On Fri 03-07-20 15:29:22, Jann Horn wrote:> On Fri, Jul 3, 2020 at 1:30 PM Michal Hocko <mhocko at kernel.org> wrote: > > On Fri 03-07-20 10:34:09, Catangiu, Adrian Costin wrote: > > > This patch adds logic to the kernel power code to zero out contents of > > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition > > > to any suspend state equal or greater/deeper than Suspend-to-memory, > > > known as S3. > > > > How does the application learn that its memory got wiped? S2disk is an > > async operation and it can happen at any time during the task execution. > > So how does the application work to prevent from corrupted state - e.g. > > when suspended between two memory loads? > > You can do it seqlock-style, kind of - you reserve the first byte of > the page or so as a "is this page initialized" marker, and after every > read from the page, you do a compiler barrier and check whether that > byte has been cleared.This is certainly possible yet wery awkwar interface to use IMHO. MADV_EXTERNALY_VOLATILE would express the actual semantic much better. I might not still understand the expected usecase but if the target application has to be changed anyway then why not simply use a transparent and proper signaling mechanism like poll on a fd. That would be certainly a more natural and less error prone programming interface. -- Michal Hocko SUSE Labs
Hi!> > > > This patch adds logic to the kernel power code to zero out contents of > > > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition > > > > to any suspend state equal or greater/deeper than Suspend-to-memory, > > > > known as S3. > > > > > > How does the application learn that its memory got wiped? S2disk is an > > > async operation and it can happen at any time during the task execution. > > > So how does the application work to prevent from corrupted state - e.g. > > > when suspended between two memory loads? > > > > You can do it seqlock-style, kind of - you reserve the first byte of > > the page or so as a "is this page initialized" marker, and after every > > read from the page, you do a compiler barrier and check whether that > > byte has been cleared. > > This is certainly possible yet wery awkwar interface to use IMHO. > MADV_EXTERNALY_VOLATILE would express the actual semantic much better. > I might not still understand the expected usecase but if the target > application has to be changed anyway then why not simply use a > transparent and proper signaling mechanism like poll on a fd. ThatThe goal is to have cryprographically-safe get_random_number() with 0 syscalls. You'd need to do: if (!poll(did_i_migrate)) { use_prng_seed(); if (poll(did_i_migrate)) { /* oops_they_migrated_me_in_middle_of_computation, lets_redo_it() */ goto retry: } } Which means two syscalls.. Best regards, Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: Digital signature URL: <http://lists.linuxfoundation.org/pipermail/virtualization/attachments/20200707/72c6fe9f/attachment.sig>
On Tue 07-07-20 10:07:26, Pavel Machek wrote:> Hi! > > > > > > This patch adds logic to the kernel power code to zero out contents of > > > > > all MADV_WIPEONSUSPEND VMAs present in the system during its transition > > > > > to any suspend state equal or greater/deeper than Suspend-to-memory, > > > > > known as S3. > > > > > > > > How does the application learn that its memory got wiped? S2disk is an > > > > async operation and it can happen at any time during the task execution. > > > > So how does the application work to prevent from corrupted state - e.g. > > > > when suspended between two memory loads? > > > > > > You can do it seqlock-style, kind of - you reserve the first byte of > > > the page or so as a "is this page initialized" marker, and after every > > > read from the page, you do a compiler barrier and check whether that > > > byte has been cleared. > > > > This is certainly possible yet wery awkwar interface to use IMHO. > > MADV_EXTERNALY_VOLATILE would express the actual semantic much better. > > I might not still understand the expected usecase but if the target > > application has to be changed anyway then why not simply use a > > transparent and proper signaling mechanism like poll on a fd. That > > The goal is to have cryprographically-safe get_random_number() with 0 > syscalls. > > You'd need to do: > > if (!poll(did_i_migrate)) { > use_prng_seed(); > if (poll(did_i_migrate)) { > /* oops_they_migrated_me_in_middle_of_computation, > lets_redo_it() */ > goto retry: > } > } > > Which means two syscalls..Is this a real problem though? Do we have any actual numbers? E.g. how often does the migration happen so that 2 syscalls would be visible in actual workloads? -- Michal Hocko SUSE Labs