xref: /linux/Documentation/RCU/Design/Requirements/Requirements.rst (revision a1b9dbb72b7f39eeaa2fb5bd5cc619679985876e)
1ccc9971eSMauro Carvalho Chehab=================================
2ccc9971eSMauro Carvalho ChehabA Tour Through RCU's Requirements
3ccc9971eSMauro Carvalho Chehab=================================
4ccc9971eSMauro Carvalho Chehab
5ccc9971eSMauro Carvalho ChehabCopyright IBM Corporation, 2015
6ccc9971eSMauro Carvalho Chehab
7ccc9971eSMauro Carvalho ChehabAuthor: Paul E. McKenney
8ccc9971eSMauro Carvalho Chehab
9ccc9971eSMauro Carvalho ChehabThe initial version of this document appeared in the
10ccc9971eSMauro Carvalho Chehab`LWN <https://lwn.net/>`_ on those articles:
11ccc9971eSMauro Carvalho Chehab`part 1 <https://lwn.net/Articles/652156/>`_,
12ccc9971eSMauro Carvalho Chehab`part 2 <https://lwn.net/Articles/652677/>`_, and
13ccc9971eSMauro Carvalho Chehab`part 3 <https://lwn.net/Articles/653326/>`_.
14ccc9971eSMauro Carvalho Chehab
15ccc9971eSMauro Carvalho ChehabIntroduction
16ccc9971eSMauro Carvalho Chehab------------
17ccc9971eSMauro Carvalho Chehab
18ccc9971eSMauro Carvalho ChehabRead-copy update (RCU) is a synchronization mechanism that is often used
19ccc9971eSMauro Carvalho Chehabas a replacement for reader-writer locking. RCU is unusual in that
20ccc9971eSMauro Carvalho Chehabupdaters do not block readers, which means that RCU's read-side
21ccc9971eSMauro Carvalho Chehabprimitives can be exceedingly fast and scalable. In addition, updaters
22ccc9971eSMauro Carvalho Chehabcan make useful forward progress concurrently with readers. However, all
23ccc9971eSMauro Carvalho Chehabthis concurrency between RCU readers and updaters does raise the
24ccc9971eSMauro Carvalho Chehabquestion of exactly what RCU readers are doing, which in turn raises the
25ccc9971eSMauro Carvalho Chehabquestion of exactly what RCU's requirements are.
26ccc9971eSMauro Carvalho Chehab
27ccc9971eSMauro Carvalho ChehabThis document therefore summarizes RCU's requirements, and can be
28ccc9971eSMauro Carvalho Chehabthought of as an informal, high-level specification for RCU. It is
29ccc9971eSMauro Carvalho Chehabimportant to understand that RCU's specification is primarily empirical
30ccc9971eSMauro Carvalho Chehabin nature; in fact, I learned about many of these requirements the hard
31ccc9971eSMauro Carvalho Chehabway. This situation might cause some consternation, however, not only
32ccc9971eSMauro Carvalho Chehabhas this learning process been a lot of fun, but it has also been a
33ccc9971eSMauro Carvalho Chehabgreat privilege to work with so many people willing to apply
34ccc9971eSMauro Carvalho Chehabtechnologies in interesting new ways.
35ccc9971eSMauro Carvalho Chehab
36ccc9971eSMauro Carvalho ChehabAll that aside, here are the categories of currently known RCU
37ccc9971eSMauro Carvalho Chehabrequirements:
38ccc9971eSMauro Carvalho Chehab
3907335c16SJoel Fernandes (Google)#. `Fundamental Requirements`_
4007335c16SJoel Fernandes (Google)#. `Fundamental Non-Requirements`_
4107335c16SJoel Fernandes (Google)#. `Parallelism Facts of Life`_
4207335c16SJoel Fernandes (Google)#. `Quality-of-Implementation Requirements`_
4307335c16SJoel Fernandes (Google)#. `Linux Kernel Complications`_
4407335c16SJoel Fernandes (Google)#. `Software-Engineering Requirements`_
4507335c16SJoel Fernandes (Google)#. `Other RCU Flavors`_
4607335c16SJoel Fernandes (Google)#. `Possible Future Changes`_
47ccc9971eSMauro Carvalho Chehab
48ccc9971eSMauro Carvalho ChehabThis is followed by a `summary <#Summary>`__, however, the answers to
49ccc9971eSMauro Carvalho Chehabeach quick quiz immediately follows the quiz. Select the big white space
50ccc9971eSMauro Carvalho Chehabwith your mouse to see the answer.
51ccc9971eSMauro Carvalho Chehab
52ccc9971eSMauro Carvalho ChehabFundamental Requirements
53ccc9971eSMauro Carvalho Chehab------------------------
54ccc9971eSMauro Carvalho Chehab
55ccc9971eSMauro Carvalho ChehabRCU's fundamental requirements are the closest thing RCU has to hard
56ccc9971eSMauro Carvalho Chehabmathematical requirements. These are:
57ccc9971eSMauro Carvalho Chehab
5807335c16SJoel Fernandes (Google)#. `Grace-Period Guarantee`_
5907335c16SJoel Fernandes (Google)#. `Publish/Subscribe Guarantee`_
6007335c16SJoel Fernandes (Google)#. `Memory-Barrier Guarantees`_
6107335c16SJoel Fernandes (Google)#. `RCU Primitives Guaranteed to Execute Unconditionally`_
6207335c16SJoel Fernandes (Google)#. `Guaranteed Read-to-Write Upgrade`_
63ccc9971eSMauro Carvalho Chehab
64ccc9971eSMauro Carvalho ChehabGrace-Period Guarantee
65ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~
66ccc9971eSMauro Carvalho Chehab
67ccc9971eSMauro Carvalho ChehabRCU's grace-period guarantee is unusual in being premeditated: Jack
68ccc9971eSMauro Carvalho ChehabSlingwine and I had this guarantee firmly in mind when we started work
69ccc9971eSMauro Carvalho Chehabon RCU (then called “rclock”) in the early 1990s. That said, the past
70ccc9971eSMauro Carvalho Chehabtwo decades of experience with RCU have produced a much more detailed
71ccc9971eSMauro Carvalho Chehabunderstanding of this guarantee.
72ccc9971eSMauro Carvalho Chehab
73ccc9971eSMauro Carvalho ChehabRCU's grace-period guarantee allows updaters to wait for the completion
74ccc9971eSMauro Carvalho Chehabof all pre-existing RCU read-side critical sections. An RCU read-side
75ccc9971eSMauro Carvalho Chehabcritical section begins with the marker ``rcu_read_lock()`` and ends
76ccc9971eSMauro Carvalho Chehabwith the marker ``rcu_read_unlock()``. These markers may be nested, and
77ccc9971eSMauro Carvalho ChehabRCU treats a nested set as one big RCU read-side critical section.
78ccc9971eSMauro Carvalho ChehabProduction-quality implementations of ``rcu_read_lock()`` and
79ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()`` are extremely lightweight, and in fact have
80ccc9971eSMauro Carvalho Chehabexactly zero overhead in Linux kernels built for production use with
81ccc9971eSMauro Carvalho Chehab``CONFIG_PREEMPT=n``.
82ccc9971eSMauro Carvalho Chehab
83ccc9971eSMauro Carvalho ChehabThis guarantee allows ordering to be enforced with extremely low
84ccc9971eSMauro Carvalho Chehaboverhead to readers, for example:
85ccc9971eSMauro Carvalho Chehab
86ccc9971eSMauro Carvalho Chehab   ::
87ccc9971eSMauro Carvalho Chehab
88ccc9971eSMauro Carvalho Chehab       1 int x, y;
89ccc9971eSMauro Carvalho Chehab       2
90ccc9971eSMauro Carvalho Chehab       3 void thread0(void)
91ccc9971eSMauro Carvalho Chehab       4 {
92ccc9971eSMauro Carvalho Chehab       5   rcu_read_lock();
93ccc9971eSMauro Carvalho Chehab       6   r1 = READ_ONCE(x);
94ccc9971eSMauro Carvalho Chehab       7   r2 = READ_ONCE(y);
95ccc9971eSMauro Carvalho Chehab       8   rcu_read_unlock();
96ccc9971eSMauro Carvalho Chehab       9 }
97ccc9971eSMauro Carvalho Chehab      10
98ccc9971eSMauro Carvalho Chehab      11 void thread1(void)
99ccc9971eSMauro Carvalho Chehab      12 {
100ccc9971eSMauro Carvalho Chehab      13   WRITE_ONCE(x, 1);
101ccc9971eSMauro Carvalho Chehab      14   synchronize_rcu();
102ccc9971eSMauro Carvalho Chehab      15   WRITE_ONCE(y, 1);
103ccc9971eSMauro Carvalho Chehab      16 }
104ccc9971eSMauro Carvalho Chehab
105ccc9971eSMauro Carvalho ChehabBecause the ``synchronize_rcu()`` on line 14 waits for all pre-existing
106ccc9971eSMauro Carvalho Chehabreaders, any instance of ``thread0()`` that loads a value of zero from
107ccc9971eSMauro Carvalho Chehab``x`` must complete before ``thread1()`` stores to ``y``, so that
108ccc9971eSMauro Carvalho Chehabinstance must also load a value of zero from ``y``. Similarly, any
109ccc9971eSMauro Carvalho Chehabinstance of ``thread0()`` that loads a value of one from ``y`` must have
110ccc9971eSMauro Carvalho Chehabstarted after the ``synchronize_rcu()`` started, and must therefore also
111ccc9971eSMauro Carvalho Chehabload a value of one from ``x``. Therefore, the outcome:
112ccc9971eSMauro Carvalho Chehab
113ccc9971eSMauro Carvalho Chehab   ::
114ccc9971eSMauro Carvalho Chehab
115ccc9971eSMauro Carvalho Chehab      (r1 == 0 && r2 == 1)
116ccc9971eSMauro Carvalho Chehab
117ccc9971eSMauro Carvalho Chehabcannot happen.
118ccc9971eSMauro Carvalho Chehab
119ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
120ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
121ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
122ccc9971eSMauro Carvalho Chehab| Wait a minute! You said that updaters can make useful forward         |
123ccc9971eSMauro Carvalho Chehab| progress concurrently with readers, but pre-existing readers will     |
124ccc9971eSMauro Carvalho Chehab| block ``synchronize_rcu()``!!!                                        |
125ccc9971eSMauro Carvalho Chehab| Just who are you trying to fool???                                    |
126ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
127ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
128ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
129ccc9971eSMauro Carvalho Chehab| First, if updaters do not wish to be blocked by readers, they can use |
130ccc9971eSMauro Carvalho Chehab| ``call_rcu()`` or ``kfree_rcu()``, which will be discussed later.     |
131ccc9971eSMauro Carvalho Chehab| Second, even when using ``synchronize_rcu()``, the other update-side  |
132ccc9971eSMauro Carvalho Chehab| code does run concurrently with readers, whether pre-existing or not. |
133ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
134ccc9971eSMauro Carvalho Chehab
135ccc9971eSMauro Carvalho ChehabThis scenario resembles one of the first uses of RCU in
136ccc9971eSMauro Carvalho Chehab`DYNIX/ptx <https://en.wikipedia.org/wiki/DYNIX>`__, which managed a
137ccc9971eSMauro Carvalho Chehabdistributed lock manager's transition into a state suitable for handling
138ccc9971eSMauro Carvalho Chehabrecovery from node failure, more or less as follows:
139ccc9971eSMauro Carvalho Chehab
140ccc9971eSMauro Carvalho Chehab   ::
141ccc9971eSMauro Carvalho Chehab
142ccc9971eSMauro Carvalho Chehab       1 #define STATE_NORMAL        0
143ccc9971eSMauro Carvalho Chehab       2 #define STATE_WANT_RECOVERY 1
144ccc9971eSMauro Carvalho Chehab       3 #define STATE_RECOVERING    2
145ccc9971eSMauro Carvalho Chehab       4 #define STATE_WANT_NORMAL   3
146ccc9971eSMauro Carvalho Chehab       5
147ccc9971eSMauro Carvalho Chehab       6 int state = STATE_NORMAL;
148ccc9971eSMauro Carvalho Chehab       7
149ccc9971eSMauro Carvalho Chehab       8 void do_something_dlm(void)
150ccc9971eSMauro Carvalho Chehab       9 {
151ccc9971eSMauro Carvalho Chehab      10   int state_snap;
152ccc9971eSMauro Carvalho Chehab      11
153ccc9971eSMauro Carvalho Chehab      12   rcu_read_lock();
154ccc9971eSMauro Carvalho Chehab      13   state_snap = READ_ONCE(state);
155ccc9971eSMauro Carvalho Chehab      14   if (state_snap == STATE_NORMAL)
156ccc9971eSMauro Carvalho Chehab      15     do_something();
157ccc9971eSMauro Carvalho Chehab      16   else
158ccc9971eSMauro Carvalho Chehab      17     do_something_carefully();
159ccc9971eSMauro Carvalho Chehab      18   rcu_read_unlock();
160ccc9971eSMauro Carvalho Chehab      19 }
161ccc9971eSMauro Carvalho Chehab      20
162ccc9971eSMauro Carvalho Chehab      21 void start_recovery(void)
163ccc9971eSMauro Carvalho Chehab      22 {
164ccc9971eSMauro Carvalho Chehab      23   WRITE_ONCE(state, STATE_WANT_RECOVERY);
165ccc9971eSMauro Carvalho Chehab      24   synchronize_rcu();
166ccc9971eSMauro Carvalho Chehab      25   WRITE_ONCE(state, STATE_RECOVERING);
167ccc9971eSMauro Carvalho Chehab      26   recovery();
168ccc9971eSMauro Carvalho Chehab      27   WRITE_ONCE(state, STATE_WANT_NORMAL);
169ccc9971eSMauro Carvalho Chehab      28   synchronize_rcu();
170ccc9971eSMauro Carvalho Chehab      29   WRITE_ONCE(state, STATE_NORMAL);
171ccc9971eSMauro Carvalho Chehab      30 }
172ccc9971eSMauro Carvalho Chehab
173ccc9971eSMauro Carvalho ChehabThe RCU read-side critical section in ``do_something_dlm()`` works with
174ccc9971eSMauro Carvalho Chehabthe ``synchronize_rcu()`` in ``start_recovery()`` to guarantee that
175ccc9971eSMauro Carvalho Chehab``do_something()`` never runs concurrently with ``recovery()``, but with
176ccc9971eSMauro Carvalho Chehablittle or no synchronization overhead in ``do_something_dlm()``.
177ccc9971eSMauro Carvalho Chehab
178ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
179ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
180ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
181ccc9971eSMauro Carvalho Chehab| Why is the ``synchronize_rcu()`` on line 28 needed?                   |
182ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
183ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
184ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
185ccc9971eSMauro Carvalho Chehab| Without that extra grace period, memory reordering could result in    |
186ccc9971eSMauro Carvalho Chehab| ``do_something_dlm()`` executing ``do_something()`` concurrently with |
187ccc9971eSMauro Carvalho Chehab| the last bits of ``recovery()``.                                      |
188ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
189ccc9971eSMauro Carvalho Chehab
190ccc9971eSMauro Carvalho ChehabIn order to avoid fatal problems such as deadlocks, an RCU read-side
191ccc9971eSMauro Carvalho Chehabcritical section must not contain calls to ``synchronize_rcu()``.
192ccc9971eSMauro Carvalho ChehabSimilarly, an RCU read-side critical section must not contain anything
193ccc9971eSMauro Carvalho Chehabthat waits, directly or indirectly, on completion of an invocation of
194ccc9971eSMauro Carvalho Chehab``synchronize_rcu()``.
195ccc9971eSMauro Carvalho Chehab
196ccc9971eSMauro Carvalho ChehabAlthough RCU's grace-period guarantee is useful in and of itself, with
197ccc9971eSMauro Carvalho Chehab`quite a few use cases <https://lwn.net/Articles/573497/>`__, it would
198ccc9971eSMauro Carvalho Chehabbe good to be able to use RCU to coordinate read-side access to linked
199ccc9971eSMauro Carvalho Chehabdata structures. For this, the grace-period guarantee is not sufficient,
200ccc9971eSMauro Carvalho Chehabas can be seen in function ``add_gp_buggy()`` below. We will look at the
201ccc9971eSMauro Carvalho Chehabreader's code later, but in the meantime, just think of the reader as
202ccc9971eSMauro Carvalho Chehablocklessly picking up the ``gp`` pointer, and, if the value loaded is
203ccc9971eSMauro Carvalho Chehabnon-\ ``NULL``, locklessly accessing the ``->a`` and ``->b`` fields.
204ccc9971eSMauro Carvalho Chehab
205ccc9971eSMauro Carvalho Chehab   ::
206ccc9971eSMauro Carvalho Chehab
207ccc9971eSMauro Carvalho Chehab       1 bool add_gp_buggy(int a, int b)
208ccc9971eSMauro Carvalho Chehab       2 {
209ccc9971eSMauro Carvalho Chehab       3   p = kmalloc(sizeof(*p), GFP_KERNEL);
210ccc9971eSMauro Carvalho Chehab       4   if (!p)
211ccc9971eSMauro Carvalho Chehab       5     return -ENOMEM;
212ccc9971eSMauro Carvalho Chehab       6   spin_lock(&gp_lock);
213ccc9971eSMauro Carvalho Chehab       7   if (rcu_access_pointer(gp)) {
214ccc9971eSMauro Carvalho Chehab       8     spin_unlock(&gp_lock);
215ccc9971eSMauro Carvalho Chehab       9     return false;
216ccc9971eSMauro Carvalho Chehab      10   }
217ccc9971eSMauro Carvalho Chehab      11   p->a = a;
218ccc9971eSMauro Carvalho Chehab      12   p->b = a;
219ccc9971eSMauro Carvalho Chehab      13   gp = p; /* ORDERING BUG */
220ccc9971eSMauro Carvalho Chehab      14   spin_unlock(&gp_lock);
221ccc9971eSMauro Carvalho Chehab      15   return true;
222ccc9971eSMauro Carvalho Chehab      16 }
223ccc9971eSMauro Carvalho Chehab
224ccc9971eSMauro Carvalho ChehabThe problem is that both the compiler and weakly ordered CPUs are within
225ccc9971eSMauro Carvalho Chehabtheir rights to reorder this code as follows:
226ccc9971eSMauro Carvalho Chehab
227ccc9971eSMauro Carvalho Chehab   ::
228ccc9971eSMauro Carvalho Chehab
229ccc9971eSMauro Carvalho Chehab       1 bool add_gp_buggy_optimized(int a, int b)
230ccc9971eSMauro Carvalho Chehab       2 {
231ccc9971eSMauro Carvalho Chehab       3   p = kmalloc(sizeof(*p), GFP_KERNEL);
232ccc9971eSMauro Carvalho Chehab       4   if (!p)
233ccc9971eSMauro Carvalho Chehab       5     return -ENOMEM;
234ccc9971eSMauro Carvalho Chehab       6   spin_lock(&gp_lock);
235ccc9971eSMauro Carvalho Chehab       7   if (rcu_access_pointer(gp)) {
236ccc9971eSMauro Carvalho Chehab       8     spin_unlock(&gp_lock);
237ccc9971eSMauro Carvalho Chehab       9     return false;
238ccc9971eSMauro Carvalho Chehab      10   }
239ccc9971eSMauro Carvalho Chehab      11   gp = p; /* ORDERING BUG */
240ccc9971eSMauro Carvalho Chehab      12   p->a = a;
241ccc9971eSMauro Carvalho Chehab      13   p->b = a;
242ccc9971eSMauro Carvalho Chehab      14   spin_unlock(&gp_lock);
243ccc9971eSMauro Carvalho Chehab      15   return true;
244ccc9971eSMauro Carvalho Chehab      16 }
245ccc9971eSMauro Carvalho Chehab
246ccc9971eSMauro Carvalho ChehabIf an RCU reader fetches ``gp`` just after ``add_gp_buggy_optimized``
247ccc9971eSMauro Carvalho Chehabexecutes line 11, it will see garbage in the ``->a`` and ``->b`` fields.
248ccc9971eSMauro Carvalho ChehabAnd this is but one of many ways in which compiler and hardware
249ccc9971eSMauro Carvalho Chehaboptimizations could cause trouble. Therefore, we clearly need some way
250ccc9971eSMauro Carvalho Chehabto prevent the compiler and the CPU from reordering in this manner,
251ccc9971eSMauro Carvalho Chehabwhich brings us to the publish-subscribe guarantee discussed in the next
252ccc9971eSMauro Carvalho Chehabsection.
253ccc9971eSMauro Carvalho Chehab
254ccc9971eSMauro Carvalho ChehabPublish/Subscribe Guarantee
255ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~
256ccc9971eSMauro Carvalho Chehab
257ccc9971eSMauro Carvalho ChehabRCU's publish-subscribe guarantee allows data to be inserted into a
258ccc9971eSMauro Carvalho Chehablinked data structure without disrupting RCU readers. The updater uses
259ccc9971eSMauro Carvalho Chehab``rcu_assign_pointer()`` to insert the new data, and readers use
260ccc9971eSMauro Carvalho Chehab``rcu_dereference()`` to access data, whether new or old. The following
261ccc9971eSMauro Carvalho Chehabshows an example of insertion:
262ccc9971eSMauro Carvalho Chehab
263ccc9971eSMauro Carvalho Chehab   ::
264ccc9971eSMauro Carvalho Chehab
265ccc9971eSMauro Carvalho Chehab       1 bool add_gp(int a, int b)
266ccc9971eSMauro Carvalho Chehab       2 {
267ccc9971eSMauro Carvalho Chehab       3   p = kmalloc(sizeof(*p), GFP_KERNEL);
268ccc9971eSMauro Carvalho Chehab       4   if (!p)
269ccc9971eSMauro Carvalho Chehab       5     return -ENOMEM;
270ccc9971eSMauro Carvalho Chehab       6   spin_lock(&gp_lock);
271ccc9971eSMauro Carvalho Chehab       7   if (rcu_access_pointer(gp)) {
272ccc9971eSMauro Carvalho Chehab       8     spin_unlock(&gp_lock);
273ccc9971eSMauro Carvalho Chehab       9     return false;
274ccc9971eSMauro Carvalho Chehab      10   }
275ccc9971eSMauro Carvalho Chehab      11   p->a = a;
276ccc9971eSMauro Carvalho Chehab      12   p->b = a;
277ccc9971eSMauro Carvalho Chehab      13   rcu_assign_pointer(gp, p);
278ccc9971eSMauro Carvalho Chehab      14   spin_unlock(&gp_lock);
279ccc9971eSMauro Carvalho Chehab      15   return true;
280ccc9971eSMauro Carvalho Chehab      16 }
281ccc9971eSMauro Carvalho Chehab
282ccc9971eSMauro Carvalho ChehabThe ``rcu_assign_pointer()`` on line 13 is conceptually equivalent to a
283ccc9971eSMauro Carvalho Chehabsimple assignment statement, but also guarantees that its assignment
284ccc9971eSMauro Carvalho Chehabwill happen after the two assignments in lines 11 and 12, similar to the
285ccc9971eSMauro Carvalho ChehabC11 ``memory_order_release`` store operation. It also prevents any
286ccc9971eSMauro Carvalho Chehabnumber of “interesting” compiler optimizations, for example, the use of
287ccc9971eSMauro Carvalho Chehab``gp`` as a scratch location immediately preceding the assignment.
