On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> This patch adds logic to the kernel power code to zero out contents of
> all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> to any suspend state equal or greater/deeper than Suspend-to-memory,
> known as S3.

How does the application learn that its memory got wiped? S2disk is an
async operation and it can happen at any time during the task execution.
So how does the application work to prevent a corrupted state - e.g.
when suspended between two memory loads?
--
Michal Hocko
SUSE Labs
On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
>
> On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > This patch adds logic to the kernel power code to zero out contents of
> > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > known as S3.
>
> How does the application learn that its memory got wiped? S2disk is an
> async operation and it can happen at any time during the task execution.
> So how does the application work to prevent a corrupted state - e.g.
> when suspended between two memory loads?

This doesn't affect hibernation AFAICS, but system suspend
(suspend-to-RAM or suspend-to-idle, or standby) is async too.

I guess this calls for an interface to notify user space (that opted
in to receive such notifications) on system-wide suspend start and
finish.

Thanks!
On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
> On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > This patch adds logic to the kernel power code to zero out contents of
> > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > known as S3.
>
> How does the application learn that its memory got wiped? S2disk is an
> async operation and it can happen at any time during the task execution.
> So how does the application work to prevent a corrupted state - e.g.
> when suspended between two memory loads?

You can do it seqlock-style, kind of - you reserve the first byte of
the page or so as an "is this page initialized" marker, and after every
read from the page, you do a compiler barrier and check whether that
byte has been cleared.
On Fri 2020-07-03 15:29:22, Jann Horn wrote:
> On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
> > On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > > This patch adds logic to the kernel power code to zero out contents of
> > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > > known as S3.
> >
> > How does the application learn that its memory got wiped? S2disk is an
> > async operation and it can happen at any time during the task execution.
> > So how does the application work to prevent a corrupted state - e.g.
> > when suspended between two memory loads?
>
> You can do it seqlock-style, kind of - you reserve the first byte of
> the page or so as an "is this page initialized" marker, and after every
> read from the page, you do a compiler barrier and check whether that
> byte has been

That would also need SMP CPU barriers, and a guarantee that the first byte is
always ... cleared first, and matching barriers in kernel space, too, no?

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On Fri 2020-07-03 14:17:50, Rafael J. Wysocki wrote:
> On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
> >
> > On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > > This patch adds logic to the kernel power code to zero out contents of
> > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > > known as S3.
> >
> > How does the application learn that its memory got wiped? S2disk is an
> > async operation and it can happen at any time during the task execution.
> > So how does the application work to prevent a corrupted state - e.g.
> > when suspended between two memory loads?
>
> This doesn't affect hibernation AFAICS, but system suspend
> (suspend-to-RAM or suspend-to-idle, or standby) is async too.
>
> I guess this calls for an interface to notify user space (that opted
> in to receive such notifications) on system-wide suspend start and
> finish.

We could simply provide a file that would produce a single byte 'e' when
entering the suspend and a different byte 'x' when exiting... Not sure how
useful that would be for the crypto stuff...

Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On Fri 03-07-20 15:29:22, Jann Horn wrote:
> On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote:
> > On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote:
> > > This patch adds logic to the kernel power code to zero out contents of
> > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition
> > > to any suspend state equal or greater/deeper than Suspend-to-memory,
> > > known as S3.
> >
> > How does the application learn that its memory got wiped? S2disk is an
> > async operation and it can happen at any time during the task execution.
> > So how does the application work to prevent a corrupted state - e.g.
> > when suspended between two memory loads?
>
> You can do it seqlock-style, kind of - you reserve the first byte of
> the page or so as an "is this page initialized" marker, and after every
> read from the page, you do a compiler barrier and check whether that
> byte has been cleared.

This is certainly possible, yet a very awkward interface to use IMHO.
MADV_EXTERNALY_VOLATILE would express the actual semantic much better.

I might still not understand the expected usecase, but if the target
application has to be changed anyway then why not simply use a transparent
and proper signaling mechanism like poll on a fd. That would be certainly
a more natural and less error prone programming interface.
--
Michal Hocko
SUSE Labs
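The marker-byte check Jann sketches above, and which Michal and Pavel respond to, as an added userspace illustration that is not code from the thread or from the patch. MADV_WIPEONSUSPEND is a proposed flag with no value in mainline headers, so the page is plain memory here and the kernel's suspend-time zeroing is simulated by a function that clears the page; struct and function names are this example's own.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Added example of the "first byte is an initialized marker" scheme, not code
 * from the thread or the patch. MADV_WIPEONSUSPEND is a proposed flag that is
 * not in mainline headers, so the page is ordinary heap memory here and the
 * suspend-time zeroing is simulated by simulate_wipe(). */
#define PAGE_SZ 4096

struct wiped_page {
	_Atomic unsigned char valid;       /* 1 = initialized, 0 = wiped */
	unsigned char pad[7];
	unsigned char secret[PAGE_SZ - 8]; /* key material that must not survive suspend */
};
_Static_assert(sizeof(struct wiped_page) == PAGE_SZ, "layout must fill one page");

/* One page-aligned page; in real use this would be mmap()ed and madvise()d
 * with the proposed flag. */
static struct wiped_page *wp_alloc(void)
{
	return aligned_alloc(PAGE_SZ, PAGE_SZ);
}

/* Fill the secret first, then publish the marker with release ordering. */
static void wp_init(struct wiped_page *p, const unsigned char *key, size_t len)
{
	memcpy(p->secret, key, len);
	atomic_store_explicit(&p->valid, 1, memory_order_release);
}

/* Copy len bytes of the secret to out. Returns 1 if the copy is trustworthy,
 * 0 if the marker was clear before or after the read; out is then zeroed so a
 * stale or half-wiped buffer is never used as a key. The barrier stops the
 * compiler from hoisting the re-check above the memcpy; the acquire loads
 * only order the reader side (Pavel's point about matching kernel-side
 * barriers is not covered here). */
static int wp_read(struct wiped_page *p, unsigned char *out, size_t len)
{
	if (atomic_load_explicit(&p->valid, memory_order_acquire)) {
		memcpy(out, p->secret, len);
		__asm__ __volatile__("" ::: "memory");
		if (atomic_load_explicit(&p->valid, memory_order_acquire))
			return 1;
	}
	memset(out, 0, len);
	return 0;
}

/* Stand-in for the kernel zeroing the VMA on suspend. */
static void simulate_wipe(struct wiped_page *p) { memset(p, 0, PAGE_SZ); }
```

A caller that gets 0 back must treat the key as gone and re-derive it; the marker only tells the application that a wipe happened, it does not tell it when.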