there are new developments in apparmor code which might bring back the refcount problem [4]). [1] https://lore.kernel.org/lkml/20240110111856.87370-7-neeraj.upadh...@amd.com/T/ [2] https://lore.kernel.org/lkml/20240916050811.473556-1-neeraj.upadh...@amd.com/ [3] https://lore.kernel.org/lkml/20240620131524.156312-1-mjgu...@gmail.com/ [4] https://lore.kernel.org/lkml/71c0ea18-8b8b-402b-b03c-029aeedc2...@canonical.com/ - Neeraj > We don't just merge random infrastructure without a use-case and an > argument for it. > > Linus
Re: [RFC PATCH 0/4] Add hazard pointers to kernel
On Tue, 17 Sept 2024 at 16:34, Boqun Feng wrote: > > This series introduces hazard pointers [1] to kernel space. A TL;DR > description of hazard pointers is "a scalable refcounting mechanim > with RCU-like API". More information can be found at [2]. Please give actual "this is useful for X, and here is an actual real load with numbers showing why it matters". We don't just merge random infrastructure without a use-case and an argument for it. Linus