288ccc9971eSMauro Carvalho Chehab
289ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
290ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
291ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
292ccc9971eSMauro Carvalho Chehab| But ``rcu_assign_pointer()`` does nothing to prevent the two          |
293ccc9971eSMauro Carvalho Chehab| assignments to ``p->a`` and ``p->b`` from being reordered. Can't that |
294ccc9971eSMauro Carvalho Chehab| also cause problems?                                                  |
295ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
296ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
297ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
298ccc9971eSMauro Carvalho Chehab| No, it cannot. The readers cannot see either of these two fields      |
299ccc9971eSMauro Carvalho Chehab| until the assignment to ``gp``, by which time both fields are fully   |
300ccc9971eSMauro Carvalho Chehab| initialized. So reordering the assignments to ``p->a`` and ``p->b``   |
301ccc9971eSMauro Carvalho Chehab| cannot possibly cause any problems.                                   |
302ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
303ccc9971eSMauro Carvalho Chehab
304ccc9971eSMauro Carvalho ChehabIt is tempting to assume that the reader need not do anything special to
305ccc9971eSMauro Carvalho Chehabcontrol its accesses to the RCU-protected data, as shown in
306ccc9971eSMauro Carvalho Chehab``do_something_gp_buggy()`` below:
307ccc9971eSMauro Carvalho Chehab
308ccc9971eSMauro Carvalho Chehab   ::
309ccc9971eSMauro Carvalho Chehab
310ccc9971eSMauro Carvalho Chehab       1 bool do_something_gp_buggy(void)
311ccc9971eSMauro Carvalho Chehab       2 {
312ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
313ccc9971eSMauro Carvalho Chehab       4   p = gp;  /* OPTIMIZATIONS GALORE!!! */
314ccc9971eSMauro Carvalho Chehab       5   if (p) {
315ccc9971eSMauro Carvalho Chehab       6     do_something(p->a, p->b);
316ccc9971eSMauro Carvalho Chehab       7     rcu_read_unlock();
317ccc9971eSMauro Carvalho Chehab       8     return true;
318ccc9971eSMauro Carvalho Chehab       9   }
319ccc9971eSMauro Carvalho Chehab      10   rcu_read_unlock();
320ccc9971eSMauro Carvalho Chehab      11   return false;
321ccc9971eSMauro Carvalho Chehab      12 }
322ccc9971eSMauro Carvalho Chehab
323ccc9971eSMauro Carvalho ChehabHowever, this temptation must be resisted because there are a
324ccc9971eSMauro Carvalho Chehabsurprisingly large number of ways that the compiler (to say nothing of
325ccc9971eSMauro Carvalho Chehab`DEC Alpha CPUs <https://h71000.www7.hp.com/wizard/wiz_2637.html>`__)
326ccc9971eSMauro Carvalho Chehabcan trip this code up. For but one example, if the compiler were short
327ccc9971eSMauro Carvalho Chehabof registers, it might choose to refetch from ``gp`` rather than keeping
328ccc9971eSMauro Carvalho Chehaba separate copy in ``p`` as follows:
329ccc9971eSMauro Carvalho Chehab
330ccc9971eSMauro Carvalho Chehab   ::
331ccc9971eSMauro Carvalho Chehab
332ccc9971eSMauro Carvalho Chehab       1 bool do_something_gp_buggy_optimized(void)
333ccc9971eSMauro Carvalho Chehab       2 {
334ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
335ccc9971eSMauro Carvalho Chehab       4   if (gp) { /* OPTIMIZATIONS GALORE!!! */
336ccc9971eSMauro Carvalho Chehab       5     do_something(gp->a, gp->b);
337ccc9971eSMauro Carvalho Chehab       6     rcu_read_unlock();
338ccc9971eSMauro Carvalho Chehab       7     return true;
339ccc9971eSMauro Carvalho Chehab       8   }
340ccc9971eSMauro Carvalho Chehab       9   rcu_read_unlock();
341ccc9971eSMauro Carvalho Chehab      10   return false;
342ccc9971eSMauro Carvalho Chehab      11 }
343ccc9971eSMauro Carvalho Chehab
344ccc9971eSMauro Carvalho ChehabIf this function ran concurrently with a series of updates that replaced
345ccc9971eSMauro Carvalho Chehabthe current structure with a new one, the fetches of ``gp->a`` and
346ccc9971eSMauro Carvalho Chehab``gp->b`` might well come from two different structures, which could
347ccc9971eSMauro Carvalho Chehabcause serious confusion. To prevent this (and much else besides),
348ccc9971eSMauro Carvalho Chehab``do_something_gp()`` uses ``rcu_dereference()`` to fetch from ``gp``:
349ccc9971eSMauro Carvalho Chehab
350ccc9971eSMauro Carvalho Chehab   ::
351ccc9971eSMauro Carvalho Chehab
352ccc9971eSMauro Carvalho Chehab       1 bool do_something_gp(void)
353ccc9971eSMauro Carvalho Chehab       2 {
354ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
355ccc9971eSMauro Carvalho Chehab       4   p = rcu_dereference(gp);
356ccc9971eSMauro Carvalho Chehab       5   if (p) {
357ccc9971eSMauro Carvalho Chehab       6     do_something(p->a, p->b);
358ccc9971eSMauro Carvalho Chehab       7     rcu_read_unlock();
359ccc9971eSMauro Carvalho Chehab       8     return true;
360ccc9971eSMauro Carvalho Chehab       9   }
361ccc9971eSMauro Carvalho Chehab      10   rcu_read_unlock();
362ccc9971eSMauro Carvalho Chehab      11   return false;
363ccc9971eSMauro Carvalho Chehab      12 }
364ccc9971eSMauro Carvalho Chehab
365ccc9971eSMauro Carvalho ChehabThe ``rcu_dereference()`` uses volatile casts and (for DEC Alpha) memory
366ccc9971eSMauro Carvalho Chehabbarriers in the Linux kernel. Should a `high-quality implementation of
367ccc9971eSMauro Carvalho ChehabC11 ``memory_order_consume``
368ccc9971eSMauro Carvalho Chehab[PDF] <http://www.rdrop.com/users/paulmck/RCU/consume.2015.07.13a.pdf>`__
369ccc9971eSMauro Carvalho Chehabever appear, then ``rcu_dereference()`` could be implemented as a
370ccc9971eSMauro Carvalho Chehab``memory_order_consume`` load. Regardless of the exact implementation, a
371ccc9971eSMauro Carvalho Chehabpointer fetched by ``rcu_dereference()`` may not be used outside of the
372ccc9971eSMauro Carvalho Chehaboutermost RCU read-side critical section containing that
373ccc9971eSMauro Carvalho Chehab``rcu_dereference()``, unless protection of the corresponding data
374ccc9971eSMauro Carvalho Chehabelement has been passed from RCU to some other synchronization
375ccc9971eSMauro Carvalho Chehabmechanism, most commonly locking or `reference
376ccc9971eSMauro Carvalho Chehabcounting <https://www.kernel.org/doc/Documentation/RCU/rcuref.txt>`__.
377ccc9971eSMauro Carvalho Chehab
378ccc9971eSMauro Carvalho ChehabIn short, updaters use ``rcu_assign_pointer()`` and readers use
379ccc9971eSMauro Carvalho Chehab``rcu_dereference()``, and these two RCU API elements work together to
380ccc9971eSMauro Carvalho Chehabensure that readers have a consistent view of newly added data elements.
381ccc9971eSMauro Carvalho Chehab
382ccc9971eSMauro Carvalho ChehabOf course, it is also necessary to remove elements from RCU-protected
383ccc9971eSMauro Carvalho Chehabdata structures, for example, using the following process:
384ccc9971eSMauro Carvalho Chehab
385ccc9971eSMauro Carvalho Chehab#. Remove the data element from the enclosing structure.
386ccc9971eSMauro Carvalho Chehab#. Wait for all pre-existing RCU read-side critical sections to complete
387ccc9971eSMauro Carvalho Chehab   (because only pre-existing readers can possibly have a reference to
388ccc9971eSMauro Carvalho Chehab   the newly removed data element).
389ccc9971eSMauro Carvalho Chehab#. At this point, only the updater has a reference to the newly removed
390ccc9971eSMauro Carvalho Chehab   data element, so it can safely reclaim the data element, for example,
391ccc9971eSMauro Carvalho Chehab   by passing it to ``kfree()``.
392ccc9971eSMauro Carvalho Chehab
393ccc9971eSMauro Carvalho ChehabThis process is implemented by ``remove_gp_synchronous()``:
394ccc9971eSMauro Carvalho Chehab
395ccc9971eSMauro Carvalho Chehab   ::
396ccc9971eSMauro Carvalho Chehab
397ccc9971eSMauro Carvalho Chehab       1 bool remove_gp_synchronous(void)
398ccc9971eSMauro Carvalho Chehab       2 {
399ccc9971eSMauro Carvalho Chehab       3   struct foo *p;
400ccc9971eSMauro Carvalho Chehab       4
401ccc9971eSMauro Carvalho Chehab       5   spin_lock(&gp_lock);
402ccc9971eSMauro Carvalho Chehab       6   p = rcu_access_pointer(gp);
403ccc9971eSMauro Carvalho Chehab       7   if (!p) {
404ccc9971eSMauro Carvalho Chehab       8     spin_unlock(&gp_lock);
405ccc9971eSMauro Carvalho Chehab       9     return false;
406ccc9971eSMauro Carvalho Chehab      10   }
407ccc9971eSMauro Carvalho Chehab      11   rcu_assign_pointer(gp, NULL);
408ccc9971eSMauro Carvalho Chehab      12   spin_unlock(&gp_lock);
409ccc9971eSMauro Carvalho Chehab      13   synchronize_rcu();
410ccc9971eSMauro Carvalho Chehab      14   kfree(p);
411ccc9971eSMauro Carvalho Chehab      15   return true;
412ccc9971eSMauro Carvalho Chehab      16 }
413ccc9971eSMauro Carvalho Chehab
414ccc9971eSMauro Carvalho ChehabThis function is straightforward, with line 13 waiting for a grace
415ccc9971eSMauro Carvalho Chehabperiod before line 14 frees the old data element. This waiting ensures
416ccc9971eSMauro Carvalho Chehabthat readers will reach line 7 of ``do_something_gp()`` before the data
417ccc9971eSMauro Carvalho Chehabelement referenced by ``p`` is freed. The ``rcu_access_pointer()`` on
418ccc9971eSMauro Carvalho Chehabline 6 is similar to ``rcu_dereference()``, except that:
419ccc9971eSMauro Carvalho Chehab
420ccc9971eSMauro Carvalho Chehab#. The value returned by ``rcu_access_pointer()`` cannot be
421ccc9971eSMauro Carvalho Chehab   dereferenced. If you want to access the value pointed to as well as
422ccc9971eSMauro Carvalho Chehab   the pointer itself, use ``rcu_dereference()`` instead of
423ccc9971eSMauro Carvalho Chehab   ``rcu_access_pointer()``.
424ccc9971eSMauro Carvalho Chehab#. The call to ``rcu_access_pointer()`` need not be protected. In
425ccc9971eSMauro Carvalho Chehab   contrast, ``rcu_dereference()`` must either be within an RCU
426ccc9971eSMauro Carvalho Chehab   read-side critical section or in a code segment where the pointer
427ccc9971eSMauro Carvalho Chehab   cannot change, for example, in code protected by the corresponding
428ccc9971eSMauro Carvalho Chehab   update-side lock.
429ccc9971eSMauro Carvalho Chehab
430ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
431ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
432ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
433ccc9971eSMauro Carvalho Chehab| Without the ``rcu_dereference()`` or the ``rcu_access_pointer()``,    |
434ccc9971eSMauro Carvalho Chehab| what destructive optimizations might the compiler make use of?        |
435ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
436ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
437ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
438ccc9971eSMauro Carvalho Chehab| Let's start with what happens to ``do_something_gp()`` if it fails to |
439ccc9971eSMauro Carvalho Chehab| use ``rcu_dereference()``. It could reuse a value formerly fetched    |
440ccc9971eSMauro Carvalho Chehab| from this same pointer. It could also fetch the pointer from ``gp``   |
441ccc9971eSMauro Carvalho Chehab| in a byte-at-a-time manner, resulting in *load tearing*, in turn      |
442ccc9971eSMauro Carvalho Chehab| resulting a bytewise mash-up of two distinct pointer values. It might |
443ccc9971eSMauro Carvalho Chehab| even use value-speculation optimizations, where it makes a wrong      |
444ccc9971eSMauro Carvalho Chehab| guess, but by the time it gets around to checking the value, an       |
445ccc9971eSMauro Carvalho Chehab| update has changed the pointer to match the wrong guess. Too bad      |
446ccc9971eSMauro Carvalho Chehab| about any dereferences that returned pre-initialization garbage in    |
447ccc9971eSMauro Carvalho Chehab| the meantime!                                                         |
448ccc9971eSMauro Carvalho Chehab| For ``remove_gp_synchronous()``, as long as all modifications to      |
449ccc9971eSMauro Carvalho Chehab| ``gp`` are carried out while holding ``gp_lock``, the above           |
450ccc9971eSMauro Carvalho Chehab| optimizations are harmless. However, ``sparse`` will complain if you  |
451ccc9971eSMauro Carvalho Chehab| define ``gp`` with ``__rcu`` and then access it without using either  |
452ccc9971eSMauro Carvalho Chehab| ``rcu_access_pointer()`` or ``rcu_dereference()``.                    |
453ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
454ccc9971eSMauro Carvalho Chehab
455ccc9971eSMauro Carvalho ChehabIn short, RCU's publish-subscribe guarantee is provided by the
456ccc9971eSMauro Carvalho Chehabcombination of ``rcu_assign_pointer()`` and ``rcu_dereference()``. This
457ccc9971eSMauro Carvalho Chehabguarantee allows data elements to be safely added to RCU-protected
458ccc9971eSMauro Carvalho Chehablinked data structures without disrupting RCU readers. This guarantee
459ccc9971eSMauro Carvalho Chehabcan be used in combination with the grace-period guarantee to also allow
460ccc9971eSMauro Carvalho Chehabdata elements to be removed from RCU-protected linked data structures,
461ccc9971eSMauro Carvalho Chehabagain without disrupting RCU readers.
462ccc9971eSMauro Carvalho Chehab
463ccc9971eSMauro Carvalho ChehabThis guarantee was only partially premeditated. DYNIX/ptx used an
464ccc9971eSMauro Carvalho Chehabexplicit memory barrier for publication, but had nothing resembling
465ccc9971eSMauro Carvalho Chehab``rcu_dereference()`` for subscription, nor did it have anything
4668ca924aeSWill Deaconresembling the dependency-ordering barrier that was later subsumed
467ccc9971eSMauro Carvalho Chehabinto ``rcu_dereference()`` and later still into ``READ_ONCE()``. The
468ccc9971eSMauro Carvalho Chehabneed for these operations made itself known quite suddenly at a
469ccc9971eSMauro Carvalho Chehablate-1990s meeting with the DEC Alpha architects, back in the days when
470ccc9971eSMauro Carvalho ChehabDEC was still a free-standing company. It took the Alpha architects a
471ccc9971eSMauro Carvalho Chehabgood hour to convince me that any sort of barrier would ever be needed,
472ccc9971eSMauro Carvalho Chehaband it then took me a good *two* hours to convince them that their
473ccc9971eSMauro Carvalho Chehabdocumentation did not make this point clear. More recent work with the C
474ccc9971eSMauro Carvalho Chehaband C++ standards committees have provided much education on tricks and
475ccc9971eSMauro Carvalho Chehabtraps from the compiler. In short, compilers were much less tricky in
476ccc9971eSMauro Carvalho Chehabthe early 1990s, but in 2015, don't even think about omitting
477ccc9971eSMauro Carvalho Chehab``rcu_dereference()``!
478ccc9971eSMauro Carvalho Chehab
479ccc9971eSMauro Carvalho ChehabMemory-Barrier Guarantees
480ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~
481ccc9971eSMauro Carvalho Chehab
482ccc9971eSMauro Carvalho ChehabThe previous section's simple linked-data-structure scenario clearly
483ccc9971eSMauro Carvalho Chehabdemonstrates the need for RCU's stringent memory-ordering guarantees on
484ccc9971eSMauro Carvalho Chehabsystems with more than one CPU:
485ccc9971eSMauro Carvalho Chehab
486ccc9971eSMauro Carvalho Chehab#. Each CPU that has an RCU read-side critical section that begins
487ccc9971eSMauro Carvalho Chehab   before ``synchronize_rcu()`` starts is guaranteed to execute a full
488ccc9971eSMauro Carvalho Chehab   memory barrier between the time that the RCU read-side critical
489ccc9971eSMauro Carvalho Chehab   section ends and the time that ``synchronize_rcu()`` returns. Without
490ccc9971eSMauro Carvalho Chehab   this guarantee, a pre-existing RCU read-side critical section might
491ccc9971eSMauro Carvalho Chehab   hold a reference to the newly removed ``struct foo`` after the
492ccc9971eSMauro Carvalho Chehab   ``kfree()`` on line 14 of ``remove_gp_synchronous()``.
493ccc9971eSMauro Carvalho Chehab#. Each CPU that has an RCU read-side critical section that ends after
494ccc9971eSMauro Carvalho Chehab   ``synchronize_rcu()`` returns is guaranteed to execute a full memory
495ccc9971eSMauro Carvalho Chehab   barrier between the time that ``synchronize_rcu()`` begins and the
496ccc9971eSMauro Carvalho Chehab   time that the RCU read-side critical section begins. Without this
497ccc9971eSMauro Carvalho Chehab   guarantee, a later RCU read-side critical section running after the
498ccc9971eSMauro Carvalho Chehab   ``kfree()`` on line 14 of ``remove_gp_synchronous()`` might later run
499ccc9971eSMauro Carvalho Chehab   ``do_something_gp()`` and find the newly deleted ``struct foo``.
500ccc9971eSMauro Carvalho Chehab#. If the task invoking ``synchronize_rcu()`` remains on a given CPU,
501ccc9971eSMauro Carvalho Chehab   then that CPU is guaranteed to execute a full memory barrier sometime
502ccc9971eSMauro Carvalho Chehab   during the execution of ``synchronize_rcu()``. This guarantee ensures
503ccc9971eSMauro Carvalho Chehab   that the ``kfree()`` on line 14 of ``remove_gp_synchronous()`` really
504ccc9971eSMauro Carvalho Chehab   does execute after the removal on line 11.
505ccc9971eSMauro Carvalho Chehab#. If the task invoking ``synchronize_rcu()`` migrates among a group of
506ccc9971eSMauro Carvalho Chehab   CPUs during that invocation, then each of the CPUs in that group is
507ccc9971eSMauro Carvalho Chehab   guaranteed to execute a full memory barrier sometime during the
508ccc9971eSMauro Carvalho Chehab   execution of ``synchronize_rcu()``. This guarantee also ensures that
509ccc9971eSMauro Carvalho Chehab   the ``kfree()`` on line 14 of ``remove_gp_synchronous()`` really does
510ccc9971eSMauro Carvalho Chehab   execute after the removal on line 11, but also in the case where the
511ccc9971eSMauro Carvalho Chehab   thread executing the ``synchronize_rcu()`` migrates in the meantime.
512ccc9971eSMauro Carvalho Chehab
513ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
514ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
515ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
516ccc9971eSMauro Carvalho Chehab| Given that multiple CPUs can start RCU read-side critical sections at |
517ccc9971eSMauro Carvalho Chehab| any time without any ordering whatsoever, how can RCU possibly tell   |
518ccc9971eSMauro Carvalho Chehab| whether or not a given RCU read-side critical section starts before a |
519ccc9971eSMauro Carvalho Chehab| given instance of ``synchronize_rcu()``?                              |
520ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
521ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
522ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
523ccc9971eSMauro Carvalho Chehab| If RCU cannot tell whether or not a given RCU read-side critical      |
524ccc9971eSMauro Carvalho Chehab| section starts before a given instance of ``synchronize_rcu()``, then |
525ccc9971eSMauro Carvalho Chehab| it must assume that the RCU read-side critical section started first. |
526ccc9971eSMauro Carvalho Chehab| In other words, a given instance of ``synchronize_rcu()`` can avoid   |
527ccc9971eSMauro Carvalho Chehab| waiting on a given RCU read-side critical section only if it can      |
528ccc9971eSMauro Carvalho Chehab| prove that ``synchronize_rcu()`` started first.                       |
529ccc9971eSMauro Carvalho Chehab| A related question is “When ``rcu_read_lock()`` doesn't generate any  |
530ccc9971eSMauro Carvalho Chehab| code, why does it matter how it relates to a grace period?” The       |
531ccc9971eSMauro Carvalho Chehab| answer is that it is not the relationship of ``rcu_read_lock()``      |
532ccc9971eSMauro Carvalho Chehab| itself that is important, but rather the relationship of the code     |
533ccc9971eSMauro Carvalho Chehab| within the enclosed RCU read-side critical section to the code        |
534ccc9971eSMauro Carvalho Chehab| preceding and following the grace period. If we take this viewpoint,  |
535ccc9971eSMauro Carvalho Chehab| then a given RCU read-side critical section begins before a given     |
536ccc9971eSMauro Carvalho Chehab| grace period when some access preceding the grace period observes the |
537ccc9971eSMauro Carvalho Chehab| effect of some access within the critical section, in which case none |
538ccc9971eSMauro Carvalho Chehab| of the accesses within the critical section may observe the effects   |
539ccc9971eSMauro Carvalho Chehab| of any access following the grace period.                             |
540ccc9971eSMauro Carvalho Chehab|                                                                       |
541ccc9971eSMauro Carvalho Chehab| As of late 2016, mathematical models of RCU take this viewpoint, for  |
542ccc9971eSMauro Carvalho Chehab| example, see slides 62 and 63 of the `2016 LinuxCon                   |
543ccc9971eSMauro Carvalho Chehab| EU <http://www2.rdrop.com/users/paulmck/scalability/paper/LinuxMM.201 |
544ccc9971eSMauro Carvalho Chehab| 6.10.04c.LCE.pdf>`__                                                  |
545ccc9971eSMauro Carvalho Chehab| presentation.                                                         |
546ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
547ccc9971eSMauro Carvalho Chehab
548ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
549ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
550ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
551ccc9971eSMauro Carvalho Chehab| The first and second guarantees require unbelievably strict ordering! |
552ccc9971eSMauro Carvalho Chehab| Are all these memory barriers *really* required?                      |
553ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
554ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
555ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
556ccc9971eSMauro Carvalho Chehab| Yes, they really are required. To see why the first guarantee is      |
557ccc9971eSMauro Carvalho Chehab| required, consider the following sequence of events:                  |
558ccc9971eSMauro Carvalho Chehab|                                                                       |
559ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``rcu_read_lock()``                                         |
560ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``q = rcu_dereference(gp); /* Very likely to return p. */`` |
561ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``list_del_rcu(p);``                                        |
562ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``synchronize_rcu()`` starts.                               |
563ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``do_something_with(q->a);``                                |
564ccc9971eSMauro Carvalho Chehab|    ``/* No smp_mb(), so might happen after kfree(). */``              |
565ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``rcu_read_unlock()``                                       |
566ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``synchronize_rcu()`` returns.                              |
567ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``kfree(p);``                                               |
568ccc9971eSMauro Carvalho Chehab|                                                                       |
569ccc9971eSMauro Carvalho Chehab| Therefore, there absolutely must be a full memory barrier between the |
570ccc9971eSMauro Carvalho Chehab| end of the RCU read-side critical section and the end of the grace    |
571ccc9971eSMauro Carvalho Chehab| period.                                                               |
572ccc9971eSMauro Carvalho Chehab|                                                                       |
573ccc9971eSMauro Carvalho Chehab| The sequence of events demonstrating the necessity of the second rule |
574ccc9971eSMauro Carvalho Chehab| is roughly similar:                                                   |
575ccc9971eSMauro Carvalho Chehab|                                                                       |
576ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``list_del_rcu(p);``                                        |
577ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``synchronize_rcu()`` starts.                               |
578ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``rcu_read_lock()``                                         |
579ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``q = rcu_dereference(gp);``                                |
580ccc9971eSMauro Carvalho Chehab|    ``/* Might return p if no memory barrier. */``                     |
581ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``synchronize_rcu()`` returns.                              |
582ccc9971eSMauro Carvalho Chehab| #. CPU 0: ``kfree(p);``                                               |
583ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``do_something_with(q->a); /* Boom!!! */``                  |
584ccc9971eSMauro Carvalho Chehab| #. CPU 1: ``rcu_read_unlock()``                                       |
585ccc9971eSMauro Carvalho Chehab|                                                                       |
586ccc9971eSMauro Carvalho Chehab| And similarly, without a memory barrier between the beginning of the  |
587ccc9971eSMauro Carvalho Chehab| grace period and the beginning of the RCU read-side critical section, |
588ccc9971eSMauro Carvalho Chehab| CPU 1 might end up accessing the freelist.                            |
589ccc9971eSMauro Carvalho Chehab|                                                                       |
590ccc9971eSMauro Carvalho Chehab| The “as if” rule of course applies, so that any implementation that   |
591ccc9971eSMauro Carvalho Chehab| acts as if the appropriate memory barriers were in place is a correct |
592ccc9971eSMauro Carvalho Chehab| implementation. That said, it is much easier to fool yourself into    |
593ccc9971eSMauro Carvalho Chehab| believing that you have adhered to the as-if rule than it is to       |
594ccc9971eSMauro Carvalho Chehab| actually adhere to it!                                                |
595ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
596ccc9971eSMauro Carvalho Chehab
597ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
598ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
599ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
600ccc9971eSMauro Carvalho Chehab| You claim that ``rcu_read_lock()`` and ``rcu_read_unlock()`` generate |
601ccc9971eSMauro Carvalho Chehab| absolutely no code in some kernel builds. This means that the         |
602ccc9971eSMauro Carvalho Chehab| compiler might arbitrarily rearrange consecutive RCU read-side        |
603ccc9971eSMauro Carvalho Chehab| critical sections. Given such rearrangement, if a given RCU read-side |
604ccc9971eSMauro Carvalho Chehab| critical section is done, how can you be sure that all prior RCU      |
605ccc9971eSMauro Carvalho Chehab| read-side critical sections are done? Won't the compiler              |
606ccc9971eSMauro Carvalho Chehab| rearrangements make that impossible to determine?                     |
607ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
608ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
609ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
610ccc9971eSMauro Carvalho Chehab| In cases where ``rcu_read_lock()`` and ``rcu_read_unlock()`` generate |
611ccc9971eSMauro Carvalho Chehab| absolutely no code, RCU infers quiescent states only at special       |
612ccc9971eSMauro Carvalho Chehab| locations, for example, within the scheduler. Because calls to        |
613ccc9971eSMauro Carvalho Chehab| ``schedule()`` had better prevent calling-code accesses to shared     |
614ccc9971eSMauro Carvalho Chehab| variables from being rearranged across the call to ``schedule()``, if |
615ccc9971eSMauro Carvalho Chehab| RCU detects the end of a given RCU read-side critical section, it     |
616ccc9971eSMauro Carvalho Chehab| will necessarily detect the end of all prior RCU read-side critical   |
617ccc9971eSMauro Carvalho Chehab| sections, no matter how aggressively the compiler scrambles the code. |
618ccc9971eSMauro Carvalho Chehab| Again, this all assumes that the compiler cannot scramble code across |
619ccc9971eSMauro Carvalho Chehab| calls to the scheduler, out of interrupt handlers, into the idle      |
620ccc9971eSMauro Carvalho Chehab| loop, into user-mode code, and so on. But if your kernel build allows |
621ccc9971eSMauro Carvalho Chehab| that sort of scrambling, you have broken far more than just RCU!      |
622ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
623ccc9971eSMauro Carvalho Chehab
624ccc9971eSMauro Carvalho ChehabNote that these memory-barrier requirements do not replace the
625ccc9971eSMauro Carvalho Chehabfundamental RCU requirement that a grace period wait for all
626ccc9971eSMauro Carvalho Chehabpre-existing readers. On the contrary, the memory barriers called out in
627ccc9971eSMauro Carvalho Chehabthis section must operate in such a way as to *enforce* this fundamental
628ccc9971eSMauro Carvalho Chehabrequirement. Of course, different implementations enforce this
629ccc9971eSMauro Carvalho Chehabrequirement in different ways, but enforce it they must.
630ccc9971eSMauro Carvalho Chehab
631ccc9971eSMauro Carvalho ChehabRCU Primitives Guaranteed to Execute Unconditionally
632ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
633ccc9971eSMauro Carvalho Chehab
634ccc9971eSMauro Carvalho ChehabThe common-case RCU primitives are unconditional. They are invoked, they
635ccc9971eSMauro Carvalho Chehabdo their job, and they return, with no possibility of error, and no need
636ccc9971eSMauro Carvalho Chehabto retry. This is a key RCU design philosophy.
637ccc9971eSMauro Carvalho Chehab
638ccc9971eSMauro Carvalho ChehabHowever, this philosophy is pragmatic rather than pigheaded. If someone
639ccc9971eSMauro Carvalho Chehabcomes up with a good justification for a particular conditional RCU
640ccc9971eSMauro Carvalho Chehabprimitive, it might well be implemented and added. After all, this
641ccc9971eSMauro Carvalho Chehabguarantee was reverse-engineered, not premeditated. The unconditional
642ccc9971eSMauro Carvalho Chehabnature of the RCU primitives was initially an accident of
643ccc9971eSMauro Carvalho Chehabimplementation, and later experience with synchronization primitives
644ccc9971eSMauro Carvalho Chehabwith conditional primitives caused me to elevate this accident to a
645ccc9971eSMauro Carvalho Chehabguarantee. Therefore, the justification for adding a conditional
646ccc9971eSMauro Carvalho Chehabprimitive to RCU would need to be based on detailed and compelling use
647ccc9971eSMauro Carvalho Chehabcases.
648ccc9971eSMauro Carvalho Chehab
649ccc9971eSMauro Carvalho ChehabGuaranteed Read-to-Write Upgrade
650ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
651ccc9971eSMauro Carvalho Chehab
652ccc9971eSMauro Carvalho ChehabAs far as RCU is concerned, it is always possible to carry out an update
653ccc9971eSMauro Carvalho Chehabwithin an RCU read-side critical section. For example, that RCU
654ccc9971eSMauro Carvalho Chehabread-side critical section might search for a given data element, and
655ccc9971eSMauro Carvalho Chehabthen might acquire the update-side spinlock in order to update that
656ccc9971eSMauro Carvalho Chehabelement, all while remaining in that RCU read-side critical section. Of
657ccc9971eSMauro Carvalho Chehabcourse, it is necessary to exit the RCU read-side critical section
658ccc9971eSMauro Carvalho Chehabbefore invoking ``synchronize_rcu()``, however, this inconvenience can
659ccc9971eSMauro Carvalho Chehabbe avoided through use of the ``call_rcu()`` and ``kfree_rcu()`` API
660ccc9971eSMauro Carvalho Chehabmembers described later in this document.
661ccc9971eSMauro Carvalho Chehab
662ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
663ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
664ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
665ccc9971eSMauro Carvalho Chehab| But how does the upgrade-to-write operation exclude other readers?    |
666ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
667ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
668ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
669ccc9971eSMauro Carvalho Chehab| It doesn't, just like normal RCU updates, which also do not exclude   |
670ccc9971eSMauro Carvalho Chehab| RCU readers.                                                          |
671ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
672ccc9971eSMauro Carvalho Chehab
673ccc9971eSMauro Carvalho ChehabThis guarantee allows lookup code to be shared between read-side and
674ccc9971eSMauro Carvalho Chehabupdate-side code, and was premeditated, appearing in the earliest
675ccc9971eSMauro Carvalho ChehabDYNIX/ptx RCU documentation.
676ccc9971eSMauro Carvalho Chehab
677ccc9971eSMauro Carvalho ChehabFundamental Non-Requirements
678ccc9971eSMauro Carvalho Chehab----------------------------
679ccc9971eSMauro Carvalho Chehab
680ccc9971eSMauro Carvalho ChehabRCU provides extremely lightweight readers, and its read-side
681ccc9971eSMauro Carvalho Chehabguarantees, though quite useful, are correspondingly lightweight. It is
682ccc9971eSMauro Carvalho Chehabtherefore all too easy to assume that RCU is guaranteeing more than it
683ccc9971eSMauro Carvalho Chehabreally is. Of course, the list of things that RCU does not guarantee is
684ccc9971eSMauro Carvalho Chehabinfinitely long, however, the following sections list a few
685ccc9971eSMauro Carvalho Chehabnon-guarantees that have caused confusion. Except where otherwise noted,
686ccc9971eSMauro Carvalho Chehabthese non-guarantees were premeditated.
687ccc9971eSMauro Carvalho Chehab
68807335c16SJoel Fernandes (Google)#. `Readers Impose Minimal Ordering`_
68907335c16SJoel Fernandes (Google)#. `Readers Do Not Exclude Updaters`_
69007335c16SJoel Fernandes (Google)#. `Updaters Only Wait For Old Readers`_
69107335c16SJoel Fernandes (Google)#. `Grace Periods Don't Partition Read-Side Critical Sections`_
69207335c16SJoel Fernandes (Google)#. `Read-Side Critical Sections Don't Partition Grace Periods`_
693ccc9971eSMauro Carvalho Chehab
694ccc9971eSMauro Carvalho ChehabReaders Impose Minimal Ordering
695ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
696ccc9971eSMauro Carvalho Chehab
697ccc9971eSMauro Carvalho ChehabReader-side markers such as ``rcu_read_lock()`` and
698ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()`` provide absolutely no ordering guarantees except
699ccc9971eSMauro Carvalho Chehabthrough their interaction with the grace-period APIs such as
700ccc9971eSMauro Carvalho Chehab``synchronize_rcu()``. To see this, consider the following pair of
701ccc9971eSMauro Carvalho Chehabthreads:
702ccc9971eSMauro Carvalho Chehab
703ccc9971eSMauro Carvalho Chehab   ::
704ccc9971eSMauro Carvalho Chehab
705ccc9971eSMauro Carvalho Chehab       1 void thread0(void)
706ccc9971eSMauro Carvalho Chehab       2 {
707ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
708ccc9971eSMauro Carvalho Chehab       4   WRITE_ONCE(x, 1);
709ccc9971eSMauro Carvalho Chehab       5   rcu_read_unlock();
710ccc9971eSMauro Carvalho Chehab       6   rcu_read_lock();
711ccc9971eSMauro Carvalho Chehab       7   WRITE_ONCE(y, 1);
712ccc9971eSMauro Carvalho Chehab       8   rcu_read_unlock();
713ccc9971eSMauro Carvalho Chehab       9 }
714ccc9971eSMauro Carvalho Chehab      10
715ccc9971eSMauro Carvalho Chehab      11 void thread1(void)
716ccc9971eSMauro Carvalho Chehab      12 {
717ccc9971eSMauro Carvalho Chehab      13   rcu_read_lock();
718ccc9971eSMauro Carvalho Chehab      14   r1 = READ_ONCE(y);
719ccc9971eSMauro Carvalho Chehab      15   rcu_read_unlock();
720ccc9971eSMauro Carvalho Chehab      16   rcu_read_lock();
721ccc9971eSMauro Carvalho Chehab      17   r2 = READ_ONCE(x);
722ccc9971eSMauro Carvalho Chehab      18   rcu_read_unlock();
723ccc9971eSMauro Carvalho Chehab      19 }
724ccc9971eSMauro Carvalho Chehab
725ccc9971eSMauro Carvalho ChehabAfter ``thread0()`` and ``thread1()`` execute concurrently, it is quite
726ccc9971eSMauro Carvalho Chehabpossible to have
727ccc9971eSMauro Carvalho Chehab
728ccc9971eSMauro Carvalho Chehab   ::
729ccc9971eSMauro Carvalho Chehab
730ccc9971eSMauro Carvalho Chehab      (r1 == 1 && r2 == 0)
731ccc9971eSMauro Carvalho Chehab
732ccc9971eSMauro Carvalho Chehab(that is, ``y`` appears to have been assigned before ``x``), which would
733ccc9971eSMauro Carvalho Chehabnot be possible if ``rcu_read_lock()`` and ``rcu_read_unlock()`` had
734ccc9971eSMauro Carvalho Chehabmuch in the way of ordering properties. But they do not, so the CPU is
735ccc9971eSMauro Carvalho Chehabwithin its rights to do significant reordering. This is by design: Any
736ccc9971eSMauro Carvalho Chehabsignificant ordering constraints would slow down these fast-path APIs.
737ccc9971eSMauro Carvalho Chehab
738ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
739ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
740ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
741ccc9971eSMauro Carvalho Chehab| Can't the compiler also reorder this code?                            |
742ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
743ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
744ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
745ccc9971eSMauro Carvalho Chehab| No, the volatile casts in ``READ_ONCE()`` and ``WRITE_ONCE()``        |
746ccc9971eSMauro Carvalho Chehab| prevent the compiler from reordering in this particular case.         |
747ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
748ccc9971eSMauro Carvalho Chehab
749ccc9971eSMauro Carvalho ChehabReaders Do Not Exclude Updaters
750ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
751ccc9971eSMauro Carvalho Chehab
752ccc9971eSMauro Carvalho ChehabNeither ``rcu_read_lock()`` nor ``rcu_read_unlock()`` exclude updates.
753ccc9971eSMauro Carvalho ChehabAll they do is to prevent grace periods from ending. The following
754ccc9971eSMauro Carvalho Chehabexample illustrates this:
755ccc9971eSMauro Carvalho Chehab
756ccc9971eSMauro Carvalho Chehab   ::
757ccc9971eSMauro Carvalho Chehab
758ccc9971eSMauro Carvalho Chehab       1 void thread0(void)
759ccc9971eSMauro Carvalho Chehab       2 {
760ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
761ccc9971eSMauro Carvalho Chehab       4   r1 = READ_ONCE(y);
762ccc9971eSMauro Carvalho Chehab       5   if (r1) {
763ccc9971eSMauro Carvalho Chehab       6     do_something_with_nonzero_x();
764ccc9971eSMauro Carvalho Chehab       7     r2 = READ_ONCE(x);
765ccc9971eSMauro Carvalho Chehab       8     WARN_ON(!r2); /* BUG!!! */
766ccc9971eSMauro Carvalho Chehab       9   }
767ccc9971eSMauro Carvalho Chehab      10   rcu_read_unlock();
768ccc9971eSMauro Carvalho Chehab      11 }
769ccc9971eSMauro Carvalho Chehab      12
770ccc9971eSMauro Carvalho Chehab      13 void thread1(void)
771ccc9971eSMauro Carvalho Chehab      14 {
772ccc9971eSMauro Carvalho Chehab      15   spin_lock(&my_lock);
773ccc9971eSMauro Carvalho Chehab      16   WRITE_ONCE(x, 1);
774ccc9971eSMauro Carvalho Chehab      17   WRITE_ONCE(y, 1);
775ccc9971eSMauro Carvalho Chehab      18   spin_unlock(&my_lock);
776ccc9971eSMauro Carvalho Chehab      19 }
777ccc9971eSMauro Carvalho Chehab
778ccc9971eSMauro Carvalho ChehabIf the ``thread0()`` function's ``rcu_read_lock()`` excluded the
779ccc9971eSMauro Carvalho Chehab``thread1()`` function's update, the ``WARN_ON()`` could never fire. But
780ccc9971eSMauro Carvalho Chehabthe fact is that ``rcu_read_lock()`` does not exclude much of anything
781ccc9971eSMauro Carvalho Chehabaside from subsequent grace periods, of which ``thread1()`` has none, so
782ccc9971eSMauro Carvalho Chehabthe ``WARN_ON()`` can and does fire.
783ccc9971eSMauro Carvalho Chehab
784ccc9971eSMauro Carvalho ChehabUpdaters Only Wait For Old Readers
785ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
786ccc9971eSMauro Carvalho Chehab
787ccc9971eSMauro Carvalho ChehabIt might be tempting to assume that after ``synchronize_rcu()``
788ccc9971eSMauro Carvalho Chehabcompletes, there are no readers executing. This temptation must be
789ccc9971eSMauro Carvalho Chehabavoided because new readers can start immediately after
790ccc9971eSMauro Carvalho Chehab``synchronize_rcu()`` starts, and ``synchronize_rcu()`` is under no
791ccc9971eSMauro Carvalho Chehabobligation to wait for these new readers.
792ccc9971eSMauro Carvalho Chehab
793ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
794ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
795ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
796ccc9971eSMauro Carvalho Chehab| Suppose that synchronize_rcu() did wait until *all* readers had       |
797ccc9971eSMauro Carvalho Chehab| completed instead of waiting only on pre-existing readers. For how    |
798ccc9971eSMauro Carvalho Chehab| long would the updater be able to rely on there being no readers?     |
799ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
800ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
801ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
802ccc9971eSMauro Carvalho Chehab| For no time at all. Even if ``synchronize_rcu()`` were to wait until  |
803ccc9971eSMauro Carvalho Chehab| all readers had completed, a new reader might start immediately after |
804ccc9971eSMauro Carvalho Chehab| ``synchronize_rcu()`` completed. Therefore, the code following        |
805ccc9971eSMauro Carvalho Chehab| ``synchronize_rcu()`` can *never* rely on there being no readers.     |
806ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
807ccc9971eSMauro Carvalho Chehab
808ccc9971eSMauro Carvalho ChehabGrace Periods Don't Partition Read-Side Critical Sections
809ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
810ccc9971eSMauro Carvalho Chehab
811ccc9971eSMauro Carvalho ChehabIt is tempting to assume that if any part of one RCU read-side critical
812ccc9971eSMauro Carvalho Chehabsection precedes a given grace period, and if any part of another RCU
813ccc9971eSMauro Carvalho Chehabread-side critical section follows that same grace period, then all of
814ccc9971eSMauro Carvalho Chehabthe first RCU read-side critical section must precede all of the second.
815ccc9971eSMauro Carvalho ChehabHowever, this just isn't the case: A single grace period does not
816ccc9971eSMauro Carvalho Chehabpartition the set of RCU read-side critical sections. An example of this
817ccc9971eSMauro Carvalho Chehabsituation can be illustrated as follows, where ``x``, ``y``, and ``z``
818ccc9971eSMauro Carvalho Chehabare initially all zero:
819ccc9971eSMauro Carvalho Chehab
820ccc9971eSMauro Carvalho Chehab   ::
821ccc9971eSMauro Carvalho Chehab
822ccc9971eSMauro Carvalho Chehab       1 void thread0(void)
823ccc9971eSMauro Carvalho Chehab       2 {
824ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
825ccc9971eSMauro Carvalho Chehab       4   WRITE_ONCE(a, 1);
826ccc9971eSMauro Carvalho Chehab       5   WRITE_ONCE(b, 1);
827ccc9971eSMauro Carvalho Chehab       6   rcu_read_unlock();
828ccc9971eSMauro Carvalho Chehab       7 }
829ccc9971eSMauro Carvalho Chehab       8
830ccc9971eSMauro Carvalho Chehab       9 void thread1(void)
831ccc9971eSMauro Carvalho Chehab      10 {
832ccc9971eSMauro Carvalho Chehab      11   r1 = READ_ONCE(a);
833ccc9971eSMauro Carvalho Chehab      12   synchronize_rcu();
834ccc9971eSMauro Carvalho Chehab      13   WRITE_ONCE(c, 1);
835ccc9971eSMauro Carvalho Chehab      14 }
836ccc9971eSMauro Carvalho Chehab      15
837ccc9971eSMauro Carvalho Chehab      16 void thread2(void)
838ccc9971eSMauro Carvalho Chehab      17 {
839ccc9971eSMauro Carvalho Chehab      18   rcu_read_lock();
840ccc9971eSMauro Carvalho Chehab      19   r2 = READ_ONCE(b);
841ccc9971eSMauro Carvalho Chehab      20   r3 = READ_ONCE(c);
842ccc9971eSMauro Carvalho Chehab      21   rcu_read_unlock();
843ccc9971eSMauro Carvalho Chehab      22 }
844ccc9971eSMauro Carvalho Chehab
845ccc9971eSMauro Carvalho ChehabIt turns out that the outcome:
846ccc9971eSMauro Carvalho Chehab
847ccc9971eSMauro Carvalho Chehab   ::
848ccc9971eSMauro Carvalho Chehab
849ccc9971eSMauro Carvalho Chehab      (r1 == 1 && r2 == 0 && r3 == 1)
850ccc9971eSMauro Carvalho Chehab
851ccc9971eSMauro Carvalho Chehabis entirely possible. The following figure show how this can happen,
852ccc9971eSMauro Carvalho Chehabwith each circled ``QS`` indicating the point at which RCU recorded a
853ccc9971eSMauro Carvalho Chehab*quiescent state* for each thread, that is, a state in which RCU knows
854ccc9971eSMauro Carvalho Chehabthat the thread cannot be in the midst of an RCU read-side critical
855ccc9971eSMauro Carvalho Chehabsection that started before the current grace period:
856ccc9971eSMauro Carvalho Chehab
857ccc9971eSMauro Carvalho Chehab.. kernel-figure:: GPpartitionReaders1.svg
858ccc9971eSMauro Carvalho Chehab
859ccc9971eSMauro Carvalho ChehabIf it is necessary to partition RCU read-side critical sections in this
860ccc9971eSMauro Carvalho Chehabmanner, it is necessary to use two grace periods, where the first grace
861ccc9971eSMauro Carvalho Chehabperiod is known to end before the second grace period starts:
862ccc9971eSMauro Carvalho Chehab
863ccc9971eSMauro Carvalho Chehab   ::
864ccc9971eSMauro Carvalho Chehab
865ccc9971eSMauro Carvalho Chehab       1 void thread0(void)
866ccc9971eSMauro Carvalho Chehab       2 {
867ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
868ccc9971eSMauro Carvalho Chehab       4   WRITE_ONCE(a, 1);
869ccc9971eSMauro Carvalho Chehab       5   WRITE_ONCE(b, 1);
870ccc9971eSMauro Carvalho Chehab       6   rcu_read_unlock();
871ccc9971eSMauro Carvalho Chehab       7 }
872ccc9971eSMauro Carvalho Chehab       8
873ccc9971eSMauro Carvalho Chehab       9 void thread1(void)
874ccc9971eSMauro Carvalho Chehab      10 {
875ccc9971eSMauro Carvalho Chehab      11   r1 = READ_ONCE(a);
876ccc9971eSMauro Carvalho Chehab      12   synchronize_rcu();
877ccc9971eSMauro Carvalho Chehab      13   WRITE_ONCE(c, 1);
878ccc9971eSMauro Carvalho Chehab      14 }
879ccc9971eSMauro Carvalho Chehab      15
880ccc9971eSMauro Carvalho Chehab      16 void thread2(void)
881ccc9971eSMauro Carvalho Chehab      17 {
882ccc9971eSMauro Carvalho Chehab      18   r2 = READ_ONCE(c);
883ccc9971eSMauro Carvalho Chehab      19   synchronize_rcu();
884ccc9971eSMauro Carvalho Chehab      20   WRITE_ONCE(d, 1);
885ccc9971eSMauro Carvalho Chehab      21 }
886ccc9971eSMauro Carvalho Chehab      22
887ccc9971eSMauro Carvalho Chehab      23 void thread3(void)
888ccc9971eSMauro Carvalho Chehab      24 {
889ccc9971eSMauro Carvalho Chehab      25   rcu_read_lock();
890ccc9971eSMauro Carvalho Chehab      26   r3 = READ_ONCE(b);
891ccc9971eSMauro Carvalho Chehab      27   r4 = READ_ONCE(d);
892ccc9971eSMauro Carvalho Chehab      28   rcu_read_unlock();
893ccc9971eSMauro Carvalho Chehab      29 }
894ccc9971eSMauro Carvalho Chehab
895ccc9971eSMauro Carvalho ChehabHere, if ``(r1 == 1)``, then ``thread0()``'s write to ``b`` must happen
896ccc9971eSMauro Carvalho Chehabbefore the end of ``thread1()``'s grace period. If in addition
897ccc9971eSMauro Carvalho Chehab``(r4 == 1)``, then ``thread3()``'s read from ``b`` must happen after
898ccc9971eSMauro Carvalho Chehabthe beginning of ``thread2()``'s grace period. If it is also the case
899ccc9971eSMauro Carvalho Chehabthat ``(r2 == 1)``, then the end of ``thread1()``'s grace period must
900ccc9971eSMauro Carvalho Chehabprecede the beginning of ``thread2()``'s grace period. This mean that
901ccc9971eSMauro Carvalho Chehabthe two RCU read-side critical sections cannot overlap, guaranteeing
902ccc9971eSMauro Carvalho Chehabthat ``(r3 == 1)``. As a result, the outcome:
903ccc9971eSMauro Carvalho Chehab
904ccc9971eSMauro Carvalho Chehab   ::
905ccc9971eSMauro Carvalho Chehab
906ccc9971eSMauro Carvalho Chehab      (r1 == 1 && r2 == 1 && r3 == 0 && r4 == 1)
907ccc9971eSMauro Carvalho Chehab
908ccc9971eSMauro Carvalho Chehabcannot happen.
909ccc9971eSMauro Carvalho Chehab
910ccc9971eSMauro Carvalho ChehabThis non-requirement was also non-premeditated, but became apparent when
911ccc9971eSMauro Carvalho Chehabstudying RCU's interaction with memory ordering.
912ccc9971eSMauro Carvalho Chehab
913ccc9971eSMauro Carvalho ChehabRead-Side Critical Sections Don't Partition Grace Periods
914ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
915ccc9971eSMauro Carvalho Chehab
916ccc9971eSMauro Carvalho ChehabIt is also tempting to assume that if an RCU read-side critical section
917ccc9971eSMauro Carvalho Chehabhappens between a pair of grace periods, then those grace periods cannot
918ccc9971eSMauro Carvalho Chehaboverlap. However, this temptation leads nowhere good, as can be
919ccc9971eSMauro Carvalho Chehabillustrated by the following, with all variables initially zero:
920ccc9971eSMauro Carvalho Chehab
921ccc9971eSMauro Carvalho Chehab   ::
922ccc9971eSMauro Carvalho Chehab
923ccc9971eSMauro Carvalho Chehab       1 void thread0(void)
924ccc9971eSMauro Carvalho Chehab       2 {
925ccc9971eSMauro Carvalho Chehab       3   rcu_read_lock();
926ccc9971eSMauro Carvalho Chehab       4   WRITE_ONCE(a, 1);
927ccc9971eSMauro Carvalho Chehab       5   WRITE_ONCE(b, 1);
928ccc9971eSMauro Carvalho Chehab       6   rcu_read_unlock();
929ccc9971eSMauro Carvalho Chehab       7 }
930ccc9971eSMauro Carvalho Chehab       8
931ccc9971eSMauro Carvalho Chehab       9 void thread1(void)
932ccc9971eSMauro Carvalho Chehab      10 {
933ccc9971eSMauro Carvalho Chehab      11   r1 = READ_ONCE(a);
934ccc9971eSMauro Carvalho Chehab      12   synchronize_rcu();
935ccc9971eSMauro Carvalho Chehab      13   WRITE_ONCE(c, 1);
936ccc9971eSMauro Carvalho Chehab      14 }
937ccc9971eSMauro Carvalho Chehab      15
938ccc9971eSMauro Carvalho Chehab      16 void thread2(void)
939ccc9971eSMauro Carvalho Chehab      17 {
940ccc9971eSMauro Carvalho Chehab      18   rcu_read_lock();
941ccc9971eSMauro Carvalho Chehab      19   WRITE_ONCE(d, 1);
942ccc9971eSMauro Carvalho Chehab      20   r2 = READ_ONCE(c);
943ccc9971eSMauro Carvalho Chehab      21   rcu_read_unlock();
944ccc9971eSMauro Carvalho Chehab      22 }
945ccc9971eSMauro Carvalho Chehab      23
946ccc9971eSMauro Carvalho Chehab      24 void thread3(void)
947ccc9971eSMauro Carvalho Chehab      25 {
948ccc9971eSMauro Carvalho Chehab      26   r3 = READ_ONCE(d);
949ccc9971eSMauro Carvalho Chehab      27   synchronize_rcu();
950ccc9971eSMauro Carvalho Chehab      28   WRITE_ONCE(e, 1);
951ccc9971eSMauro Carvalho Chehab      29 }
952ccc9971eSMauro Carvalho Chehab      30
953ccc9971eSMauro Carvalho Chehab      31 void thread4(void)
954ccc9971eSMauro Carvalho Chehab      32 {
955ccc9971eSMauro Carvalho Chehab      33   rcu_read_lock();
956ccc9971eSMauro Carvalho Chehab      34   r4 = READ_ONCE(b);
957ccc9971eSMauro Carvalho Chehab      35   r5 = READ_ONCE(e);
958ccc9971eSMauro Carvalho Chehab      36   rcu_read_unlock();
959ccc9971eSMauro Carvalho Chehab      37 }
960ccc9971eSMauro Carvalho Chehab
961ccc9971eSMauro Carvalho ChehabIn this case, the outcome:
962ccc9971eSMauro Carvalho Chehab
963ccc9971eSMauro Carvalho Chehab   ::
964ccc9971eSMauro Carvalho Chehab
965ccc9971eSMauro Carvalho Chehab      (r1 == 1 && r2 == 1 && r3 == 1 && r4 == 0 && r5 == 1)
966ccc9971eSMauro Carvalho Chehab
967ccc9971eSMauro Carvalho Chehabis entirely possible, as illustrated below:
968ccc9971eSMauro Carvalho Chehab
969ccc9971eSMauro Carvalho Chehab.. kernel-figure:: ReadersPartitionGP1.svg
970ccc9971eSMauro Carvalho Chehab
971ccc9971eSMauro Carvalho ChehabAgain, an RCU read-side critical section can overlap almost all of a
972ccc9971eSMauro Carvalho Chehabgiven grace period, just so long as it does not overlap the entire grace
973ccc9971eSMauro Carvalho Chehabperiod. As a result, an RCU read-side critical section cannot partition
974ccc9971eSMauro Carvalho Chehaba pair of RCU grace periods.
975ccc9971eSMauro Carvalho Chehab
976ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
977ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
978ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
979ccc9971eSMauro Carvalho Chehab| How long a sequence of grace periods, each separated by an RCU        |
980ccc9971eSMauro Carvalho Chehab| read-side critical section, would be required to partition the RCU    |
981ccc9971eSMauro Carvalho Chehab| read-side critical sections at the beginning and end of the chain?    |
982ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
983ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
984ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
985ccc9971eSMauro Carvalho Chehab| In theory, an infinite number. In practice, an unknown number that is |
986ccc9971eSMauro Carvalho Chehab| sensitive to both implementation details and timing considerations.   |
987ccc9971eSMauro Carvalho Chehab| Therefore, even in practice, RCU users must abide by the theoretical  |
988ccc9971eSMauro Carvalho Chehab| rather than the practical answer.                                     |
989ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
990ccc9971eSMauro Carvalho Chehab
991ccc9971eSMauro Carvalho ChehabParallelism Facts of Life
992ccc9971eSMauro Carvalho Chehab-------------------------
993ccc9971eSMauro Carvalho Chehab
994ccc9971eSMauro Carvalho ChehabThese parallelism facts of life are by no means specific to RCU, but the
995ccc9971eSMauro Carvalho ChehabRCU implementation must abide by them. They therefore bear repeating:
996ccc9971eSMauro Carvalho Chehab
997ccc9971eSMauro Carvalho Chehab#. Any CPU or task may be delayed at any time, and any attempts to avoid
998ccc9971eSMauro Carvalho Chehab   these delays by disabling preemption, interrupts, or whatever are
999ccc9971eSMauro Carvalho Chehab   completely futile. This is most obvious in preemptible user-level
1000ccc9971eSMauro Carvalho Chehab   environments and in virtualized environments (where a given guest
1001ccc9971eSMauro Carvalho Chehab   OS's VCPUs can be preempted at any time by the underlying
1002ccc9971eSMauro Carvalho Chehab   hypervisor), but can also happen in bare-metal environments due to
1003ccc9971eSMauro Carvalho Chehab   ECC errors, NMIs, and other hardware events. Although a delay of more
1004ccc9971eSMauro Carvalho Chehab   than about 20 seconds can result in splats, the RCU implementation is
1005ccc9971eSMauro Carvalho Chehab   obligated to use algorithms that can tolerate extremely long delays,
1006ccc9971eSMauro Carvalho Chehab   but where “extremely long” is not long enough to allow wrap-around
1007ccc9971eSMauro Carvalho Chehab   when incrementing a 64-bit counter.
1008ccc9971eSMauro Carvalho Chehab#. Both the compiler and the CPU can reorder memory accesses. Where it
1009ccc9971eSMauro Carvalho Chehab   matters, RCU must use compiler directives and memory-barrier
1010ccc9971eSMauro Carvalho Chehab   instructions to preserve ordering.
1011ccc9971eSMauro Carvalho Chehab#. Conflicting writes to memory locations in any given cache line will
1012ccc9971eSMauro Carvalho Chehab   result in expensive cache misses. Greater numbers of concurrent
1013ccc9971eSMauro Carvalho Chehab   writes and more-frequent concurrent writes will result in more
1014ccc9971eSMauro Carvalho Chehab   dramatic slowdowns. RCU is therefore obligated to use algorithms that
1015ccc9971eSMauro Carvalho Chehab   have sufficient locality to avoid significant performance and
1016ccc9971eSMauro Carvalho Chehab   scalability problems.
1017ccc9971eSMauro Carvalho Chehab#. As a rough rule of thumb, only one CPU's worth of processing may be
1018ccc9971eSMauro Carvalho Chehab   carried out under the protection of any given exclusive lock. RCU
1019ccc9971eSMauro Carvalho Chehab   must therefore use scalable locking designs.
1020ccc9971eSMauro Carvalho Chehab#. Counters are finite, especially on 32-bit systems. RCU's use of
1021ccc9971eSMauro Carvalho Chehab   counters must therefore tolerate counter wrap, or be designed such
1022ccc9971eSMauro Carvalho Chehab   that counter wrap would take way more time than a single system is
1023ccc9971eSMauro Carvalho Chehab   likely to run. An uptime of ten years is quite possible, a runtime of
1024ccc9971eSMauro Carvalho Chehab   a century much less so. As an example of the latter, RCU's
1025ccc9971eSMauro Carvalho Chehab   dyntick-idle nesting counter allows 54 bits for interrupt nesting
1026ccc9971eSMauro Carvalho Chehab   level (this counter is 64 bits even on a 32-bit system). Overflowing
1027ccc9971eSMauro Carvalho Chehab   this counter requires 2\ :sup:`54` half-interrupts on a given CPU
1028ccc9971eSMauro Carvalho Chehab   without that CPU ever going idle. If a half-interrupt happened every
1029ccc9971eSMauro Carvalho Chehab   microsecond, it would take 570 years of runtime to overflow this
1030ccc9971eSMauro Carvalho Chehab   counter, which is currently believed to be an acceptably long time.
1031ccc9971eSMauro Carvalho Chehab#. Linux systems can have thousands of CPUs running a single Linux
1032ccc9971eSMauro Carvalho Chehab   kernel in a single shared-memory environment. RCU must therefore pay
1033ccc9971eSMauro Carvalho Chehab   close attention to high-end scalability.
1034ccc9971eSMauro Carvalho Chehab
1035ccc9971eSMauro Carvalho ChehabThis last parallelism fact of life means that RCU must pay special
1036ccc9971eSMauro Carvalho Chehabattention to the preceding facts of life. The idea that Linux might
1037ccc9971eSMauro Carvalho Chehabscale to systems with thousands of CPUs would have been met with some
1038ccc9971eSMauro Carvalho Chehabskepticism in the 1990s, but these requirements would have otherwise
1039ccc9971eSMauro Carvalho Chehabhave been unsurprising, even in the early 1990s.
1040ccc9971eSMauro Carvalho Chehab
1041ccc9971eSMauro Carvalho ChehabQuality-of-Implementation Requirements
1042ccc9971eSMauro Carvalho Chehab--------------------------------------
1043ccc9971eSMauro Carvalho Chehab
1044ccc9971eSMauro Carvalho ChehabThese sections list quality-of-implementation requirements. Although an
1045ccc9971eSMauro Carvalho ChehabRCU implementation that ignores these requirements could still be used,
1046ccc9971eSMauro Carvalho Chehabit would likely be subject to limitations that would make it
1047ccc9971eSMauro Carvalho Chehabinappropriate for industrial-strength production use. Classes of
1048ccc9971eSMauro Carvalho Chehabquality-of-implementation requirements are as follows:
1049ccc9971eSMauro Carvalho Chehab
105007335c16SJoel Fernandes (Google)#. `Specialization`_
105107335c16SJoel Fernandes (Google)#. `Performance and Scalability`_
105207335c16SJoel Fernandes (Google)#. `Forward Progress`_
105307335c16SJoel Fernandes (Google)#. `Composability`_
105407335c16SJoel Fernandes (Google)#. `Corner Cases`_
1055ccc9971eSMauro Carvalho Chehab
1056ccc9971eSMauro Carvalho ChehabThese classes is covered in the following sections.
1057ccc9971eSMauro Carvalho Chehab
1058ccc9971eSMauro Carvalho ChehabSpecialization
1059ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~
1060ccc9971eSMauro Carvalho Chehab
1061ccc9971eSMauro Carvalho ChehabRCU is and always has been intended primarily for read-mostly
1062ccc9971eSMauro Carvalho Chehabsituations, which means that RCU's read-side primitives are optimized,
1063ccc9971eSMauro Carvalho Chehaboften at the expense of its update-side primitives. Experience thus far
1064ccc9971eSMauro Carvalho Chehabis captured by the following list of situations:
1065ccc9971eSMauro Carvalho Chehab
1066ccc9971eSMauro Carvalho Chehab#. Read-mostly data, where stale and inconsistent data is not a problem:
1067ccc9971eSMauro Carvalho Chehab   RCU works great!
1068ccc9971eSMauro Carvalho Chehab#. Read-mostly data, where data must be consistent: RCU works well.
1069ccc9971eSMauro Carvalho Chehab#. Read-write data, where data must be consistent: RCU *might* work OK.
1070ccc9971eSMauro Carvalho Chehab   Or not.
1071ccc9971eSMauro Carvalho Chehab#. Write-mostly data, where data must be consistent: RCU is very
1072ccc9971eSMauro Carvalho Chehab   unlikely to be the right tool for the job, with the following
1073ccc9971eSMauro Carvalho Chehab   exceptions, where RCU can provide:
1074ccc9971eSMauro Carvalho Chehab
1075ccc9971eSMauro Carvalho Chehab   a. Existence guarantees for update-friendly mechanisms.
1076ccc9971eSMauro Carvalho Chehab   b. Wait-free read-side primitives for real-time use.
1077ccc9971eSMauro Carvalho Chehab
1078ccc9971eSMauro Carvalho ChehabThis focus on read-mostly situations means that RCU must interoperate
1079ccc9971eSMauro Carvalho Chehabwith other synchronization primitives. For example, the ``add_gp()`` and
1080ccc9971eSMauro Carvalho Chehab``remove_gp_synchronous()`` examples discussed earlier use RCU to
1081ccc9971eSMauro Carvalho Chehabprotect readers and locking to coordinate updaters. However, the need
1082ccc9971eSMauro Carvalho Chehabextends much farther, requiring that a variety of synchronization
1083ccc9971eSMauro Carvalho Chehabprimitives be legal within RCU read-side critical sections, including
1084ccc9971eSMauro Carvalho Chehabspinlocks, sequence locks, atomic operations, reference counters, and
1085ccc9971eSMauro Carvalho Chehabmemory barriers.
1086ccc9971eSMauro Carvalho Chehab
1087ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1088ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
1089ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1090ccc9971eSMauro Carvalho Chehab| What about sleeping locks?                                            |
1091ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1092ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
1093ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1094ccc9971eSMauro Carvalho Chehab| These are forbidden within Linux-kernel RCU read-side critical        |
1095ccc9971eSMauro Carvalho Chehab| sections because it is not legal to place a quiescent state (in this  |
1096ccc9971eSMauro Carvalho Chehab| case, voluntary context switch) within an RCU read-side critical      |
1097ccc9971eSMauro Carvalho Chehab| section. However, sleeping locks may be used within userspace RCU     |
1098ccc9971eSMauro Carvalho Chehab| read-side critical sections, and also within Linux-kernel sleepable   |
1099ccc9971eSMauro Carvalho Chehab| RCU `(SRCU) <#Sleepable%20RCU>`__ read-side critical sections. In     |
1100ccc9971eSMauro Carvalho Chehab| addition, the -rt patchset turns spinlocks into a sleeping locks so   |
1101ccc9971eSMauro Carvalho Chehab| that the corresponding critical sections can be preempted, which also |
1102ccc9971eSMauro Carvalho Chehab| means that these sleeplockified spinlocks (but not other sleeping     |
1103ccc9971eSMauro Carvalho Chehab| locks!) may be acquire within -rt-Linux-kernel RCU read-side critical |
1104ccc9971eSMauro Carvalho Chehab| sections.                                                             |
1105ccc9971eSMauro Carvalho Chehab| Note that it *is* legal for a normal RCU read-side critical section   |
1106ccc9971eSMauro Carvalho Chehab| to conditionally acquire a sleeping locks (as in                      |
1107ccc9971eSMauro Carvalho Chehab| ``mutex_trylock()``), but only as long as it does not loop            |
1108ccc9971eSMauro Carvalho Chehab| indefinitely attempting to conditionally acquire that sleeping locks. |
1109ccc9971eSMauro Carvalho Chehab| The key point is that things like ``mutex_trylock()`` either return   |
1110ccc9971eSMauro Carvalho Chehab| with the mutex held, or return an error indication if the mutex was   |
1111ccc9971eSMauro Carvalho Chehab| not immediately available. Either way, ``mutex_trylock()`` returns    |
1112ccc9971eSMauro Carvalho Chehab| immediately without sleeping.                                         |
1113ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1114ccc9971eSMauro Carvalho Chehab
1115ccc9971eSMauro Carvalho ChehabIt often comes as a surprise that many algorithms do not require a
1116ccc9971eSMauro Carvalho Chehabconsistent view of data, but many can function in that mode, with
1117ccc9971eSMauro Carvalho Chehabnetwork routing being the poster child. Internet routing algorithms take
1118ccc9971eSMauro Carvalho Chehabsignificant time to propagate updates, so that by the time an update
1119ccc9971eSMauro Carvalho Chehabarrives at a given system, that system has been sending network traffic
1120ccc9971eSMauro Carvalho Chehabthe wrong way for a considerable length of time. Having a few threads
1121ccc9971eSMauro Carvalho Chehabcontinue to send traffic the wrong way for a few more milliseconds is
1122ccc9971eSMauro Carvalho Chehabclearly not a problem: In the worst case, TCP retransmissions will
1123ccc9971eSMauro Carvalho Chehabeventually get the data where it needs to go. In general, when tracking
1124ccc9971eSMauro Carvalho Chehabthe state of the universe outside of the computer, some level of
1125ccc9971eSMauro Carvalho Chehabinconsistency must be tolerated due to speed-of-light delays if nothing
1126ccc9971eSMauro Carvalho Chehabelse.
1127ccc9971eSMauro Carvalho Chehab
1128ccc9971eSMauro Carvalho ChehabFurthermore, uncertainty about external state is inherent in many cases.
1129ccc9971eSMauro Carvalho ChehabFor example, a pair of veterinarians might use heartbeat to determine
1130ccc9971eSMauro Carvalho Chehabwhether or not a given cat was alive. But how long should they wait
1131ccc9971eSMauro Carvalho Chehabafter the last heartbeat to decide that the cat is in fact dead? Waiting
1132ccc9971eSMauro Carvalho Chehabless than 400 milliseconds makes no sense because this would mean that a
1133ccc9971eSMauro Carvalho Chehabrelaxed cat would be considered to cycle between death and life more
1134ccc9971eSMauro Carvalho Chehabthan 100 times per minute. Moreover, just as with human beings, a cat's
1135ccc9971eSMauro Carvalho Chehabheart might stop for some period of time, so the exact wait period is a
1136ccc9971eSMauro Carvalho Chehabjudgment call. One of our pair of veterinarians might wait 30 seconds
1137ccc9971eSMauro Carvalho Chehabbefore pronouncing the cat dead, while the other might insist on waiting
1138ccc9971eSMauro Carvalho Chehaba full minute. The two veterinarians would then disagree on the state of
1139ccc9971eSMauro Carvalho Chehabthe cat during the final 30 seconds of the minute following the last
1140ccc9971eSMauro Carvalho Chehabheartbeat.
1141ccc9971eSMauro Carvalho Chehab
1142ccc9971eSMauro Carvalho ChehabInterestingly enough, this same situation applies to hardware. When push
1143ccc9971eSMauro Carvalho Chehabcomes to shove, how do we tell whether or not some external server has
1144ccc9971eSMauro Carvalho Chehabfailed? We send messages to it periodically, and declare it failed if we
1145ccc9971eSMauro Carvalho Chehabdon't receive a response within a given period of time. Policy decisions
1146ccc9971eSMauro Carvalho Chehabcan usually tolerate short periods of inconsistency. The policy was
1147ccc9971eSMauro Carvalho Chehabdecided some time ago, and is only now being put into effect, so a few
1148ccc9971eSMauro Carvalho Chehabmilliseconds of delay is normally inconsequential.
1149ccc9971eSMauro Carvalho Chehab
1150ccc9971eSMauro Carvalho ChehabHowever, there are algorithms that absolutely must see consistent data.
1151ccc9971eSMauro Carvalho ChehabFor example, the translation between a user-level SystemV semaphore ID
1152ccc9971eSMauro Carvalho Chehabto the corresponding in-kernel data structure is protected by RCU, but
1153ccc9971eSMauro Carvalho Chehabit is absolutely forbidden to update a semaphore that has just been
1154ccc9971eSMauro Carvalho Chehabremoved. In the Linux kernel, this need for consistency is accommodated
1155ccc9971eSMauro Carvalho Chehabby acquiring spinlocks located in the in-kernel data structure from
1156ccc9971eSMauro Carvalho Chehabwithin the RCU read-side critical section, and this is indicated by the
1157ccc9971eSMauro Carvalho Chehabgreen box in the figure above. Many other techniques may be used, and
1158ccc9971eSMauro Carvalho Chehabare in fact used within the Linux kernel.
1159ccc9971eSMauro Carvalho Chehab
1160ccc9971eSMauro Carvalho ChehabIn short, RCU is not required to maintain consistency, and other
1161ccc9971eSMauro Carvalho Chehabmechanisms may be used in concert with RCU when consistency is required.
1162ccc9971eSMauro Carvalho ChehabRCU's specialization allows it to do its job extremely well, and its
1163ccc9971eSMauro Carvalho Chehabability to interoperate with other synchronization mechanisms allows the
1164ccc9971eSMauro Carvalho Chehabright mix of synchronization tools to be used for a given job.
1165ccc9971eSMauro Carvalho Chehab
1166ccc9971eSMauro Carvalho ChehabPerformance and Scalability
1167ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~
1168ccc9971eSMauro Carvalho Chehab
1169ccc9971eSMauro Carvalho ChehabEnergy efficiency is a critical component of performance today, and
1170ccc9971eSMauro Carvalho ChehabLinux-kernel RCU implementations must therefore avoid unnecessarily
1171ccc9971eSMauro Carvalho Chehabawakening idle CPUs. I cannot claim that this requirement was
1172ccc9971eSMauro Carvalho Chehabpremeditated. In fact, I learned of it during a telephone conversation
1173ccc9971eSMauro Carvalho Chehabin which I was given “frank and open” feedback on the importance of
1174ccc9971eSMauro Carvalho Chehabenergy efficiency in battery-powered systems and on specific
1175ccc9971eSMauro Carvalho Chehabenergy-efficiency shortcomings of the Linux-kernel RCU implementation.
1176ccc9971eSMauro Carvalho ChehabIn my experience, the battery-powered embedded community will consider
1177ccc9971eSMauro Carvalho Chehabany unnecessary wakeups to be extremely unfriendly acts. So much so that
1178ccc9971eSMauro Carvalho Chehabmere Linux-kernel-mailing-list posts are insufficient to vent their ire.
1179ccc9971eSMauro Carvalho Chehab
1180ccc9971eSMauro Carvalho ChehabMemory consumption is not particularly important for in most situations,
1181ccc9971eSMauro Carvalho Chehaband has become decreasingly so as memory sizes have expanded and memory
1182ccc9971eSMauro Carvalho Chehabcosts have plummeted. However, as I learned from Matt Mackall's
1183ccc9971eSMauro Carvalho Chehab`bloatwatch <http://elinux.org/Linux_Tiny-FAQ>`__ efforts, memory
1184ccc9971eSMauro Carvalho Chehabfootprint is critically important on single-CPU systems with
1185ccc9971eSMauro Carvalho Chehabnon-preemptible (``CONFIG_PREEMPT=n``) kernels, and thus `tiny
1186ccc9971eSMauro Carvalho ChehabRCU <https://lkml.kernel.org/g/20090113221724.GA15307@linux.vnet.ibm.com>`__
1187ccc9971eSMauro Carvalho Chehabwas born. Josh Triplett has since taken over the small-memory banner
1188ccc9971eSMauro Carvalho Chehabwith his `Linux kernel tinification <https://tiny.wiki.kernel.org/>`__
1189ccc9971eSMauro Carvalho Chehabproject, which resulted in `SRCU <#Sleepable%20RCU>`__ becoming optional
1190ccc9971eSMauro Carvalho Chehabfor those kernels not needing it.
1191ccc9971eSMauro Carvalho Chehab
1192ccc9971eSMauro Carvalho ChehabThe remaining performance requirements are, for the most part,
1193ccc9971eSMauro Carvalho Chehabunsurprising. For example, in keeping with RCU's read-side
1194ccc9971eSMauro Carvalho Chehabspecialization, ``rcu_dereference()`` should have negligible overhead
1195ccc9971eSMauro Carvalho Chehab(for example, suppression of a few minor compiler optimizations).
1196ccc9971eSMauro Carvalho ChehabSimilarly, in non-preemptible environments, ``rcu_read_lock()`` and
1197ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()`` should have exactly zero overhead.
1198ccc9971eSMauro Carvalho Chehab
1199ccc9971eSMauro Carvalho ChehabIn preemptible environments, in the case where the RCU read-side
1200ccc9971eSMauro Carvalho Chehabcritical section was not preempted (as will be the case for the
1201ccc9971eSMauro Carvalho Chehabhighest-priority real-time process), ``rcu_read_lock()`` and
1202ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()`` should have minimal overhead. In particular, they
1203ccc9971eSMauro Carvalho Chehabshould not contain atomic read-modify-write operations, memory-barrier
1204ccc9971eSMauro Carvalho Chehabinstructions, preemption disabling, interrupt disabling, or backwards
1205ccc9971eSMauro Carvalho Chehabbranches. However, in the case where the RCU read-side critical section
1206ccc9971eSMauro Carvalho Chehabwas preempted, ``rcu_read_unlock()`` may acquire spinlocks and disable
1207ccc9971eSMauro Carvalho Chehabinterrupts. This is why it is better to nest an RCU read-side critical
1208ccc9971eSMauro Carvalho Chehabsection within a preempt-disable region than vice versa, at least in
1209ccc9971eSMauro Carvalho Chehabcases where that critical section is short enough to avoid unduly
1210ccc9971eSMauro Carvalho Chehabdegrading real-time latencies.
1211ccc9971eSMauro Carvalho Chehab
1212ccc9971eSMauro Carvalho ChehabThe ``synchronize_rcu()`` grace-period-wait primitive is optimized for
1213ccc9971eSMauro Carvalho Chehabthroughput. It may therefore incur several milliseconds of latency in
1214ccc9971eSMauro Carvalho Chehabaddition to the duration of the longest RCU read-side critical section.
1215ccc9971eSMauro Carvalho ChehabOn the other hand, multiple concurrent invocations of
1216ccc9971eSMauro Carvalho Chehab``synchronize_rcu()`` are required to use batching optimizations so that
1217ccc9971eSMauro Carvalho Chehabthey can be satisfied by a single underlying grace-period-wait
1218ccc9971eSMauro Carvalho Chehaboperation. For example, in the Linux kernel, it is not unusual for a
1219ccc9971eSMauro Carvalho Chehabsingle grace-period-wait operation to serve more than `1,000 separate
1220ccc9971eSMauro Carvalho Chehabinvocations <https://www.usenix.org/conference/2004-usenix-annual-technical-conference/making-rcu-safe-deep-sub-millisecond-response>`__
1221ccc9971eSMauro Carvalho Chehabof ``synchronize_rcu()``, thus amortizing the per-invocation overhead
1222ccc9971eSMauro Carvalho Chehabdown to nearly zero. However, the grace-period optimization is also
1223ccc9971eSMauro Carvalho Chehabrequired to avoid measurable degradation of real-time scheduling and
1224ccc9971eSMauro Carvalho Chehabinterrupt latencies.
1225ccc9971eSMauro Carvalho Chehab
1226ccc9971eSMauro Carvalho ChehabIn some cases, the multi-millisecond ``synchronize_rcu()`` latencies are
1227ccc9971eSMauro Carvalho Chehabunacceptable. In these cases, ``synchronize_rcu_expedited()`` may be
1228ccc9971eSMauro Carvalho Chehabused instead, reducing the grace-period latency down to a few tens of
1229ccc9971eSMauro Carvalho Chehabmicroseconds on small systems, at least in cases where the RCU read-side
1230ccc9971eSMauro Carvalho Chehabcritical sections are short. There are currently no special latency
1231ccc9971eSMauro Carvalho Chehabrequirements for ``synchronize_rcu_expedited()`` on large systems, but,
1232ccc9971eSMauro Carvalho Chehabconsistent with the empirical nature of the RCU specification, that is
1233ccc9971eSMauro Carvalho Chehabsubject to change. However, there most definitely are scalability
1234ccc9971eSMauro Carvalho Chehabrequirements: A storm of ``synchronize_rcu_expedited()`` invocations on
1235ccc9971eSMauro Carvalho Chehab4096 CPUs should at least make reasonable forward progress. In return
1236ccc9971eSMauro Carvalho Chehabfor its shorter latencies, ``synchronize_rcu_expedited()`` is permitted
1237ccc9971eSMauro Carvalho Chehabto impose modest degradation of real-time latency on non-idle online
1238ccc9971eSMauro Carvalho ChehabCPUs. Here, “modest” means roughly the same latency degradation as a
1239ccc9971eSMauro Carvalho Chehabscheduling-clock interrupt.
1240ccc9971eSMauro Carvalho Chehab
1241ccc9971eSMauro Carvalho ChehabThere are a number of situations where even
1242ccc9971eSMauro Carvalho Chehab``synchronize_rcu_expedited()``'s reduced grace-period latency is
1243ccc9971eSMauro Carvalho Chehabunacceptable. In these situations, the asynchronous ``call_rcu()`` can
1244ccc9971eSMauro Carvalho Chehabbe used in place of ``synchronize_rcu()`` as follows:
1245ccc9971eSMauro Carvalho Chehab
1246ccc9971eSMauro Carvalho Chehab   ::
1247ccc9971eSMauro Carvalho Chehab
1248ccc9971eSMauro Carvalho Chehab       1 struct foo {
1249ccc9971eSMauro Carvalho Chehab       2   int a;
1250ccc9971eSMauro Carvalho Chehab       3   int b;
1251ccc9971eSMauro Carvalho Chehab       4   struct rcu_head rh;
1252ccc9971eSMauro Carvalho Chehab       5 };
1253ccc9971eSMauro Carvalho Chehab       6
1254ccc9971eSMauro Carvalho Chehab       7 static void remove_gp_cb(struct rcu_head *rhp)
1255ccc9971eSMauro Carvalho Chehab       8 {
1256ccc9971eSMauro Carvalho Chehab       9   struct foo *p = container_of(rhp, struct foo, rh);
1257ccc9971eSMauro Carvalho Chehab      10
1258ccc9971eSMauro Carvalho Chehab      11   kfree(p);
1259ccc9971eSMauro Carvalho Chehab      12 }
1260ccc9971eSMauro Carvalho Chehab      13
1261ccc9971eSMauro Carvalho Chehab      14 bool remove_gp_asynchronous(void)
1262ccc9971eSMauro Carvalho Chehab      15 {
1263ccc9971eSMauro Carvalho Chehab      16   struct foo *p;
1264ccc9971eSMauro Carvalho Chehab      17
1265ccc9971eSMauro Carvalho Chehab      18   spin_lock(&gp_lock);
1266ccc9971eSMauro Carvalho Chehab      19   p = rcu_access_pointer(gp);
1267ccc9971eSMauro Carvalho Chehab      20   if (!p) {
1268ccc9971eSMauro Carvalho Chehab      21     spin_unlock(&gp_lock);
1269ccc9971eSMauro Carvalho Chehab      22     return false;
1270ccc9971eSMauro Carvalho Chehab      23   }
1271ccc9971eSMauro Carvalho Chehab      24   rcu_assign_pointer(gp, NULL);
1272ccc9971eSMauro Carvalho Chehab      25   call_rcu(&p->rh, remove_gp_cb);
1273ccc9971eSMauro Carvalho Chehab      26   spin_unlock(&gp_lock);
1274ccc9971eSMauro Carvalho Chehab      27   return true;
1275ccc9971eSMauro Carvalho Chehab      28 }
1276ccc9971eSMauro Carvalho Chehab
1277ccc9971eSMauro Carvalho ChehabA definition of ``struct foo`` is finally needed, and appears on
1278ccc9971eSMauro Carvalho Chehablines 1-5. The function ``remove_gp_cb()`` is passed to ``call_rcu()``
1279ccc9971eSMauro Carvalho Chehabon line 25, and will be invoked after the end of a subsequent grace
1280ccc9971eSMauro Carvalho Chehabperiod. This gets the same effect as ``remove_gp_synchronous()``, but
1281ccc9971eSMauro Carvalho Chehabwithout forcing the updater to wait for a grace period to elapse. The
1282ccc9971eSMauro Carvalho Chehab``call_rcu()`` function may be used in a number of situations where
1283ccc9971eSMauro Carvalho Chehabneither ``synchronize_rcu()`` nor ``synchronize_rcu_expedited()`` would
1284ccc9971eSMauro Carvalho Chehabbe legal, including within preempt-disable code, ``local_bh_disable()``
1285ccc9971eSMauro Carvalho Chehabcode, interrupt-disable code, and interrupt handlers. However, even
1286ccc9971eSMauro Carvalho Chehab``call_rcu()`` is illegal within NMI handlers and from idle and offline
1287ccc9971eSMauro Carvalho ChehabCPUs. The callback function (``remove_gp_cb()`` in this case) will be
1288ccc9971eSMauro Carvalho Chehabexecuted within softirq (software interrupt) environment within the
1289ccc9971eSMauro Carvalho ChehabLinux kernel, either within a real softirq handler or under the
1290ccc9971eSMauro Carvalho Chehabprotection of ``local_bh_disable()``. In both the Linux kernel and in
1291ccc9971eSMauro Carvalho Chehabuserspace, it is bad practice to write an RCU callback function that
1292ccc9971eSMauro Carvalho Chehabtakes too long. Long-running operations should be relegated to separate
1293ccc9971eSMauro Carvalho Chehabthreads or (in the Linux kernel) workqueues.
1294ccc9971eSMauro Carvalho Chehab
1295ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1296ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
1297ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1298ccc9971eSMauro Carvalho Chehab| Why does line 19 use ``rcu_access_pointer()``? After all,             |
1299ccc9971eSMauro Carvalho Chehab| ``call_rcu()`` on line 25 stores into the structure, which would      |
1300ccc9971eSMauro Carvalho Chehab| interact badly with concurrent insertions. Doesn't this mean that     |
1301ccc9971eSMauro Carvalho Chehab| ``rcu_dereference()`` is required?                                    |
1302ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1303ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
1304ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1305ccc9971eSMauro Carvalho Chehab| Presumably the ``->gp_lock`` acquired on line 18 excludes any         |
1306ccc9971eSMauro Carvalho Chehab| changes, including any insertions that ``rcu_dereference()`` would    |
1307ccc9971eSMauro Carvalho Chehab| protect against. Therefore, any insertions will be delayed until      |
1308ccc9971eSMauro Carvalho Chehab| after ``->gp_lock`` is released on line 25, which in turn means that  |
1309ccc9971eSMauro Carvalho Chehab| ``rcu_access_pointer()`` suffices.                                    |
1310ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1311ccc9971eSMauro Carvalho Chehab
1312ccc9971eSMauro Carvalho ChehabHowever, all that ``remove_gp_cb()`` is doing is invoking ``kfree()`` on
1313ccc9971eSMauro Carvalho Chehabthe data element. This is a common idiom, and is supported by
1314ccc9971eSMauro Carvalho Chehab``kfree_rcu()``, which allows “fire and forget” operation as shown
1315ccc9971eSMauro Carvalho Chehabbelow:
1316ccc9971eSMauro Carvalho Chehab
1317ccc9971eSMauro Carvalho Chehab   ::
1318ccc9971eSMauro Carvalho Chehab
1319ccc9971eSMauro Carvalho Chehab       1 struct foo {
1320ccc9971eSMauro Carvalho Chehab       2   int a;
1321ccc9971eSMauro Carvalho Chehab       3   int b;
1322ccc9971eSMauro Carvalho Chehab       4   struct rcu_head rh;
1323ccc9971eSMauro Carvalho Chehab       5 };
1324ccc9971eSMauro Carvalho Chehab       6
1325ccc9971eSMauro Carvalho Chehab       7 bool remove_gp_faf(void)
1326ccc9971eSMauro Carvalho Chehab       8 {
1327ccc9971eSMauro Carvalho Chehab       9   struct foo *p;
1328ccc9971eSMauro Carvalho Chehab      10
1329ccc9971eSMauro Carvalho Chehab      11   spin_lock(&gp_lock);
1330ccc9971eSMauro Carvalho Chehab      12   p = rcu_dereference(gp);
1331ccc9971eSMauro Carvalho Chehab      13   if (!p) {
1332ccc9971eSMauro Carvalho Chehab      14     spin_unlock(&gp_lock);
1333ccc9971eSMauro Carvalho Chehab      15     return false;
1334ccc9971eSMauro Carvalho Chehab      16   }
1335ccc9971eSMauro Carvalho Chehab      17   rcu_assign_pointer(gp, NULL);
1336ccc9971eSMauro Carvalho Chehab      18   kfree_rcu(p, rh);
1337ccc9971eSMauro Carvalho Chehab      19   spin_unlock(&gp_lock);
1338ccc9971eSMauro Carvalho Chehab      20   return true;
1339ccc9971eSMauro Carvalho Chehab      21 }
1340ccc9971eSMauro Carvalho Chehab
1341ccc9971eSMauro Carvalho ChehabNote that ``remove_gp_faf()`` simply invokes ``kfree_rcu()`` and
1342ccc9971eSMauro Carvalho Chehabproceeds, without any need to pay any further attention to the
1343ccc9971eSMauro Carvalho Chehabsubsequent grace period and ``kfree()``. It is permissible to invoke
1344ccc9971eSMauro Carvalho Chehab``kfree_rcu()`` from the same environments as for ``call_rcu()``.
1345ccc9971eSMauro Carvalho ChehabInterestingly enough, DYNIX/ptx had the equivalents of ``call_rcu()``
1346ccc9971eSMauro Carvalho Chehaband ``kfree_rcu()``, but not ``synchronize_rcu()``. This was due to the
1347ccc9971eSMauro Carvalho Chehabfact that RCU was not heavily used within DYNIX/ptx, so the very few
1348ccc9971eSMauro Carvalho Chehabplaces that needed something like ``synchronize_rcu()`` simply
1349ccc9971eSMauro Carvalho Chehabopen-coded it.
1350ccc9971eSMauro Carvalho Chehab
1351ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1352ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
1353ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1354ccc9971eSMauro Carvalho Chehab| Earlier it was claimed that ``call_rcu()`` and ``kfree_rcu()``        |
1355ccc9971eSMauro Carvalho Chehab| allowed updaters to avoid being blocked by readers. But how can that  |
1356ccc9971eSMauro Carvalho Chehab| be correct, given that the invocation of the callback and the freeing |
1357ccc9971eSMauro Carvalho Chehab| of the memory (respectively) must still wait for a grace period to    |
1358ccc9971eSMauro Carvalho Chehab| elapse?                                                               |
1359ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1360ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
1361ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1362ccc9971eSMauro Carvalho Chehab| We could define things this way, but keep in mind that this sort of   |
1363ccc9971eSMauro Carvalho Chehab| definition would say that updates in garbage-collected languages      |
1364ccc9971eSMauro Carvalho Chehab| cannot complete until the next time the garbage collector runs, which |
1365ccc9971eSMauro Carvalho Chehab| does not seem at all reasonable. The key point is that in most cases, |
1366ccc9971eSMauro Carvalho Chehab| an updater using either ``call_rcu()`` or ``kfree_rcu()`` can proceed |
1367ccc9971eSMauro Carvalho Chehab| to the next update as soon as it has invoked ``call_rcu()`` or        |
1368ccc9971eSMauro Carvalho Chehab| ``kfree_rcu()``, without having to wait for a subsequent grace        |
1369ccc9971eSMauro Carvalho Chehab| period.                                                               |
1370ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1371ccc9971eSMauro Carvalho Chehab
1372ccc9971eSMauro Carvalho ChehabBut what if the updater must wait for the completion of code to be
1373ccc9971eSMauro Carvalho Chehabexecuted after the end of the grace period, but has other tasks that can
1374ccc9971eSMauro Carvalho Chehabbe carried out in the meantime? The polling-style
1375ccc9971eSMauro Carvalho Chehab``get_state_synchronize_rcu()`` and ``cond_synchronize_rcu()`` functions
1376ccc9971eSMauro Carvalho Chehabmay be used for this purpose, as shown below:
1377ccc9971eSMauro Carvalho Chehab
1378ccc9971eSMauro Carvalho Chehab   ::
1379ccc9971eSMauro Carvalho Chehab
1380ccc9971eSMauro Carvalho Chehab       1 bool remove_gp_poll(void)
1381ccc9971eSMauro Carvalho Chehab       2 {
1382ccc9971eSMauro Carvalho Chehab       3   struct foo *p;
1383ccc9971eSMauro Carvalho Chehab       4   unsigned long s;
1384ccc9971eSMauro Carvalho Chehab       5
1385ccc9971eSMauro Carvalho Chehab       6   spin_lock(&gp_lock);
1386ccc9971eSMauro Carvalho Chehab       7   p = rcu_access_pointer(gp);
1387ccc9971eSMauro Carvalho Chehab       8   if (!p) {
1388ccc9971eSMauro Carvalho Chehab       9     spin_unlock(&gp_lock);
1389ccc9971eSMauro Carvalho Chehab      10     return false;
1390ccc9971eSMauro Carvalho Chehab      11   }
1391ccc9971eSMauro Carvalho Chehab      12   rcu_assign_pointer(gp, NULL);
1392ccc9971eSMauro Carvalho Chehab      13   spin_unlock(&gp_lock);
1393ccc9971eSMauro Carvalho Chehab      14   s = get_state_synchronize_rcu();
1394ccc9971eSMauro Carvalho Chehab      15   do_something_while_waiting();
1395ccc9971eSMauro Carvalho Chehab      16   cond_synchronize_rcu(s);
1396ccc9971eSMauro Carvalho Chehab      17   kfree(p);
1397ccc9971eSMauro Carvalho Chehab      18   return true;
1398ccc9971eSMauro Carvalho Chehab      19 }
1399ccc9971eSMauro Carvalho Chehab
1400ccc9971eSMauro Carvalho ChehabOn line 14, ``get_state_synchronize_rcu()`` obtains a “cookie” from RCU,
1401ccc9971eSMauro Carvalho Chehabthen line 15 carries out other tasks, and finally, line 16 returns
1402ccc9971eSMauro Carvalho Chehabimmediately if a grace period has elapsed in the meantime, but otherwise
1403ccc9971eSMauro Carvalho Chehabwaits as required. The need for ``get_state_synchronize_rcu`` and
1404ccc9971eSMauro Carvalho Chehab``cond_synchronize_rcu()`` has appeared quite recently, so it is too
1405ccc9971eSMauro Carvalho Chehabearly to tell whether they will stand the test of time.
1406ccc9971eSMauro Carvalho Chehab
1407ccc9971eSMauro Carvalho ChehabRCU thus provides a range of tools to allow updaters to strike the
1408ccc9971eSMauro Carvalho Chehabrequired tradeoff between latency, flexibility and CPU overhead.
1409ccc9971eSMauro Carvalho Chehab
1410ccc9971eSMauro Carvalho ChehabForward Progress
1411ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~
1412ccc9971eSMauro Carvalho Chehab
1413ccc9971eSMauro Carvalho ChehabIn theory, delaying grace-period completion and callback invocation is
1414ccc9971eSMauro Carvalho Chehabharmless. In practice, not only are memory sizes finite but also
1415ccc9971eSMauro Carvalho Chehabcallbacks sometimes do wakeups, and sufficiently deferred wakeups can be
1416ccc9971eSMauro Carvalho Chehabdifficult to distinguish from system hangs. Therefore, RCU must provide
1417ccc9971eSMauro Carvalho Chehaba number of mechanisms to promote forward progress.
1418ccc9971eSMauro Carvalho Chehab
1419ccc9971eSMauro Carvalho ChehabThese mechanisms are not foolproof, nor can they be. For one simple
1420ccc9971eSMauro Carvalho Chehabexample, an infinite loop in an RCU read-side critical section must by
1421ccc9971eSMauro Carvalho Chehabdefinition prevent later grace periods from ever completing. For a more
1422ccc9971eSMauro Carvalho Chehabinvolved example, consider a 64-CPU system built with
1423ccc9971eSMauro Carvalho Chehab``CONFIG_RCU_NOCB_CPU=y`` and booted with ``rcu_nocbs=1-63``, where
1424ccc9971eSMauro Carvalho ChehabCPUs 1 through 63 spin in tight loops that invoke ``call_rcu()``. Even
1425ccc9971eSMauro Carvalho Chehabif these tight loops also contain calls to ``cond_resched()`` (thus
1426ccc9971eSMauro Carvalho Chehaballowing grace periods to complete), CPU 0 simply will not be able to
1427ccc9971eSMauro Carvalho Chehabinvoke callbacks as fast as the other 63 CPUs can register them, at
1428ccc9971eSMauro Carvalho Chehableast not until the system runs out of memory. In both of these
1429ccc9971eSMauro Carvalho Chehabexamples, the Spiderman principle applies: With great power comes great
1430ccc9971eSMauro Carvalho Chehabresponsibility. However, short of this level of abuse, RCU is required
1431ccc9971eSMauro Carvalho Chehabto ensure timely completion of grace periods and timely invocation of
1432ccc9971eSMauro Carvalho Chehabcallbacks.
1433ccc9971eSMauro Carvalho Chehab
1434ccc9971eSMauro Carvalho ChehabRCU takes the following steps to encourage timely completion of grace
1435ccc9971eSMauro Carvalho Chehabperiods:
1436ccc9971eSMauro Carvalho Chehab
1437ccc9971eSMauro Carvalho Chehab#. If a grace period fails to complete within 100 milliseconds, RCU
1438ccc9971eSMauro Carvalho Chehab   causes future invocations of ``cond_resched()`` on the holdout CPUs
1439ccc9971eSMauro Carvalho Chehab   to provide an RCU quiescent state. RCU also causes those CPUs'
1440ccc9971eSMauro Carvalho Chehab   ``need_resched()`` invocations to return ``true``, but only after the
1441ccc9971eSMauro Carvalho Chehab   corresponding CPU's next scheduling-clock.
1442ccc9971eSMauro Carvalho Chehab#. CPUs mentioned in the ``nohz_full`` kernel boot parameter can run
1443ccc9971eSMauro Carvalho Chehab   indefinitely in the kernel without scheduling-clock interrupts, which
1444ccc9971eSMauro Carvalho Chehab   defeats the above ``need_resched()`` strategem. RCU will therefore
1445ccc9971eSMauro Carvalho Chehab   invoke ``resched_cpu()`` on any ``nohz_full`` CPUs still holding out
1446ccc9971eSMauro Carvalho Chehab   after 109 milliseconds.
1447ccc9971eSMauro Carvalho Chehab#. In kernels built with ``CONFIG_RCU_BOOST=y``, if a given task that
1448ccc9971eSMauro Carvalho Chehab   has been preempted within an RCU read-side critical section is
1449ccc9971eSMauro Carvalho Chehab   holding out for more than 500 milliseconds, RCU will resort to
1450ccc9971eSMauro Carvalho Chehab   priority boosting.
1451ccc9971eSMauro Carvalho Chehab#. If a CPU is still holding out 10 seconds into the grace period, RCU
1452ccc9971eSMauro Carvalho Chehab   will invoke ``resched_cpu()`` on it regardless of its ``nohz_full``
1453ccc9971eSMauro Carvalho Chehab   state.
1454ccc9971eSMauro Carvalho Chehab
1455ccc9971eSMauro Carvalho ChehabThe above values are defaults for systems running with ``HZ=1000``. They
1456ccc9971eSMauro Carvalho Chehabwill vary as the value of ``HZ`` varies, and can also be changed using
1457ccc9971eSMauro Carvalho Chehabthe relevant Kconfig options and kernel boot parameters. RCU currently
1458ccc9971eSMauro Carvalho Chehabdoes not do much sanity checking of these parameters, so please use
1459ccc9971eSMauro Carvalho Chehabcaution when changing them. Note that these forward-progress measures
1460ccc9971eSMauro Carvalho Chehabare provided only for RCU, not for `SRCU <#Sleepable%20RCU>`__ or `Tasks
1461ccc9971eSMauro Carvalho ChehabRCU <#Tasks%20RCU>`__.
1462ccc9971eSMauro Carvalho Chehab
1463ccc9971eSMauro Carvalho ChehabRCU takes the following steps in ``call_rcu()`` to encourage timely
1464ccc9971eSMauro Carvalho Chehabinvocation of callbacks when any given non-\ ``rcu_nocbs`` CPU has
1465ccc9971eSMauro Carvalho Chehab10,000 callbacks, or has 10,000 more callbacks than it had the last time
1466ccc9971eSMauro Carvalho Chehabencouragement was provided:
1467ccc9971eSMauro Carvalho Chehab
1468ccc9971eSMauro Carvalho Chehab#. Starts a grace period, if one is not already in progress.
1469ccc9971eSMauro Carvalho Chehab#. Forces immediate checking for quiescent states, rather than waiting
1470ccc9971eSMauro Carvalho Chehab   for three milliseconds to have elapsed since the beginning of the
1471ccc9971eSMauro Carvalho Chehab   grace period.
1472ccc9971eSMauro Carvalho Chehab#. Immediately tags the CPU's callbacks with their grace period
1473ccc9971eSMauro Carvalho Chehab   completion numbers, rather than waiting for the ``RCU_SOFTIRQ``
1474ccc9971eSMauro Carvalho Chehab   handler to get around to it.
1475ccc9971eSMauro Carvalho Chehab#. Lifts callback-execution batch limits, which speeds up callback
1476ccc9971eSMauro Carvalho Chehab   invocation at the expense of degrading realtime response.
1477ccc9971eSMauro Carvalho Chehab
1478ccc9971eSMauro Carvalho ChehabAgain, these are default values when running at ``HZ=1000``, and can be
1479ccc9971eSMauro Carvalho Chehaboverridden. Again, these forward-progress measures are provided only for
1480ccc9971eSMauro Carvalho ChehabRCU, not for `SRCU <#Sleepable%20RCU>`__ or `Tasks
1481ccc9971eSMauro Carvalho ChehabRCU <#Tasks%20RCU>`__. Even for RCU, callback-invocation forward
1482ccc9971eSMauro Carvalho Chehabprogress for ``rcu_nocbs`` CPUs is much less well-developed, in part
1483ccc9971eSMauro Carvalho Chehabbecause workloads benefiting from ``rcu_nocbs`` CPUs tend to invoke
1484ccc9971eSMauro Carvalho Chehab``call_rcu()`` relatively infrequently. If workloads emerge that need
1485ccc9971eSMauro Carvalho Chehabboth ``rcu_nocbs`` CPUs and high ``call_rcu()`` invocation rates, then
1486ccc9971eSMauro Carvalho Chehabadditional forward-progress work will be required.
1487ccc9971eSMauro Carvalho Chehab
1488ccc9971eSMauro Carvalho ChehabComposability
1489ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~
1490ccc9971eSMauro Carvalho Chehab
1491ccc9971eSMauro Carvalho ChehabComposability has received much attention in recent years, perhaps in
1492ccc9971eSMauro Carvalho Chehabpart due to the collision of multicore hardware with object-oriented
1493ccc9971eSMauro Carvalho Chehabtechniques designed in single-threaded environments for single-threaded
1494ccc9971eSMauro Carvalho Chehabuse. And in theory, RCU read-side critical sections may be composed, and
1495ccc9971eSMauro Carvalho Chehabin fact may be nested arbitrarily deeply. In practice, as with all
1496ccc9971eSMauro Carvalho Chehabreal-world implementations of composable constructs, there are
1497ccc9971eSMauro Carvalho Chehablimitations.
1498ccc9971eSMauro Carvalho Chehab
1499ccc9971eSMauro Carvalho ChehabImplementations of RCU for which ``rcu_read_lock()`` and
1500ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()`` generate no code, such as Linux-kernel RCU when
1501ccc9971eSMauro Carvalho Chehab``CONFIG_PREEMPT=n``, can be nested arbitrarily deeply. After all, there
1502ccc9971eSMauro Carvalho Chehabis no overhead. Except that if all these instances of
1503ccc9971eSMauro Carvalho Chehab``rcu_read_lock()`` and ``rcu_read_unlock()`` are visible to the
1504ccc9971eSMauro Carvalho Chehabcompiler, compilation will eventually fail due to exhausting memory,
1505ccc9971eSMauro Carvalho Chehabmass storage, or user patience, whichever comes first. If the nesting is
1506ccc9971eSMauro Carvalho Chehabnot visible to the compiler, as is the case with mutually recursive
1507ccc9971eSMauro Carvalho Chehabfunctions each in its own translation unit, stack overflow will result.
1508ccc9971eSMauro Carvalho ChehabIf the nesting takes the form of loops, perhaps in the guise of tail
1509ccc9971eSMauro Carvalho Chehabrecursion, either the control variable will overflow or (in the Linux
1510ccc9971eSMauro Carvalho Chehabkernel) you will get an RCU CPU stall warning. Nevertheless, this class
1511ccc9971eSMauro Carvalho Chehabof RCU implementations is one of the most composable constructs in
1512ccc9971eSMauro Carvalho Chehabexistence.
1513ccc9971eSMauro Carvalho Chehab
1514ccc9971eSMauro Carvalho ChehabRCU implementations that explicitly track nesting depth are limited by
1515ccc9971eSMauro Carvalho Chehabthe nesting-depth counter. For example, the Linux kernel's preemptible
1516ccc9971eSMauro Carvalho ChehabRCU limits nesting to ``INT_MAX``. This should suffice for almost all
1517ccc9971eSMauro Carvalho Chehabpractical purposes. That said, a consecutive pair of RCU read-side
1518ccc9971eSMauro Carvalho Chehabcritical sections between which there is an operation that waits for a
1519ccc9971eSMauro Carvalho Chehabgrace period cannot be enclosed in another RCU read-side critical
1520ccc9971eSMauro Carvalho Chehabsection. This is because it is not legal to wait for a grace period
1521ccc9971eSMauro Carvalho Chehabwithin an RCU read-side critical section: To do so would result either
1522ccc9971eSMauro Carvalho Chehabin deadlock or in RCU implicitly splitting the enclosing RCU read-side
1523ccc9971eSMauro Carvalho Chehabcritical section, neither of which is conducive to a long-lived and
1524ccc9971eSMauro Carvalho Chehabprosperous kernel.
1525ccc9971eSMauro Carvalho Chehab
1526ccc9971eSMauro Carvalho ChehabIt is worth noting that RCU is not alone in limiting composability. For
1527ccc9971eSMauro Carvalho Chehabexample, many transactional-memory implementations prohibit composing a
1528ccc9971eSMauro Carvalho Chehabpair of transactions separated by an irrevocable operation (for example,
1529ccc9971eSMauro Carvalho Chehaba network receive operation). For another example, lock-based critical
1530ccc9971eSMauro Carvalho Chehabsections can be composed surprisingly freely, but only if deadlock is
1531ccc9971eSMauro Carvalho Chehabavoided.
1532ccc9971eSMauro Carvalho Chehab
1533ccc9971eSMauro Carvalho ChehabIn short, although RCU read-side critical sections are highly
1534ccc9971eSMauro Carvalho Chehabcomposable, care is required in some situations, just as is the case for
1535ccc9971eSMauro Carvalho Chehabany other composable synchronization mechanism.
1536ccc9971eSMauro Carvalho Chehab
1537ccc9971eSMauro Carvalho ChehabCorner Cases
1538ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~
1539ccc9971eSMauro Carvalho Chehab
1540ccc9971eSMauro Carvalho ChehabA given RCU workload might have an endless and intense stream of RCU
1541ccc9971eSMauro Carvalho Chehabread-side critical sections, perhaps even so intense that there was
1542ccc9971eSMauro Carvalho Chehabnever a point in time during which there was not at least one RCU
1543ccc9971eSMauro Carvalho Chehabread-side critical section in flight. RCU cannot allow this situation to
1544ccc9971eSMauro Carvalho Chehabblock grace periods: As long as all the RCU read-side critical sections
1545ccc9971eSMauro Carvalho Chehabare finite, grace periods must also be finite.
1546ccc9971eSMauro Carvalho Chehab
1547ccc9971eSMauro Carvalho ChehabThat said, preemptible RCU implementations could potentially result in
1548ccc9971eSMauro Carvalho ChehabRCU read-side critical sections being preempted for long durations,
1549ccc9971eSMauro Carvalho Chehabwhich has the effect of creating a long-duration RCU read-side critical
1550ccc9971eSMauro Carvalho Chehabsection. This situation can arise only in heavily loaded systems, but
1551ccc9971eSMauro Carvalho Chehabsystems using real-time priorities are of course more vulnerable.
1552ccc9971eSMauro Carvalho ChehabTherefore, RCU priority boosting is provided to help deal with this
1553ccc9971eSMauro Carvalho Chehabcase. That said, the exact requirements on RCU priority boosting will
1554ccc9971eSMauro Carvalho Chehablikely evolve as more experience accumulates.
1555ccc9971eSMauro Carvalho Chehab
1556ccc9971eSMauro Carvalho ChehabOther workloads might have very high update rates. Although one can
1557ccc9971eSMauro Carvalho Chehabargue that such workloads should instead use something other than RCU,
1558ccc9971eSMauro Carvalho Chehabthe fact remains that RCU must handle such workloads gracefully. This
1559ccc9971eSMauro Carvalho Chehabrequirement is another factor driving batching of grace periods, but it
1560ccc9971eSMauro Carvalho Chehabis also the driving force behind the checks for large numbers of queued
1561ccc9971eSMauro Carvalho ChehabRCU callbacks in the ``call_rcu()`` code path. Finally, high update
1562ccc9971eSMauro Carvalho Chehabrates should not delay RCU read-side critical sections, although some
1563ccc9971eSMauro Carvalho Chehabsmall read-side delays can occur when using
1564ccc9971eSMauro Carvalho Chehab``synchronize_rcu_expedited()``, courtesy of this function's use of
1565ccc9971eSMauro Carvalho Chehab``smp_call_function_single()``.
1566ccc9971eSMauro Carvalho Chehab
1567ccc9971eSMauro Carvalho ChehabAlthough all three of these corner cases were understood in the early
1568ccc9971eSMauro Carvalho Chehab1990s, a simple user-level test consisting of ``close(open(path))`` in a
1569ccc9971eSMauro Carvalho Chehabtight loop in the early 2000s suddenly provided a much deeper
1570ccc9971eSMauro Carvalho Chehabappreciation of the high-update-rate corner case. This test also
1571ccc9971eSMauro Carvalho Chehabmotivated addition of some RCU code to react to high update rates, for
1572ccc9971eSMauro Carvalho Chehabexample, if a given CPU finds itself with more than 10,000 RCU callbacks
1573ccc9971eSMauro Carvalho Chehabqueued, it will cause RCU to take evasive action by more aggressively
1574ccc9971eSMauro Carvalho Chehabstarting grace periods and more aggressively forcing completion of
1575ccc9971eSMauro Carvalho Chehabgrace-period processing. This evasive action causes the grace period to
1576ccc9971eSMauro Carvalho Chehabcomplete more quickly, but at the cost of restricting RCU's batching
1577ccc9971eSMauro Carvalho Chehaboptimizations, thus increasing the CPU overhead incurred by that grace
1578ccc9971eSMauro Carvalho Chehabperiod.
1579ccc9971eSMauro Carvalho Chehab
1580ccc9971eSMauro Carvalho ChehabSoftware-Engineering Requirements
1581ccc9971eSMauro Carvalho Chehab---------------------------------
1582ccc9971eSMauro Carvalho Chehab
1583ccc9971eSMauro Carvalho ChehabBetween Murphy's Law and “To err is human”, it is necessary to guard
1584ccc9971eSMauro Carvalho Chehabagainst mishaps and misuse:
1585ccc9971eSMauro Carvalho Chehab
1586ccc9971eSMauro Carvalho Chehab#. It is all too easy to forget to use ``rcu_read_lock()`` everywhere
1587ccc9971eSMauro Carvalho Chehab   that it is needed, so kernels built with ``CONFIG_PROVE_RCU=y`` will
1588ccc9971eSMauro Carvalho Chehab   splat if ``rcu_dereference()`` is used outside of an RCU read-side
1589ccc9971eSMauro Carvalho Chehab   critical section. Update-side code can use
1590ccc9971eSMauro Carvalho Chehab   ``rcu_dereference_protected()``, which takes a `lockdep
1591ccc9971eSMauro Carvalho Chehab   expression <https://lwn.net/Articles/371986/>`__ to indicate what is
1592ccc9971eSMauro Carvalho Chehab   providing the protection. If the indicated protection is not
1593ccc9971eSMauro Carvalho Chehab   provided, a lockdep splat is emitted.
1594ccc9971eSMauro Carvalho Chehab   Code shared between readers and updaters can use
1595ccc9971eSMauro Carvalho Chehab   ``rcu_dereference_check()``, which also takes a lockdep expression,
1596ccc9971eSMauro Carvalho Chehab   and emits a lockdep splat if neither ``rcu_read_lock()`` nor the
1597ccc9971eSMauro Carvalho Chehab   indicated protection is in place. In addition,
1598ccc9971eSMauro Carvalho Chehab   ``rcu_dereference_raw()`` is used in those (hopefully rare) cases
1599ccc9971eSMauro Carvalho Chehab   where the required protection cannot be easily described. Finally,
1600ccc9971eSMauro Carvalho Chehab   ``rcu_read_lock_held()`` is provided to allow a function to verify
1601ccc9971eSMauro Carvalho Chehab   that it has been invoked within an RCU read-side critical section. I
1602ccc9971eSMauro Carvalho Chehab   was made aware of this set of requirements shortly after Thomas
1603ccc9971eSMauro Carvalho Chehab   Gleixner audited a number of RCU uses.
1604ccc9971eSMauro Carvalho Chehab#. A given function might wish to check for RCU-related preconditions
1605ccc9971eSMauro Carvalho Chehab   upon entry, before using any other RCU API. The
1606ccc9971eSMauro Carvalho Chehab   ``rcu_lockdep_assert()`` does this job, asserting the expression in
1607ccc9971eSMauro Carvalho Chehab   kernels having lockdep enabled and doing nothing otherwise.
1608ccc9971eSMauro Carvalho Chehab#. It is also easy to forget to use ``rcu_assign_pointer()`` and
1609ccc9971eSMauro Carvalho Chehab   ``rcu_dereference()``, perhaps (incorrectly) substituting a simple
1610ccc9971eSMauro Carvalho Chehab   assignment. To catch this sort of error, a given RCU-protected
1611ccc9971eSMauro Carvalho Chehab   pointer may be tagged with ``__rcu``, after which sparse will
1612ccc9971eSMauro Carvalho Chehab   complain about simple-assignment accesses to that pointer. Arnd
1613ccc9971eSMauro Carvalho Chehab   Bergmann made me aware of this requirement, and also supplied the
1614ccc9971eSMauro Carvalho Chehab   needed `patch series <https://lwn.net/Articles/376011/>`__.
1615ccc9971eSMauro Carvalho Chehab#. Kernels built with ``CONFIG_DEBUG_OBJECTS_RCU_HEAD=y`` will splat if
1616ccc9971eSMauro Carvalho Chehab   a data element is passed to ``call_rcu()`` twice in a row, without a
1617ccc9971eSMauro Carvalho Chehab   grace period in between. (This error is similar to a double free.)
1618ccc9971eSMauro Carvalho Chehab   The corresponding ``rcu_head`` structures that are dynamically
1619ccc9971eSMauro Carvalho Chehab   allocated are automatically tracked, but ``rcu_head`` structures
1620ccc9971eSMauro Carvalho Chehab   allocated on the stack must be initialized with
1621ccc9971eSMauro Carvalho Chehab   ``init_rcu_head_on_stack()`` and cleaned up with
1622ccc9971eSMauro Carvalho Chehab   ``destroy_rcu_head_on_stack()``. Similarly, statically allocated
1623ccc9971eSMauro Carvalho Chehab   non-stack ``rcu_head`` structures must be initialized with
1624ccc9971eSMauro Carvalho Chehab   ``init_rcu_head()`` and cleaned up with ``destroy_rcu_head()``.
1625ccc9971eSMauro Carvalho Chehab   Mathieu Desnoyers made me aware of this requirement, and also
1626ccc9971eSMauro Carvalho Chehab   supplied the needed
1627ccc9971eSMauro Carvalho Chehab   `patch <https://lkml.kernel.org/g/20100319013024.GA28456@Krystal>`__.
1628ccc9971eSMauro Carvalho Chehab#. An infinite loop in an RCU read-side critical section will eventually
1629ccc9971eSMauro Carvalho Chehab   trigger an RCU CPU stall warning splat, with the duration of
1630ccc9971eSMauro Carvalho Chehab   “eventually” being controlled by the ``RCU_CPU_STALL_TIMEOUT``
1631ccc9971eSMauro Carvalho Chehab   ``Kconfig`` option, or, alternatively, by the
1632ccc9971eSMauro Carvalho Chehab   ``rcupdate.rcu_cpu_stall_timeout`` boot/sysfs parameter. However, RCU
1633ccc9971eSMauro Carvalho Chehab   is not obligated to produce this splat unless there is a grace period
1634ccc9971eSMauro Carvalho Chehab   waiting on that particular RCU read-side critical section.
1635ccc9971eSMauro Carvalho Chehab
1636ccc9971eSMauro Carvalho Chehab   Some extreme workloads might intentionally delay RCU grace periods,
1637ccc9971eSMauro Carvalho Chehab   and systems running those workloads can be booted with
1638ccc9971eSMauro Carvalho Chehab   ``rcupdate.rcu_cpu_stall_suppress`` to suppress the splats. This
1639ccc9971eSMauro Carvalho Chehab   kernel parameter may also be set via ``sysfs``. Furthermore, RCU CPU
1640ccc9971eSMauro Carvalho Chehab   stall warnings are counter-productive during sysrq dumps and during
1641ccc9971eSMauro Carvalho Chehab   panics. RCU therefore supplies the ``rcu_sysrq_start()`` and
1642ccc9971eSMauro Carvalho Chehab   ``rcu_sysrq_end()`` API members to be called before and after long
1643ccc9971eSMauro Carvalho Chehab   sysrq dumps. RCU also supplies the ``rcu_panic()`` notifier that is
1644ccc9971eSMauro Carvalho Chehab   automatically invoked at the beginning of a panic to suppress further
1645ccc9971eSMauro Carvalho Chehab   RCU CPU stall warnings.
1646ccc9971eSMauro Carvalho Chehab
1647ccc9971eSMauro Carvalho Chehab   This requirement made itself known in the early 1990s, pretty much
1648ccc9971eSMauro Carvalho Chehab   the first time that it was necessary to debug a CPU stall. That said,
1649ccc9971eSMauro Carvalho Chehab   the initial implementation in DYNIX/ptx was quite generic in
1650ccc9971eSMauro Carvalho Chehab   comparison with that of Linux.
1651ccc9971eSMauro Carvalho Chehab
1652ccc9971eSMauro Carvalho Chehab#. Although it would be very good to detect pointers leaking out of RCU
1653ccc9971eSMauro Carvalho Chehab   read-side critical sections, there is currently no good way of doing
1654ccc9971eSMauro Carvalho Chehab   this. One complication is the need to distinguish between pointers
1655ccc9971eSMauro Carvalho Chehab   leaking and pointers that have been handed off from RCU to some other
1656ccc9971eSMauro Carvalho Chehab   synchronization mechanism, for example, reference counting.
1657ccc9971eSMauro Carvalho Chehab#. In kernels built with ``CONFIG_RCU_TRACE=y``, RCU-related information
1658ccc9971eSMauro Carvalho Chehab   is provided via event tracing.
1659ccc9971eSMauro Carvalho Chehab#. Open-coded use of ``rcu_assign_pointer()`` and ``rcu_dereference()``
1660ccc9971eSMauro Carvalho Chehab   to create typical linked data structures can be surprisingly
1661ccc9971eSMauro Carvalho Chehab   error-prone. Therefore, RCU-protected `linked
1662ccc9971eSMauro Carvalho Chehab   lists <https://lwn.net/Articles/609973/#RCU%20List%20APIs>`__ and,
1663ccc9971eSMauro Carvalho Chehab   more recently, RCU-protected `hash
1664ccc9971eSMauro Carvalho Chehab   tables <https://lwn.net/Articles/612100/>`__ are available. Many
1665ccc9971eSMauro Carvalho Chehab   other special-purpose RCU-protected data structures are available in
1666ccc9971eSMauro Carvalho Chehab   the Linux kernel and the userspace RCU library.
1667ccc9971eSMauro Carvalho Chehab#. Some linked structures are created at compile time, but still require
1668ccc9971eSMauro Carvalho Chehab   ``__rcu`` checking. The ``RCU_POINTER_INITIALIZER()`` macro serves
1669ccc9971eSMauro Carvalho Chehab   this purpose.
1670ccc9971eSMauro Carvalho Chehab#. It is not necessary to use ``rcu_assign_pointer()`` when creating
1671ccc9971eSMauro Carvalho Chehab   linked structures that are to be published via a single external
1672ccc9971eSMauro Carvalho Chehab   pointer. The ``RCU_INIT_POINTER()`` macro is provided for this task
1673ccc9971eSMauro Carvalho Chehab   and also for assigning ``NULL`` pointers at runtime.
1674ccc9971eSMauro Carvalho Chehab
1675ccc9971eSMauro Carvalho ChehabThis not a hard-and-fast list: RCU's diagnostic capabilities will
1676ccc9971eSMauro Carvalho Chehabcontinue to be guided by the number and type of usage bugs found in
1677ccc9971eSMauro Carvalho Chehabreal-world RCU usage.
1678ccc9971eSMauro Carvalho Chehab
1679ccc9971eSMauro Carvalho ChehabLinux Kernel Complications
1680ccc9971eSMauro Carvalho Chehab--------------------------
1681ccc9971eSMauro Carvalho Chehab
1682ccc9971eSMauro Carvalho ChehabThe Linux kernel provides an interesting environment for all kinds of
1683ccc9971eSMauro Carvalho Chehabsoftware, including RCU. Some of the relevant points of interest are as
1684ccc9971eSMauro Carvalho Chehabfollows:
1685ccc9971eSMauro Carvalho Chehab
168607335c16SJoel Fernandes (Google)#. `Configuration`_
168707335c16SJoel Fernandes (Google)#. `Firmware Interface`_
168807335c16SJoel Fernandes (Google)#. `Early Boot`_
168907335c16SJoel Fernandes (Google)#. `Interrupts and NMIs`_
169007335c16SJoel Fernandes (Google)#. `Loadable Modules`_
169107335c16SJoel Fernandes (Google)#. `Hotplug CPU`_
169207335c16SJoel Fernandes (Google)#. `Scheduler and RCU`_
169307335c16SJoel Fernandes (Google)#. `Tracing and RCU`_
169471cb46aeSJoel Fernandes (Google)#. `Accesses to User Memory and RCU`_
169507335c16SJoel Fernandes (Google)#. `Energy Efficiency`_
169607335c16SJoel Fernandes (Google)#. `Scheduling-Clock Interrupts and RCU`_
169707335c16SJoel Fernandes (Google)#. `Memory Efficiency`_
169807335c16SJoel Fernandes (Google)#. `Performance, Scalability, Response Time, and Reliability`_
1699ccc9971eSMauro Carvalho Chehab
1700ccc9971eSMauro Carvalho ChehabThis list is probably incomplete, but it does give a feel for the most
1701ccc9971eSMauro Carvalho Chehabnotable Linux-kernel complications. Each of the following sections
1702ccc9971eSMauro Carvalho Chehabcovers one of the above topics.
1703ccc9971eSMauro Carvalho Chehab
1704ccc9971eSMauro Carvalho ChehabConfiguration
1705ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~
1706ccc9971eSMauro Carvalho Chehab
1707ccc9971eSMauro Carvalho ChehabRCU's goal is automatic configuration, so that almost nobody needs to
1708ccc9971eSMauro Carvalho Chehabworry about RCU's ``Kconfig`` options. And for almost all users, RCU
1709ccc9971eSMauro Carvalho Chehabdoes in fact work well “out of the box.”
1710ccc9971eSMauro Carvalho Chehab
1711ccc9971eSMauro Carvalho ChehabHowever, there are specialized use cases that are handled by kernel boot
1712ccc9971eSMauro Carvalho Chehabparameters and ``Kconfig`` options. Unfortunately, the ``Kconfig``
1713ccc9971eSMauro Carvalho Chehabsystem will explicitly ask users about new ``Kconfig`` options, which
1714ccc9971eSMauro Carvalho Chehabrequires almost all of them be hidden behind a ``CONFIG_RCU_EXPERT``
1715ccc9971eSMauro Carvalho Chehab``Kconfig`` option.
1716ccc9971eSMauro Carvalho Chehab
1717ccc9971eSMauro Carvalho ChehabThis all should be quite obvious, but the fact remains that Linus
1718ccc9971eSMauro Carvalho ChehabTorvalds recently had to
1719ccc9971eSMauro Carvalho Chehab`remind <https://lkml.kernel.org/g/CA+55aFy4wcCwaL4okTs8wXhGZ5h-ibecy_Meg9C4MNQrUnwMcg@mail.gmail.com>`__
1720ccc9971eSMauro Carvalho Chehabme of this requirement.
1721ccc9971eSMauro Carvalho Chehab
1722ccc9971eSMauro Carvalho ChehabFirmware Interface
1723ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~
1724ccc9971eSMauro Carvalho Chehab
1725ccc9971eSMauro Carvalho ChehabIn many cases, kernel obtains information about the system from the
1726ccc9971eSMauro Carvalho Chehabfirmware, and sometimes things are lost in translation. Or the
1727ccc9971eSMauro Carvalho Chehabtranslation is accurate, but the original message is bogus.
1728ccc9971eSMauro Carvalho Chehab
1729ccc9971eSMauro Carvalho ChehabFor example, some systems' firmware overreports the number of CPUs,
1730ccc9971eSMauro Carvalho Chehabsometimes by a large factor. If RCU naively believed the firmware, as it
1731ccc9971eSMauro Carvalho Chehabused to do, it would create too many per-CPU kthreads. Although the
1732ccc9971eSMauro Carvalho Chehabresulting system will still run correctly, the extra kthreads needlessly
1733ccc9971eSMauro Carvalho Chehabconsume memory and can cause confusion when they show up in ``ps``
1734ccc9971eSMauro Carvalho Chehablistings.
1735ccc9971eSMauro Carvalho Chehab
1736ccc9971eSMauro Carvalho ChehabRCU must therefore wait for a given CPU to actually come online before
1737ccc9971eSMauro Carvalho Chehabit can allow itself to believe that the CPU actually exists. The
1738ccc9971eSMauro Carvalho Chehabresulting “ghost CPUs” (which are never going to come online) cause a
1739ccc9971eSMauro Carvalho Chehabnumber of `interesting
1740ccc9971eSMauro Carvalho Chehabcomplications <https://paulmck.livejournal.com/37494.html>`__.
1741ccc9971eSMauro Carvalho Chehab
1742ccc9971eSMauro Carvalho ChehabEarly Boot
1743ccc9971eSMauro Carvalho Chehab~~~~~~~~~~
1744ccc9971eSMauro Carvalho Chehab
1745ccc9971eSMauro Carvalho ChehabThe Linux kernel's boot sequence is an interesting process, and RCU is
1746ccc9971eSMauro Carvalho Chehabused early, even before ``rcu_init()`` is invoked. In fact, a number of
1747ccc9971eSMauro Carvalho ChehabRCU's primitives can be used as soon as the initial task's
1748ccc9971eSMauro Carvalho Chehab``task_struct`` is available and the boot CPU's per-CPU variables are
1749ccc9971eSMauro Carvalho Chehabset up. The read-side primitives (``rcu_read_lock()``,
1750ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()``, ``rcu_dereference()``, and
1751ccc9971eSMauro Carvalho Chehab``rcu_access_pointer()``) will operate normally very early on, as will
1752ccc9971eSMauro Carvalho Chehab``rcu_assign_pointer()``.
1753ccc9971eSMauro Carvalho Chehab
1754ccc9971eSMauro Carvalho ChehabAlthough ``call_rcu()`` may be invoked at any time during boot,
1755ccc9971eSMauro Carvalho Chehabcallbacks are not guaranteed to be invoked until after all of RCU's
1756ccc9971eSMauro Carvalho Chehabkthreads have been spawned, which occurs at ``early_initcall()`` time.
1757ccc9971eSMauro Carvalho ChehabThis delay in callback invocation is due to the fact that RCU does not
1758ccc9971eSMauro Carvalho Chehabinvoke callbacks until it is fully initialized, and this full
1759ccc9971eSMauro Carvalho Chehabinitialization cannot occur until after the scheduler has initialized
1760ccc9971eSMauro Carvalho Chehabitself to the point where RCU can spawn and run its kthreads. In theory,
1761ccc9971eSMauro Carvalho Chehabit would be possible to invoke callbacks earlier, however, this is not a
1762ccc9971eSMauro Carvalho Chehabpanacea because there would be severe restrictions on what operations
1763ccc9971eSMauro Carvalho Chehabthose callbacks could invoke.
1764ccc9971eSMauro Carvalho Chehab
1765ccc9971eSMauro Carvalho ChehabPerhaps surprisingly, ``synchronize_rcu()`` and
1766ccc9971eSMauro Carvalho Chehab``synchronize_rcu_expedited()``, will operate normally during very early
1767ccc9971eSMauro Carvalho Chehabboot, the reason being that there is only one CPU and preemption is
1768ccc9971eSMauro Carvalho Chehabdisabled. This means that the call ``synchronize_rcu()`` (or friends)
1769ccc9971eSMauro Carvalho Chehabitself is a quiescent state and thus a grace period, so the early-boot
1770ccc9971eSMauro Carvalho Chehabimplementation can be a no-op.
1771ccc9971eSMauro Carvalho Chehab
1772ccc9971eSMauro Carvalho ChehabHowever, once the scheduler has spawned its first kthread, this early
1773ccc9971eSMauro Carvalho Chehabboot trick fails for ``synchronize_rcu()`` (as well as for
1774ccc9971eSMauro Carvalho Chehab``synchronize_rcu_expedited()``) in ``CONFIG_PREEMPT=y`` kernels. The
1775ccc9971eSMauro Carvalho Chehabreason is that an RCU read-side critical section might be preempted,
1776ccc9971eSMauro Carvalho Chehabwhich means that a subsequent ``synchronize_rcu()`` really does have to
1777ccc9971eSMauro Carvalho Chehabwait for something, as opposed to simply returning immediately.
1778ccc9971eSMauro Carvalho ChehabUnfortunately, ``synchronize_rcu()`` can't do this until all of its
1779ccc9971eSMauro Carvalho Chehabkthreads are spawned, which doesn't happen until some time during
1780ccc9971eSMauro Carvalho Chehab``early_initcalls()`` time. But this is no excuse: RCU is nevertheless
1781ccc9971eSMauro Carvalho Chehabrequired to correctly handle synchronous grace periods during this time
1782ccc9971eSMauro Carvalho Chehabperiod. Once all of its kthreads are up and running, RCU starts running
1783ccc9971eSMauro Carvalho Chehabnormally.
1784ccc9971eSMauro Carvalho Chehab
1785ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1786ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
1787ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1788ccc9971eSMauro Carvalho Chehab| How can RCU possibly handle grace periods before all of its kthreads  |
1789ccc9971eSMauro Carvalho Chehab| have been spawned???                                                  |
1790ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1791ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
1792ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1793ccc9971eSMauro Carvalho Chehab| Very carefully!                                                       |
1794ccc9971eSMauro Carvalho Chehab| During the “dead zone” between the time that the scheduler spawns the |
1795ccc9971eSMauro Carvalho Chehab| first task and the time that all of RCU's kthreads have been spawned, |
1796ccc9971eSMauro Carvalho Chehab| all synchronous grace periods are handled by the expedited            |
1797ccc9971eSMauro Carvalho Chehab| grace-period mechanism. At runtime, this expedited mechanism relies   |
1798ccc9971eSMauro Carvalho Chehab| on workqueues, but during the dead zone the requesting task itself    |
1799ccc9971eSMauro Carvalho Chehab| drives the desired expedited grace period. Because dead-zone          |
1800ccc9971eSMauro Carvalho Chehab| execution takes place within task context, everything works. Once the |
1801ccc9971eSMauro Carvalho Chehab| dead zone ends, expedited grace periods go back to using workqueues,  |
1802ccc9971eSMauro Carvalho Chehab| as is required to avoid problems that would otherwise occur when a    |
1803ccc9971eSMauro Carvalho Chehab| user task received a POSIX signal while driving an expedited grace    |
1804ccc9971eSMauro Carvalho Chehab| period.                                                               |
1805ccc9971eSMauro Carvalho Chehab|                                                                       |
1806ccc9971eSMauro Carvalho Chehab| And yes, this does mean that it is unhelpful to send POSIX signals to |
1807ccc9971eSMauro Carvalho Chehab| random tasks between the time that the scheduler spawns its first     |
1808ccc9971eSMauro Carvalho Chehab| kthread and the time that RCU's kthreads have all been spawned. If    |
1809ccc9971eSMauro Carvalho Chehab| there ever turns out to be a good reason for sending POSIX signals    |
1810ccc9971eSMauro Carvalho Chehab| during that time, appropriate adjustments will be made. (If it turns  |
1811ccc9971eSMauro Carvalho Chehab| out that POSIX signals are sent during this time for no good reason,  |
1812ccc9971eSMauro Carvalho Chehab| other adjustments will be made, appropriate or otherwise.)            |
1813ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1814ccc9971eSMauro Carvalho Chehab
1815ccc9971eSMauro Carvalho ChehabI learned of these boot-time requirements as a result of a series of
1816ccc9971eSMauro Carvalho Chehabsystem hangs.
1817ccc9971eSMauro Carvalho Chehab
1818ccc9971eSMauro Carvalho ChehabInterrupts and NMIs
1819ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~
1820ccc9971eSMauro Carvalho Chehab
1821ccc9971eSMauro Carvalho ChehabThe Linux kernel has interrupts, and RCU read-side critical sections are
1822ccc9971eSMauro Carvalho Chehablegal within interrupt handlers and within interrupt-disabled regions of
1823ccc9971eSMauro Carvalho Chehabcode, as are invocations of ``call_rcu()``.
1824ccc9971eSMauro Carvalho Chehab
1825ccc9971eSMauro Carvalho ChehabSome Linux-kernel architectures can enter an interrupt handler from
1826ccc9971eSMauro Carvalho Chehabnon-idle process context, and then just never leave it, instead
1827ccc9971eSMauro Carvalho Chehabstealthily transitioning back to process context. This trick is
1828ccc9971eSMauro Carvalho Chehabsometimes used to invoke system calls from inside the kernel. These
1829ccc9971eSMauro Carvalho Chehab“half-interrupts” mean that RCU has to be very careful about how it
1830ccc9971eSMauro Carvalho Chehabcounts interrupt nesting levels. I learned of this requirement the hard
1831ccc9971eSMauro Carvalho Chehabway during a rewrite of RCU's dyntick-idle code.
1832ccc9971eSMauro Carvalho Chehab
1833ccc9971eSMauro Carvalho ChehabThe Linux kernel has non-maskable interrupts (NMIs), and RCU read-side
1834ccc9971eSMauro Carvalho Chehabcritical sections are legal within NMI handlers. Thankfully, RCU
1835ccc9971eSMauro Carvalho Chehabupdate-side primitives, including ``call_rcu()``, are prohibited within
1836ccc9971eSMauro Carvalho ChehabNMI handlers.
1837ccc9971eSMauro Carvalho Chehab
1838ccc9971eSMauro Carvalho ChehabThe name notwithstanding, some Linux-kernel architectures can have
1839ccc9971eSMauro Carvalho Chehabnested NMIs, which RCU must handle correctly. Andy Lutomirski `surprised
1840ccc9971eSMauro Carvalho Chehabme <https://lkml.kernel.org/r/CALCETrXLq1y7e_dKFPgou-FKHB6Pu-r8+t-6Ds+8=va7anBWDA@mail.gmail.com>`__
1841ccc9971eSMauro Carvalho Chehabwith this requirement; he also kindly surprised me with `an
1842ccc9971eSMauro Carvalho Chehabalgorithm <https://lkml.kernel.org/r/CALCETrXSY9JpW3uE6H8WYk81sg56qasA2aqmjMPsq5dOtzso=g@mail.gmail.com>`__
1843ccc9971eSMauro Carvalho Chehabthat meets this requirement.
1844ccc9971eSMauro Carvalho Chehab
1845ccc9971eSMauro Carvalho ChehabFurthermore, NMI handlers can be interrupted by what appear to RCU to be
1846ccc9971eSMauro Carvalho Chehabnormal interrupts. One way that this can happen is for code that
1847ccc9971eSMauro Carvalho Chehabdirectly invokes ``rcu_irq_enter()`` and ``rcu_irq_exit()`` to be called
1848ccc9971eSMauro Carvalho Chehabfrom an NMI handler. This astonishing fact of life prompted the current
1849ccc9971eSMauro Carvalho Chehabcode structure, which has ``rcu_irq_enter()`` invoking
1850ccc9971eSMauro Carvalho Chehab``rcu_nmi_enter()`` and ``rcu_irq_exit()`` invoking ``rcu_nmi_exit()``.
1851ccc9971eSMauro Carvalho ChehabAnd yes, I also learned of this requirement the hard way.
1852ccc9971eSMauro Carvalho Chehab
1853ccc9971eSMauro Carvalho ChehabLoadable Modules
1854ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~
1855ccc9971eSMauro Carvalho Chehab
1856ccc9971eSMauro Carvalho ChehabThe Linux kernel has loadable modules, and these modules can also be
1857ccc9971eSMauro Carvalho Chehabunloaded. After a given module has been unloaded, any attempt to call
1858ccc9971eSMauro Carvalho Chehabone of its functions results in a segmentation fault. The module-unload
1859ccc9971eSMauro Carvalho Chehabfunctions must therefore cancel any delayed calls to loadable-module
1860ccc9971eSMauro Carvalho Chehabfunctions, for example, any outstanding ``mod_timer()`` must be dealt
1861ccc9971eSMauro Carvalho Chehabwith via ``del_timer_sync()`` or similar.
1862ccc9971eSMauro Carvalho Chehab
1863ccc9971eSMauro Carvalho ChehabUnfortunately, there is no way to cancel an RCU callback; once you
1864ccc9971eSMauro Carvalho Chehabinvoke ``call_rcu()``, the callback function is eventually going to be
1865ccc9971eSMauro Carvalho Chehabinvoked, unless the system goes down first. Because it is normally
1866ccc9971eSMauro Carvalho Chehabconsidered socially irresponsible to crash the system in response to a
1867ccc9971eSMauro Carvalho Chehabmodule unload request, we need some other way to deal with in-flight RCU
1868ccc9971eSMauro Carvalho Chehabcallbacks.
1869ccc9971eSMauro Carvalho Chehab
1870ccc9971eSMauro Carvalho ChehabRCU therefore provides ``rcu_barrier()``, which waits until all
1871ccc9971eSMauro Carvalho Chehabin-flight RCU callbacks have been invoked. If a module uses
1872ccc9971eSMauro Carvalho Chehab``call_rcu()``, its exit function should therefore prevent any future
1873ccc9971eSMauro Carvalho Chehabinvocation of ``call_rcu()``, then invoke ``rcu_barrier()``. In theory,
1874ccc9971eSMauro Carvalho Chehabthe underlying module-unload code could invoke ``rcu_barrier()``
1875ccc9971eSMauro Carvalho Chehabunconditionally, but in practice this would incur unacceptable
1876ccc9971eSMauro Carvalho Chehablatencies.
1877ccc9971eSMauro Carvalho Chehab
1878ccc9971eSMauro Carvalho ChehabNikita Danilov noted this requirement for an analogous
1879ccc9971eSMauro Carvalho Chehabfilesystem-unmount situation, and Dipankar Sarma incorporated
1880ccc9971eSMauro Carvalho Chehab``rcu_barrier()`` into RCU. The need for ``rcu_barrier()`` for module
1881ccc9971eSMauro Carvalho Chehabunloading became apparent later.
1882ccc9971eSMauro Carvalho Chehab
1883ccc9971eSMauro Carvalho Chehab.. important::
1884ccc9971eSMauro Carvalho Chehab
1885ccc9971eSMauro Carvalho Chehab   The ``rcu_barrier()`` function is not, repeat,
1886ccc9971eSMauro Carvalho Chehab   *not*, obligated to wait for a grace period. It is instead only required
1887ccc9971eSMauro Carvalho Chehab   to wait for RCU callbacks that have already been posted. Therefore, if
1888ccc9971eSMauro Carvalho Chehab   there are no RCU callbacks posted anywhere in the system,
1889ccc9971eSMauro Carvalho Chehab   ``rcu_barrier()`` is within its rights to return immediately. Even if
1890ccc9971eSMauro Carvalho Chehab   there are callbacks posted, ``rcu_barrier()`` does not necessarily need
1891ccc9971eSMauro Carvalho Chehab   to wait for a grace period.
1892ccc9971eSMauro Carvalho Chehab
1893ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1894ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
1895ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1896ccc9971eSMauro Carvalho Chehab| Wait a minute! Each RCU callbacks must wait for a grace period to     |
1897ccc9971eSMauro Carvalho Chehab| complete, and ``rcu_barrier()`` must wait for each pre-existing       |
1898ccc9971eSMauro Carvalho Chehab| callback to be invoked. Doesn't ``rcu_barrier()`` therefore need to   |
1899ccc9971eSMauro Carvalho Chehab| wait for a full grace period if there is even one callback posted     |
1900ccc9971eSMauro Carvalho Chehab| anywhere in the system?                                               |
1901ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1902ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
1903ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1904ccc9971eSMauro Carvalho Chehab| Absolutely not!!!                                                     |
1905ccc9971eSMauro Carvalho Chehab| Yes, each RCU callbacks must wait for a grace period to complete, but |
1906ccc9971eSMauro Carvalho Chehab| it might well be partly (or even completely) finished waiting by the  |
1907ccc9971eSMauro Carvalho Chehab| time ``rcu_barrier()`` is invoked. In that case, ``rcu_barrier()``    |
1908ccc9971eSMauro Carvalho Chehab| need only wait for the remaining portion of the grace period to       |
1909ccc9971eSMauro Carvalho Chehab| elapse. So even if there are quite a few callbacks posted,            |
1910ccc9971eSMauro Carvalho Chehab| ``rcu_barrier()`` might well return quite quickly.                    |
1911ccc9971eSMauro Carvalho Chehab|                                                                       |
1912ccc9971eSMauro Carvalho Chehab| So if you need to wait for a grace period as well as for all          |
1913ccc9971eSMauro Carvalho Chehab| pre-existing callbacks, you will need to invoke both                  |
1914ccc9971eSMauro Carvalho Chehab| ``synchronize_rcu()`` and ``rcu_barrier()``. If latency is a concern, |
1915ccc9971eSMauro Carvalho Chehab| you can always use workqueues to invoke them concurrently.            |
1916ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
1917ccc9971eSMauro Carvalho Chehab
1918ccc9971eSMauro Carvalho ChehabHotplug CPU
1919ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~
1920ccc9971eSMauro Carvalho Chehab
1921ccc9971eSMauro Carvalho ChehabThe Linux kernel supports CPU hotplug, which means that CPUs can come
1922ccc9971eSMauro Carvalho Chehaband go. It is of course illegal to use any RCU API member from an
1923ccc9971eSMauro Carvalho Chehaboffline CPU, with the exception of `SRCU <#Sleepable%20RCU>`__ read-side
1924ccc9971eSMauro Carvalho Chehabcritical sections. This requirement was present from day one in
1925ccc9971eSMauro Carvalho ChehabDYNIX/ptx, but on the other hand, the Linux kernel's CPU-hotplug
1926ccc9971eSMauro Carvalho Chehabimplementation is “interesting.”
1927ccc9971eSMauro Carvalho Chehab
1928ccc9971eSMauro Carvalho ChehabThe Linux-kernel CPU-hotplug implementation has notifiers that are used
1929ccc9971eSMauro Carvalho Chehabto allow the various kernel subsystems (including RCU) to respond
1930ccc9971eSMauro Carvalho Chehabappropriately to a given CPU-hotplug operation. Most RCU operations may
1931ccc9971eSMauro Carvalho Chehabbe invoked from CPU-hotplug notifiers, including even synchronous
1932a0432607SJoel Fernandes (Google)grace-period operations such as (``synchronize_rcu()`` and
1933a0432607SJoel Fernandes (Google)``synchronize_rcu_expedited()``).  However, these synchronous operations
1934a0432607SJoel Fernandes (Google)do block and therefore cannot be invoked from notifiers that execute via
1935a0432607SJoel Fernandes (Google)``stop_machine()``, specifically those between the ``CPUHP_AP_OFFLINE``
1936a0432607SJoel Fernandes (Google)and ``CPUHP_AP_ONLINE`` states.
1937ccc9971eSMauro Carvalho Chehab
1938a0432607SJoel Fernandes (Google)In addition, all-callback-wait operations such as ``rcu_barrier()`` may
1939a0432607SJoel Fernandes (Google)not be invoked from any CPU-hotplug notifier.  This restriction is due
1940a0432607SJoel Fernandes (Google)to the fact that there are phases of CPU-hotplug operations where the
1941a0432607SJoel Fernandes (Google)outgoing CPU's callbacks will not be invoked until after the CPU-hotplug
1942a0432607SJoel Fernandes (Google)operation ends, which could also result in deadlock. Furthermore,
1943a0432607SJoel Fernandes (Google)``rcu_barrier()`` blocks CPU-hotplug operations during its execution,
1944a0432607SJoel Fernandes (Google)which results in another type of deadlock when invoked from a CPU-hotplug
1945a0432607SJoel Fernandes (Google)notifier.
1946a0432607SJoel Fernandes (Google)
1947a0432607SJoel Fernandes (Google)Finally, RCU must avoid deadlocks due to interaction between hotplug,
1948a0432607SJoel Fernandes (Google)timers and grace period processing. It does so by maintaining its own set
1949a0432607SJoel Fernandes (Google)of books that duplicate the centrally maintained ``cpu_online_mask``,
1950a0432607SJoel Fernandes (Google)and also by reporting quiescent states explicitly when a CPU goes
1951a0432607SJoel Fernandes (Google)offline.  This explicit reporting of quiescent states avoids any need
1952a0432607SJoel Fernandes (Google)for the force-quiescent-state loop (FQS) to report quiescent states for
1953a0432607SJoel Fernandes (Google)offline CPUs.  However, as a debugging measure, the FQS loop does splat
1954a0432607SJoel Fernandes (Google)if offline CPUs block an RCU grace period for too long.
1955a0432607SJoel Fernandes (Google)
1956a0432607SJoel Fernandes (Google)An offline CPU's quiescent state will be reported either:
1957*a1b9dbb7SMauro Carvalho Chehab
1958a0432607SJoel Fernandes (Google)1.  As the CPU goes offline using RCU's hotplug notifier (``rcu_report_dead()``).
1959a0432607SJoel Fernandes (Google)2.  When grace period initialization (``rcu_gp_init()``) detects a
1960a0432607SJoel Fernandes (Google)    race either with CPU offlining or with a task unblocking on a leaf
1961a0432607SJoel Fernandes (Google)    ``rcu_node`` structure whose CPUs are all offline.
1962a0432607SJoel Fernandes (Google)
1963a0432607SJoel Fernandes (Google)The CPU-online path (``rcu_cpu_starting()``) should never need to report
1964a0432607SJoel Fernandes (Google)a quiescent state for an offline CPU.  However, as a debugging measure,
1965a0432607SJoel Fernandes (Google)it does emit a warning if a quiescent state was not already reported
1966a0432607SJoel Fernandes (Google)for that CPU.
1967a0432607SJoel Fernandes (Google)
1968a0432607SJoel Fernandes (Google)During the checking/modification of RCU's hotplug bookkeeping, the
1969a0432607SJoel Fernandes (Google)corresponding CPU's leaf node lock is held. This avoids race conditions
1970a0432607SJoel Fernandes (Google)between RCU's hotplug notifier hooks, the grace period initialization
1971a0432607SJoel Fernandes (Google)code, and the FQS loop, all of which refer to or modify this bookkeeping.
1972ccc9971eSMauro Carvalho Chehab
1973ccc9971eSMauro Carvalho ChehabScheduler and RCU
1974ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~
1975ccc9971eSMauro Carvalho Chehab
1976e4453d8aSPaul E. McKenneyRCU makes use of kthreads, and it is necessary to avoid excessive CPU-time
1977e4453d8aSPaul E. McKenneyaccumulation by these kthreads. This requirement was no surprise, but
1978e4453d8aSPaul E. McKenneyRCU's violation of it when running context-switch-heavy workloads when
1979e4453d8aSPaul E. McKenneybuilt with ``CONFIG_NO_HZ_FULL=y`` `did come as a surprise
1980ccc9971eSMauro Carvalho Chehab[PDF] <http://www.rdrop.com/users/paulmck/scalability/paper/BareMetal.2015.01.15b.pdf>`__.
1981ccc9971eSMauro Carvalho ChehabRCU has made good progress towards meeting this requirement, even for
1982ccc9971eSMauro Carvalho Chehabcontext-switch-heavy ``CONFIG_NO_HZ_FULL=y`` workloads, but there is
1983ccc9971eSMauro Carvalho Chehabroom for further improvement.
1984ccc9971eSMauro Carvalho Chehab
1985e4453d8aSPaul E. McKenneyThere is no longer any prohibition against holding any of
1986e4453d8aSPaul E. McKenneyscheduler's runqueue or priority-inheritance spinlocks across an
1987e4453d8aSPaul E. McKenney``rcu_read_unlock()``, even if interrupts and preemption were enabled
1988e4453d8aSPaul E. McKenneysomewhere within the corresponding RCU read-side critical section.
1989e4453d8aSPaul E. McKenneyTherefore, it is now perfectly legal to execute ``rcu_read_lock()``
1990e4453d8aSPaul E. McKenneywith preemption enabled, acquire one of the scheduler locks, and hold
1991e4453d8aSPaul E. McKenneythat lock across the matching ``rcu_read_unlock()``.
1992ccc9971eSMauro Carvalho Chehab
1993e4453d8aSPaul E. McKenneySimilarly, the RCU flavor consolidation has removed the need for negative
1994e4453d8aSPaul E. McKenneynesting.  The fact that interrupt-disabled regions of code act as RCU
1995e4453d8aSPaul E. McKenneyread-side critical sections implicitly avoids earlier issues that used
1996e4453d8aSPaul E. McKenneyto result in destructive recursion via interrupt handler's use of RCU.
1997ccc9971eSMauro Carvalho Chehab
1998ccc9971eSMauro Carvalho ChehabTracing and RCU
1999ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~
2000ccc9971eSMauro Carvalho Chehab
2001ccc9971eSMauro Carvalho ChehabIt is possible to use tracing on RCU code, but tracing itself uses RCU.
2002d7424e28SJoel Fernandes (Google)For this reason, ``rcu_dereference_raw_check()`` is provided for use
2003ccc9971eSMauro Carvalho Chehabby tracing, which avoids the destructive recursion that could otherwise
2004ccc9971eSMauro Carvalho Chehabensue. This API is also used by virtualization in some architectures,
2005ccc9971eSMauro Carvalho Chehabwhere RCU readers execute in environments in which tracing cannot be
2006ccc9971eSMauro Carvalho Chehabused. The tracing folks both located the requirement and provided the
2007ccc9971eSMauro Carvalho Chehabneeded fix, so this surprise requirement was relatively painless.
2008ccc9971eSMauro Carvalho Chehab
200971cb46aeSJoel Fernandes (Google)Accesses to User Memory and RCU
201071cb46aeSJoel Fernandes (Google)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
201171cb46aeSJoel Fernandes (Google)
201271cb46aeSJoel Fernandes (Google)The kernel needs to access user-space memory, for example, to access data
201371cb46aeSJoel Fernandes (Google)referenced by system-call parameters.  The ``get_user()`` macro does this job.
201471cb46aeSJoel Fernandes (Google)
201571cb46aeSJoel Fernandes (Google)However, user-space memory might well be paged out, which means that
201671cb46aeSJoel Fernandes (Google)``get_user()`` might well page-fault and thus block while waiting for the
201771cb46aeSJoel Fernandes (Google)resulting I/O to complete.  It would be a very bad thing for the compiler to
201871cb46aeSJoel Fernandes (Google)reorder a ``get_user()`` invocation into an RCU read-side critical section.
201971cb46aeSJoel Fernandes (Google)
202071cb46aeSJoel Fernandes (Google)For example, suppose that the source code looked like this:
202171cb46aeSJoel Fernandes (Google)
202271cb46aeSJoel Fernandes (Google)  ::
202371cb46aeSJoel Fernandes (Google)
202471cb46aeSJoel Fernandes (Google)       1 rcu_read_lock();
202571cb46aeSJoel Fernandes (Google)       2 p = rcu_dereference(gp);
202671cb46aeSJoel Fernandes (Google)       3 v = p->value;
202771cb46aeSJoel Fernandes (Google)       4 rcu_read_unlock();
202871cb46aeSJoel Fernandes (Google)       5 get_user(user_v, user_p);
202971cb46aeSJoel Fernandes (Google)       6 do_something_with(v, user_v);
203071cb46aeSJoel Fernandes (Google)
203171cb46aeSJoel Fernandes (Google)The compiler must not be permitted to transform this source code into
203271cb46aeSJoel Fernandes (Google)the following:
203371cb46aeSJoel Fernandes (Google)
203471cb46aeSJoel Fernandes (Google)  ::
203571cb46aeSJoel Fernandes (Google)
203671cb46aeSJoel Fernandes (Google)       1 rcu_read_lock();
203771cb46aeSJoel Fernandes (Google)       2 p = rcu_dereference(gp);
203871cb46aeSJoel Fernandes (Google)       3 get_user(user_v, user_p); // BUG: POSSIBLE PAGE FAULT!!!
203971cb46aeSJoel Fernandes (Google)       4 v = p->value;
204071cb46aeSJoel Fernandes (Google)       5 rcu_read_unlock();
204171cb46aeSJoel Fernandes (Google)       6 do_something_with(v, user_v);
204271cb46aeSJoel Fernandes (Google)
204371cb46aeSJoel Fernandes (Google)If the compiler did make this transformation in a ``CONFIG_PREEMPT=n`` kernel
204471cb46aeSJoel Fernandes (Google)build, and if ``get_user()`` did page fault, the result would be a quiescent
204571cb46aeSJoel Fernandes (Google)state in the middle of an RCU read-side critical section.  This misplaced
204671cb46aeSJoel Fernandes (Google)quiescent state could result in line 4 being a use-after-free access,
204771cb46aeSJoel Fernandes (Google)which could be bad for your kernel's actuarial statistics.  Similar examples
204871cb46aeSJoel Fernandes (Google)can be constructed with the call to ``get_user()`` preceding the
204971cb46aeSJoel Fernandes (Google)``rcu_read_lock()``.
205071cb46aeSJoel Fernandes (Google)
205171cb46aeSJoel Fernandes (Google)Unfortunately, ``get_user()`` doesn't have any particular ordering properties,
205271cb46aeSJoel Fernandes (Google)and in some architectures the underlying ``asm`` isn't even marked
205371cb46aeSJoel Fernandes (Google)``volatile``.  And even if it was marked ``volatile``, the above access to
205471cb46aeSJoel Fernandes (Google)``p->value`` is not volatile, so the compiler would not have any reason to keep
205571cb46aeSJoel Fernandes (Google)those two accesses in order.
205671cb46aeSJoel Fernandes (Google)
205771cb46aeSJoel Fernandes (Google)Therefore, the Linux-kernel definitions of ``rcu_read_lock()`` and
205871cb46aeSJoel Fernandes (Google)``rcu_read_unlock()`` must act as compiler barriers, at least for outermost
205971cb46aeSJoel Fernandes (Google)instances of ``rcu_read_lock()`` and ``rcu_read_unlock()`` within a nested set
206071cb46aeSJoel Fernandes (Google)of RCU read-side critical sections.
206171cb46aeSJoel Fernandes (Google)
2062ccc9971eSMauro Carvalho ChehabEnergy Efficiency
2063ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~
2064ccc9971eSMauro Carvalho Chehab
2065ccc9971eSMauro Carvalho ChehabInterrupting idle CPUs is considered socially unacceptable, especially
2066ccc9971eSMauro Carvalho Chehabby people with battery-powered embedded systems. RCU therefore conserves
2067ccc9971eSMauro Carvalho Chehabenergy by detecting which CPUs are idle, including tracking CPUs that
2068ccc9971eSMauro Carvalho Chehabhave been interrupted from idle. This is a large part of the
2069ccc9971eSMauro Carvalho Chehabenergy-efficiency requirement, so I learned of this via an irate phone
2070ccc9971eSMauro Carvalho Chehabcall.
2071ccc9971eSMauro Carvalho Chehab
2072ccc9971eSMauro Carvalho ChehabBecause RCU avoids interrupting idle CPUs, it is illegal to execute an
2073ccc9971eSMauro Carvalho ChehabRCU read-side critical section on an idle CPU. (Kernels built with
2074ccc9971eSMauro Carvalho Chehab``CONFIG_PROVE_RCU=y`` will splat if you try it.) The ``RCU_NONIDLE()``
2075ccc9971eSMauro Carvalho Chehabmacro and ``_rcuidle`` event tracing is provided to work around this
2076ccc9971eSMauro Carvalho Chehabrestriction. In addition, ``rcu_is_watching()`` may be used to test
2077ccc9971eSMauro Carvalho Chehabwhether or not it is currently legal to run RCU read-side critical
2078ccc9971eSMauro Carvalho Chehabsections on this CPU. I learned of the need for diagnostics on the one
2079ccc9971eSMauro Carvalho Chehabhand and ``RCU_NONIDLE()`` on the other while inspecting idle-loop code.
2080ccc9971eSMauro Carvalho ChehabSteven Rostedt supplied ``_rcuidle`` event tracing, which is used quite
2081ccc9971eSMauro Carvalho Chehabheavily in the idle loop. However, there are some restrictions on the
2082ccc9971eSMauro Carvalho Chehabcode placed within ``RCU_NONIDLE()``:
2083ccc9971eSMauro Carvalho Chehab
2084ccc9971eSMauro Carvalho Chehab#. Blocking is prohibited. In practice, this is not a serious
2085ccc9971eSMauro Carvalho Chehab   restriction given that idle tasks are prohibited from blocking to
2086ccc9971eSMauro Carvalho Chehab   begin with.
2087ccc9971eSMauro Carvalho Chehab#. Although nesting ``RCU_NONIDLE()`` is permitted, they cannot nest
2088ccc9971eSMauro Carvalho Chehab   indefinitely deeply. However, given that they can be nested on the
2089ccc9971eSMauro Carvalho Chehab   order of a million deep, even on 32-bit systems, this should not be a
2090ccc9971eSMauro Carvalho Chehab   serious restriction. This nesting limit would probably be reached
2091ccc9971eSMauro Carvalho Chehab   long after the compiler OOMed or the stack overflowed.
2092ccc9971eSMauro Carvalho Chehab#. Any code path that enters ``RCU_NONIDLE()`` must sequence out of that
2093ccc9971eSMauro Carvalho Chehab   same ``RCU_NONIDLE()``. For example, the following is grossly
2094ccc9971eSMauro Carvalho Chehab   illegal:
2095ccc9971eSMauro Carvalho Chehab
2096ccc9971eSMauro Carvalho Chehab      ::
2097ccc9971eSMauro Carvalho Chehab
2098ccc9971eSMauro Carvalho Chehab	  1     RCU_NONIDLE({
2099ccc9971eSMauro Carvalho Chehab	  2       do_something();
2100ccc9971eSMauro Carvalho Chehab	  3       goto bad_idea;  /* BUG!!! */
2101ccc9971eSMauro Carvalho Chehab	  4       do_something_else();});
2102ccc9971eSMauro Carvalho Chehab	  5   bad_idea:
2103ccc9971eSMauro Carvalho Chehab
2104ccc9971eSMauro Carvalho Chehab
2105ccc9971eSMauro Carvalho Chehab   It is just as illegal to transfer control into the middle of
2106ccc9971eSMauro Carvalho Chehab   ``RCU_NONIDLE()``'s argument. Yes, in theory, you could transfer in
2107ccc9971eSMauro Carvalho Chehab   as long as you also transferred out, but in practice you could also
2108ccc9971eSMauro Carvalho Chehab   expect to get sharply worded review comments.
2109ccc9971eSMauro Carvalho Chehab
2110ccc9971eSMauro Carvalho ChehabIt is similarly socially unacceptable to interrupt an ``nohz_full`` CPU
2111ccc9971eSMauro Carvalho Chehabrunning in userspace. RCU must therefore track ``nohz_full`` userspace
2112ccc9971eSMauro Carvalho Chehabexecution. RCU must therefore be able to sample state at two points in
2113ccc9971eSMauro Carvalho Chehabtime, and be able to determine whether or not some other CPU spent any
2114ccc9971eSMauro Carvalho Chehabtime idle and/or executing in userspace.
2115ccc9971eSMauro Carvalho Chehab
2116ccc9971eSMauro Carvalho ChehabThese energy-efficiency requirements have proven quite difficult to
2117ccc9971eSMauro Carvalho Chehabunderstand and to meet, for example, there have been more than five
2118ccc9971eSMauro Carvalho Chehabclean-sheet rewrites of RCU's energy-efficiency code, the last of which
2119ccc9971eSMauro Carvalho Chehabwas finally able to demonstrate `real energy savings running on real
2120ccc9971eSMauro Carvalho Chehabhardware
2121ccc9971eSMauro Carvalho Chehab[PDF] <http://www.rdrop.com/users/paulmck/realtime/paper/AMPenergy.2013.04.19a.pdf>`__.
2122ccc9971eSMauro Carvalho ChehabAs noted earlier, I learned of many of these requirements via angry
2123ccc9971eSMauro Carvalho Chehabphone calls: Flaming me on the Linux-kernel mailing list was apparently
2124ccc9971eSMauro Carvalho Chehabnot sufficient to fully vent their ire at RCU's energy-efficiency bugs!
2125ccc9971eSMauro Carvalho Chehab
2126ccc9971eSMauro Carvalho ChehabScheduling-Clock Interrupts and RCU
2127ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2128ccc9971eSMauro Carvalho Chehab
2129ccc9971eSMauro Carvalho ChehabThe kernel transitions between in-kernel non-idle execution, userspace
2130ccc9971eSMauro Carvalho Chehabexecution, and the idle loop. Depending on kernel configuration, RCU
2131ccc9971eSMauro Carvalho Chehabhandles these states differently:
2132ccc9971eSMauro Carvalho Chehab
2133ccc9971eSMauro Carvalho Chehab+-----------------+------------------+------------------+-----------------+
2134ccc9971eSMauro Carvalho Chehab| ``HZ`` Kconfig  | In-Kernel        | Usermode         | Idle            |
2135ccc9971eSMauro Carvalho Chehab+=================+==================+==================+=================+
2136ccc9971eSMauro Carvalho Chehab| ``HZ_PERIODIC`` | Can rely on      | Can rely on      | Can rely on     |
2137ccc9971eSMauro Carvalho Chehab|                 | scheduling-clock | scheduling-clock | RCU's           |
2138ccc9971eSMauro Carvalho Chehab|                 | interrupt.       | interrupt and    | dyntick-idle    |
2139ccc9971eSMauro Carvalho Chehab|                 |                  | its detection    | detection.      |
2140ccc9971eSMauro Carvalho Chehab|                 |                  | of interrupt     |                 |
2141ccc9971eSMauro Carvalho Chehab|                 |                  | from usermode.   |                 |
2142ccc9971eSMauro Carvalho Chehab+-----------------+------------------+------------------+-----------------+
2143ccc9971eSMauro Carvalho Chehab| ``NO_HZ_IDLE``  | Can rely on      | Can rely on      | Can rely on     |
2144ccc9971eSMauro Carvalho Chehab|                 | scheduling-clock | scheduling-clock | RCU's           |
2145ccc9971eSMauro Carvalho Chehab|                 | interrupt.       | interrupt and    | dyntick-idle    |
2146ccc9971eSMauro Carvalho Chehab|                 |                  | its detection    | detection.      |
2147ccc9971eSMauro Carvalho Chehab|                 |                  | of interrupt     |                 |
2148ccc9971eSMauro Carvalho Chehab|                 |                  | from usermode.   |                 |
2149ccc9971eSMauro Carvalho Chehab+-----------------+------------------+------------------+-----------------+
2150ccc9971eSMauro Carvalho Chehab| ``NO_HZ_FULL``  | Can only         | Can rely on      | Can rely on     |
2151ccc9971eSMauro Carvalho Chehab|                 | sometimes rely   | RCU's            | RCU's           |
2152ccc9971eSMauro Carvalho Chehab|                 | on               | dyntick-idle     | dyntick-idle    |
2153ccc9971eSMauro Carvalho Chehab|                 | scheduling-clock | detection.       | detection.      |
2154ccc9971eSMauro Carvalho Chehab|                 | interrupt. In    |                  |                 |
2155ccc9971eSMauro Carvalho Chehab|                 | other cases, it  |                  |                 |
2156ccc9971eSMauro Carvalho Chehab|                 | is necessary to  |                  |                 |
2157ccc9971eSMauro Carvalho Chehab|                 | bound kernel     |                  |                 |
2158ccc9971eSMauro Carvalho Chehab|                 | execution times  |                  |                 |
2159ccc9971eSMauro Carvalho Chehab|                 | and/or use       |                  |                 |
2160ccc9971eSMauro Carvalho Chehab|                 | IPIs.            |                  |                 |
2161ccc9971eSMauro Carvalho Chehab+-----------------+------------------+------------------+-----------------+
2162ccc9971eSMauro Carvalho Chehab
2163ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2164ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
2165ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2166ccc9971eSMauro Carvalho Chehab| Why can't ``NO_HZ_FULL`` in-kernel execution rely on the              |
2167ccc9971eSMauro Carvalho Chehab| scheduling-clock interrupt, just like ``HZ_PERIODIC`` and             |
2168ccc9971eSMauro Carvalho Chehab| ``NO_HZ_IDLE`` do?                                                    |
2169ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2170ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
2171ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2172ccc9971eSMauro Carvalho Chehab| Because, as a performance optimization, ``NO_HZ_FULL`` does not       |
2173ccc9971eSMauro Carvalho Chehab| necessarily re-enable the scheduling-clock interrupt on entry to each |
2174ccc9971eSMauro Carvalho Chehab| and every system call.                                                |
2175ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2176ccc9971eSMauro Carvalho Chehab
2177ccc9971eSMauro Carvalho ChehabHowever, RCU must be reliably informed as to whether any given CPU is
2178ccc9971eSMauro Carvalho Chehabcurrently in the idle loop, and, for ``NO_HZ_FULL``, also whether that
2179ccc9971eSMauro Carvalho ChehabCPU is executing in usermode, as discussed
2180ccc9971eSMauro Carvalho Chehab`earlier <#Energy%20Efficiency>`__. It also requires that the
2181ccc9971eSMauro Carvalho Chehabscheduling-clock interrupt be enabled when RCU needs it to be:
2182ccc9971eSMauro Carvalho Chehab
2183ccc9971eSMauro Carvalho Chehab#. If a CPU is either idle or executing in usermode, and RCU believes it
2184ccc9971eSMauro Carvalho Chehab   is non-idle, the scheduling-clock tick had better be running.
2185ccc9971eSMauro Carvalho Chehab   Otherwise, you will get RCU CPU stall warnings. Or at best, very long
2186ccc9971eSMauro Carvalho Chehab   (11-second) grace periods, with a pointless IPI waking the CPU from
2187ccc9971eSMauro Carvalho Chehab   time to time.
2188ccc9971eSMauro Carvalho Chehab#. If a CPU is in a portion of the kernel that executes RCU read-side
2189ccc9971eSMauro Carvalho Chehab   critical sections, and RCU believes this CPU to be idle, you will get
2190ccc9971eSMauro Carvalho Chehab   random memory corruption. **DON'T DO THIS!!!**
2191ccc9971eSMauro Carvalho Chehab   This is one reason to test with lockdep, which will complain about
2192ccc9971eSMauro Carvalho Chehab   this sort of thing.
2193ccc9971eSMauro Carvalho Chehab#. If a CPU is in a portion of the kernel that is absolutely positively
2194ccc9971eSMauro Carvalho Chehab   no-joking guaranteed to never execute any RCU read-side critical
21957f45d6f8SRandy Dunlap   sections, and RCU believes this CPU to be idle, no problem. This
2196ccc9971eSMauro Carvalho Chehab   sort of thing is used by some architectures for light-weight
2197ccc9971eSMauro Carvalho Chehab   exception handlers, which can then avoid the overhead of
2198ccc9971eSMauro Carvalho Chehab   ``rcu_irq_enter()`` and ``rcu_irq_exit()`` at exception entry and
2199ccc9971eSMauro Carvalho Chehab   exit, respectively. Some go further and avoid the entireties of
2200ccc9971eSMauro Carvalho Chehab   ``irq_enter()`` and ``irq_exit()``.
2201ccc9971eSMauro Carvalho Chehab   Just make very sure you are running some of your tests with
2202ccc9971eSMauro Carvalho Chehab   ``CONFIG_PROVE_RCU=y``, just in case one of your code paths was in
2203ccc9971eSMauro Carvalho Chehab   fact joking about not doing RCU read-side critical sections.
2204ccc9971eSMauro Carvalho Chehab#. If a CPU is executing in the kernel with the scheduling-clock
2205ccc9971eSMauro Carvalho Chehab   interrupt disabled and RCU believes this CPU to be non-idle, and if
2206ccc9971eSMauro Carvalho Chehab   the CPU goes idle (from an RCU perspective) every few jiffies, no
2207ccc9971eSMauro Carvalho Chehab   problem. It is usually OK for there to be the occasional gap between
2208ccc9971eSMauro Carvalho Chehab   idle periods of up to a second or so.
2209ccc9971eSMauro Carvalho Chehab   If the gap grows too long, you get RCU CPU stall warnings.
2210ccc9971eSMauro Carvalho Chehab#. If a CPU is either idle or executing in usermode, and RCU believes it
2211ccc9971eSMauro Carvalho Chehab   to be idle, of course no problem.
2212ccc9971eSMauro Carvalho Chehab#. If a CPU is executing in the kernel, the kernel code path is passing
2213ccc9971eSMauro Carvalho Chehab   through quiescent states at a reasonable frequency (preferably about
2214ccc9971eSMauro Carvalho Chehab   once per few jiffies, but the occasional excursion to a second or so
2215ccc9971eSMauro Carvalho Chehab   is usually OK) and the scheduling-clock interrupt is enabled, of
2216ccc9971eSMauro Carvalho Chehab   course no problem.
2217ccc9971eSMauro Carvalho Chehab   If the gap between a successive pair of quiescent states grows too
2218ccc9971eSMauro Carvalho Chehab   long, you get RCU CPU stall warnings.
2219ccc9971eSMauro Carvalho Chehab
2220ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2221ccc9971eSMauro Carvalho Chehab| **Quick Quiz**:                                                       |
2222ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2223ccc9971eSMauro Carvalho Chehab| But what if my driver has a hardware interrupt handler that can run   |
2224ccc9971eSMauro Carvalho Chehab| for many seconds? I cannot invoke ``schedule()`` from an hardware     |
2225ccc9971eSMauro Carvalho Chehab| interrupt handler, after all!                                         |
2226ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2227ccc9971eSMauro Carvalho Chehab| **Answer**:                                                           |
2228ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2229ccc9971eSMauro Carvalho Chehab| One approach is to do ``rcu_irq_exit();rcu_irq_enter();`` every so    |
2230ccc9971eSMauro Carvalho Chehab| often. But given that long-running interrupt handlers can cause other |
2231ccc9971eSMauro Carvalho Chehab| problems, not least for response time, shouldn't you work to keep     |
2232ccc9971eSMauro Carvalho Chehab| your interrupt handler's runtime within reasonable bounds?            |
2233ccc9971eSMauro Carvalho Chehab+-----------------------------------------------------------------------+
2234ccc9971eSMauro Carvalho Chehab
2235ccc9971eSMauro Carvalho ChehabBut as long as RCU is properly informed of kernel state transitions
2236ccc9971eSMauro Carvalho Chehabbetween in-kernel execution, usermode execution, and idle, and as long
2237ccc9971eSMauro Carvalho Chehabas the scheduling-clock interrupt is enabled when RCU needs it to be,
2238ccc9971eSMauro Carvalho Chehabyou can rest assured that the bugs you encounter will be in some other
2239ccc9971eSMauro Carvalho Chehabpart of RCU or some other part of the kernel!
2240ccc9971eSMauro Carvalho Chehab
2241ccc9971eSMauro Carvalho ChehabMemory Efficiency
2242ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~
2243ccc9971eSMauro Carvalho Chehab
2244ccc9971eSMauro Carvalho ChehabAlthough small-memory non-realtime systems can simply use Tiny RCU, code
2245ccc9971eSMauro Carvalho Chehabsize is only one aspect of memory efficiency. Another aspect is the size
2246ccc9971eSMauro Carvalho Chehabof the ``rcu_head`` structure used by ``call_rcu()`` and
2247ccc9971eSMauro Carvalho Chehab``kfree_rcu()``. Although this structure contains nothing more than a
2248ccc9971eSMauro Carvalho Chehabpair of pointers, it does appear in many RCU-protected data structures,
2249ccc9971eSMauro Carvalho Chehabincluding some that are size critical. The ``page`` structure is a case
2250ccc9971eSMauro Carvalho Chehabin point, as evidenced by the many occurrences of the ``union`` keyword
2251ccc9971eSMauro Carvalho Chehabwithin that structure.
2252ccc9971eSMauro Carvalho Chehab
2253ccc9971eSMauro Carvalho ChehabThis need for memory efficiency is one reason that RCU uses hand-crafted
2254ccc9971eSMauro Carvalho Chehabsingly linked lists to track the ``rcu_head`` structures that are
2255ccc9971eSMauro Carvalho Chehabwaiting for a grace period to elapse. It is also the reason why
2256ccc9971eSMauro Carvalho Chehab``rcu_head`` structures do not contain debug information, such as fields
2257ccc9971eSMauro Carvalho Chehabtracking the file and line of the ``call_rcu()`` or ``kfree_rcu()`` that
2258ccc9971eSMauro Carvalho Chehabposted them. Although this information might appear in debug-only kernel
2259ccc9971eSMauro Carvalho Chehabbuilds at some point, in the meantime, the ``->func`` field will often
2260ccc9971eSMauro Carvalho Chehabprovide the needed debug information.
2261ccc9971eSMauro Carvalho Chehab
2262ccc9971eSMauro Carvalho ChehabHowever, in some cases, the need for memory efficiency leads to even
2263ccc9971eSMauro Carvalho Chehabmore extreme measures. Returning to the ``page`` structure, the
2264ccc9971eSMauro Carvalho Chehab``rcu_head`` field shares storage with a great many other structures
2265ccc9971eSMauro Carvalho Chehabthat are used at various points in the corresponding page's lifetime. In
2266ccc9971eSMauro Carvalho Chehaborder to correctly resolve certain `race
2267ccc9971eSMauro Carvalho Chehabconditions <https://lkml.kernel.org/g/1439976106-137226-1-git-send-email-kirill.shutemov@linux.intel.com>`__,
2268ccc9971eSMauro Carvalho Chehabthe Linux kernel's memory-management subsystem needs a particular bit to
2269ccc9971eSMauro Carvalho Chehabremain zero during all phases of grace-period processing, and that bit
2270ccc9971eSMauro Carvalho Chehabhappens to map to the bottom bit of the ``rcu_head`` structure's
2271ccc9971eSMauro Carvalho Chehab``->next`` field. RCU makes this guarantee as long as ``call_rcu()`` is
2272ccc9971eSMauro Carvalho Chehabused to post the callback, as opposed to ``kfree_rcu()`` or some future
2273ccc9971eSMauro Carvalho Chehab“lazy” variant of ``call_rcu()`` that might one day be created for
2274ccc9971eSMauro Carvalho Chehabenergy-efficiency purposes.
2275ccc9971eSMauro Carvalho Chehab
2276ccc9971eSMauro Carvalho ChehabThat said, there are limits. RCU requires that the ``rcu_head``
2277ccc9971eSMauro Carvalho Chehabstructure be aligned to a two-byte boundary, and passing a misaligned
2278ccc9971eSMauro Carvalho Chehab``rcu_head`` structure to one of the ``call_rcu()`` family of functions
2279ccc9971eSMauro Carvalho Chehabwill result in a splat. It is therefore necessary to exercise caution
2280ccc9971eSMauro Carvalho Chehabwhen packing structures containing fields of type ``rcu_head``. Why not
2281ccc9971eSMauro Carvalho Chehaba four-byte or even eight-byte alignment requirement? Because the m68k
2282ccc9971eSMauro Carvalho Chehabarchitecture provides only two-byte alignment, and thus acts as
2283ccc9971eSMauro Carvalho Chehabalignment's least common denominator.
2284ccc9971eSMauro Carvalho Chehab
2285ccc9971eSMauro Carvalho ChehabThe reason for reserving the bottom bit of pointers to ``rcu_head``
2286ccc9971eSMauro Carvalho Chehabstructures is to leave the door open to “lazy” callbacks whose
2287ccc9971eSMauro Carvalho Chehabinvocations can safely be deferred. Deferring invocation could
2288ccc9971eSMauro Carvalho Chehabpotentially have energy-efficiency benefits, but only if the rate of
2289ccc9971eSMauro Carvalho Chehabnon-lazy callbacks decreases significantly for some important workload.
2290ccc9971eSMauro Carvalho ChehabIn the meantime, reserving the bottom bit keeps this option open in case
2291ccc9971eSMauro Carvalho Chehabit one day becomes useful.
2292ccc9971eSMauro Carvalho Chehab
2293ccc9971eSMauro Carvalho ChehabPerformance, Scalability, Response Time, and Reliability
2294ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2295ccc9971eSMauro Carvalho Chehab
2296ccc9971eSMauro Carvalho ChehabExpanding on the `earlier
2297ccc9971eSMauro Carvalho Chehabdiscussion <#Performance%20and%20Scalability>`__, RCU is used heavily by
2298ccc9971eSMauro Carvalho Chehabhot code paths in performance-critical portions of the Linux kernel's
2299ccc9971eSMauro Carvalho Chehabnetworking, security, virtualization, and scheduling code paths. RCU
2300ccc9971eSMauro Carvalho Chehabmust therefore use efficient implementations, especially in its
2301ccc9971eSMauro Carvalho Chehabread-side primitives. To that end, it would be good if preemptible RCU's
2302ccc9971eSMauro Carvalho Chehabimplementation of ``rcu_read_lock()`` could be inlined, however, doing
2303ccc9971eSMauro Carvalho Chehabthis requires resolving ``#include`` issues with the ``task_struct``
2304ccc9971eSMauro Carvalho Chehabstructure.
2305ccc9971eSMauro Carvalho Chehab
2306ccc9971eSMauro Carvalho ChehabThe Linux kernel supports hardware configurations with up to 4096 CPUs,
2307ccc9971eSMauro Carvalho Chehabwhich means that RCU must be extremely scalable. Algorithms that involve
2308ccc9971eSMauro Carvalho Chehabfrequent acquisitions of global locks or frequent atomic operations on
2309ccc9971eSMauro Carvalho Chehabglobal variables simply cannot be tolerated within the RCU
2310ccc9971eSMauro Carvalho Chehabimplementation. RCU therefore makes heavy use of a combining tree based
2311ccc9971eSMauro Carvalho Chehabon the ``rcu_node`` structure. RCU is required to tolerate all CPUs
2312ccc9971eSMauro Carvalho Chehabcontinuously invoking any combination of RCU's runtime primitives with
2313ccc9971eSMauro Carvalho Chehabminimal per-operation overhead. In fact, in many cases, increasing load
2314ccc9971eSMauro Carvalho Chehabmust *decrease* the per-operation overhead, witness the batching
2315ccc9971eSMauro Carvalho Chehaboptimizations for ``synchronize_rcu()``, ``call_rcu()``,
2316ccc9971eSMauro Carvalho Chehab``synchronize_rcu_expedited()``, and ``rcu_barrier()``. As a general
2317ccc9971eSMauro Carvalho Chehabrule, RCU must cheerfully accept whatever the rest of the Linux kernel
2318ccc9971eSMauro Carvalho Chehabdecides to throw at it.
2319ccc9971eSMauro Carvalho Chehab
2320ccc9971eSMauro Carvalho ChehabThe Linux kernel is used for real-time workloads, especially in
2321ccc9971eSMauro Carvalho Chehabconjunction with the `-rt
2322ccc9971eSMauro Carvalho Chehabpatchset <https://rt.wiki.kernel.org/index.php/Main_Page>`__. The
2323ccc9971eSMauro Carvalho Chehabreal-time-latency response requirements are such that the traditional
2324ccc9971eSMauro Carvalho Chehabapproach of disabling preemption across RCU read-side critical sections
2325ccc9971eSMauro Carvalho Chehabis inappropriate. Kernels built with ``CONFIG_PREEMPT=y`` therefore use
2326ccc9971eSMauro Carvalho Chehaban RCU implementation that allows RCU read-side critical sections to be
2327ccc9971eSMauro Carvalho Chehabpreempted. This requirement made its presence known after users made it
2328ccc9971eSMauro Carvalho Chehabclear that an earlier `real-time
2329ccc9971eSMauro Carvalho Chehabpatch <https://lwn.net/Articles/107930/>`__ did not meet their needs, in
2330ccc9971eSMauro Carvalho Chehabconjunction with some `RCU
2331ccc9971eSMauro Carvalho Chehabissues <https://lkml.kernel.org/g/20050318002026.GA2693@us.ibm.com>`__
2332ccc9971eSMauro Carvalho Chehabencountered by a very early version of the -rt patchset.
2333ccc9971eSMauro Carvalho Chehab
2334ccc9971eSMauro Carvalho ChehabIn addition, RCU must make do with a sub-100-microsecond real-time
2335ccc9971eSMauro Carvalho Chehablatency budget. In fact, on smaller systems with the -rt patchset, the
2336ccc9971eSMauro Carvalho ChehabLinux kernel provides sub-20-microsecond real-time latencies for the
2337ccc9971eSMauro Carvalho Chehabwhole kernel, including RCU. RCU's scalability and latency must
2338ccc9971eSMauro Carvalho Chehabtherefore be sufficient for these sorts of configurations. To my
2339ccc9971eSMauro Carvalho Chehabsurprise, the sub-100-microsecond real-time latency budget `applies to
2340ccc9971eSMauro Carvalho Chehabeven the largest systems
2341ccc9971eSMauro Carvalho Chehab[PDF] <http://www.rdrop.com/users/paulmck/realtime/paper/bigrt.2013.01.31a.LCA.pdf>`__,
2342ccc9971eSMauro Carvalho Chehabup to and including systems with 4096 CPUs. This real-time requirement
2343ccc9971eSMauro Carvalho Chehabmotivated the grace-period kthread, which also simplified handling of a
2344ccc9971eSMauro Carvalho Chehabnumber of race conditions.
2345ccc9971eSMauro Carvalho Chehab
2346ccc9971eSMauro Carvalho ChehabRCU must avoid degrading real-time response for CPU-bound threads,
2347ccc9971eSMauro Carvalho Chehabwhether executing in usermode (which is one use case for
2348ccc9971eSMauro Carvalho Chehab``CONFIG_NO_HZ_FULL=y``) or in the kernel. That said, CPU-bound loops in
2349ccc9971eSMauro Carvalho Chehabthe kernel must execute ``cond_resched()`` at least once per few tens of
2350ccc9971eSMauro Carvalho Chehabmilliseconds in order to avoid receiving an IPI from RCU.
2351ccc9971eSMauro Carvalho Chehab
2352ccc9971eSMauro Carvalho ChehabFinally, RCU's status as a synchronization primitive means that any RCU
2353ccc9971eSMauro Carvalho Chehabfailure can result in arbitrary memory corruption that can be extremely
2354ccc9971eSMauro Carvalho Chehabdifficult to debug. This means that RCU must be extremely reliable,
2355ccc9971eSMauro Carvalho Chehabwhich in practice also means that RCU must have an aggressive
2356ccc9971eSMauro Carvalho Chehabstress-test suite. This stress-test suite is called ``rcutorture``.
2357ccc9971eSMauro Carvalho Chehab
2358ccc9971eSMauro Carvalho ChehabAlthough the need for ``rcutorture`` was no surprise, the current
2359ccc9971eSMauro Carvalho Chehabimmense popularity of the Linux kernel is posing interesting—and perhaps
2360ccc9971eSMauro Carvalho Chehabunprecedented—validation challenges. To see this, keep in mind that
2361ccc9971eSMauro Carvalho Chehabthere are well over one billion instances of the Linux kernel running
2362ccc9971eSMauro Carvalho Chehabtoday, given Android smartphones, Linux-powered televisions, and
2363ccc9971eSMauro Carvalho Chehabservers. This number can be expected to increase sharply with the advent
2364ccc9971eSMauro Carvalho Chehabof the celebrated Internet of Things.
2365ccc9971eSMauro Carvalho Chehab
2366ccc9971eSMauro Carvalho ChehabSuppose that RCU contains a race condition that manifests on average
2367ccc9971eSMauro Carvalho Chehabonce per million years of runtime. This bug will be occurring about
2368ccc9971eSMauro Carvalho Chehabthree times per *day* across the installed base. RCU could simply hide
2369ccc9971eSMauro Carvalho Chehabbehind hardware error rates, given that no one should really expect
2370ccc9971eSMauro Carvalho Chehabtheir smartphone to last for a million years. However, anyone taking too
2371ccc9971eSMauro Carvalho Chehabmuch comfort from this thought should consider the fact that in most
2372ccc9971eSMauro Carvalho Chehabjurisdictions, a successful multi-year test of a given mechanism, which
2373ccc9971eSMauro Carvalho Chehabmight include a Linux kernel, suffices for a number of types of
2374ccc9971eSMauro Carvalho Chehabsafety-critical certifications. In fact, rumor has it that the Linux
2375ccc9971eSMauro Carvalho Chehabkernel is already being used in production for safety-critical
2376ccc9971eSMauro Carvalho Chehabapplications. I don't know about you, but I would feel quite bad if a
2377ccc9971eSMauro Carvalho Chehabbug in RCU killed someone. Which might explain my recent focus on
2378ccc9971eSMauro Carvalho Chehabvalidation and verification.
2379ccc9971eSMauro Carvalho Chehab
2380ccc9971eSMauro Carvalho ChehabOther RCU Flavors
2381ccc9971eSMauro Carvalho Chehab-----------------
2382ccc9971eSMauro Carvalho Chehab
2383ccc9971eSMauro Carvalho ChehabOne of the more surprising things about RCU is that there are now no
2384ccc9971eSMauro Carvalho Chehabfewer than five *flavors*, or API families. In addition, the primary
2385ccc9971eSMauro Carvalho Chehabflavor that has been the sole focus up to this point has two different
2386ccc9971eSMauro Carvalho Chehabimplementations, non-preemptible and preemptible. The other four flavors
2387ccc9971eSMauro Carvalho Chehabare listed below, with requirements for each described in a separate
2388ccc9971eSMauro Carvalho Chehabsection.
2389ccc9971eSMauro Carvalho Chehab
239007335c16SJoel Fernandes (Google)#. `Bottom-Half Flavor (Historical)`_
239107335c16SJoel Fernandes (Google)#. `Sched Flavor (Historical)`_
239207335c16SJoel Fernandes (Google)#. `Sleepable RCU`_
239307335c16SJoel Fernandes (Google)#. `Tasks RCU`_
2394ccc9971eSMauro Carvalho Chehab
2395ccc9971eSMauro Carvalho ChehabBottom-Half Flavor (Historical)
2396ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2397ccc9971eSMauro Carvalho Chehab
2398ccc9971eSMauro Carvalho ChehabThe RCU-bh flavor of RCU has since been expressed in terms of the other
2399ccc9971eSMauro Carvalho ChehabRCU flavors as part of a consolidation of the three flavors into a
2400ccc9971eSMauro Carvalho Chehabsingle flavor. The read-side API remains, and continues to disable
2401ccc9971eSMauro Carvalho Chehabsoftirq and to be accounted for by lockdep. Much of the material in this
2402ccc9971eSMauro Carvalho Chehabsection is therefore strictly historical in nature.
2403ccc9971eSMauro Carvalho Chehab
2404ccc9971eSMauro Carvalho ChehabThe softirq-disable (AKA “bottom-half”, hence the “_bh” abbreviations)
2405ccc9971eSMauro Carvalho Chehabflavor of RCU, or *RCU-bh*, was developed by Dipankar Sarma to provide a
2406ccc9971eSMauro Carvalho Chehabflavor of RCU that could withstand the network-based denial-of-service
2407ccc9971eSMauro Carvalho Chehabattacks researched by Robert Olsson. These attacks placed so much
2408ccc9971eSMauro Carvalho Chehabnetworking load on the system that some of the CPUs never exited softirq
2409ccc9971eSMauro Carvalho Chehabexecution, which in turn prevented those CPUs from ever executing a
2410ccc9971eSMauro Carvalho Chehabcontext switch, which, in the RCU implementation of that time, prevented
2411ccc9971eSMauro Carvalho Chehabgrace periods from ever ending. The result was an out-of-memory
2412ccc9971eSMauro Carvalho Chehabcondition and a system hang.
2413ccc9971eSMauro Carvalho Chehab
2414ccc9971eSMauro Carvalho ChehabThe solution was the creation of RCU-bh, which does
2415ccc9971eSMauro Carvalho Chehab``local_bh_disable()`` across its read-side critical sections, and which
2416ccc9971eSMauro Carvalho Chehabuses the transition from one type of softirq processing to another as a
2417ccc9971eSMauro Carvalho Chehabquiescent state in addition to context switch, idle, user mode, and
2418ccc9971eSMauro Carvalho Chehaboffline. This means that RCU-bh grace periods can complete even when
2419ccc9971eSMauro Carvalho Chehabsome of the CPUs execute in softirq indefinitely, thus allowing
2420ccc9971eSMauro Carvalho Chehabalgorithms based on RCU-bh to withstand network-based denial-of-service
2421ccc9971eSMauro Carvalho Chehabattacks.
2422ccc9971eSMauro Carvalho Chehab
2423ccc9971eSMauro Carvalho ChehabBecause ``rcu_read_lock_bh()`` and ``rcu_read_unlock_bh()`` disable and
2424ccc9971eSMauro Carvalho Chehabre-enable softirq handlers, any attempt to start a softirq handlers
2425ccc9971eSMauro Carvalho Chehabduring the RCU-bh read-side critical section will be deferred. In this
2426ccc9971eSMauro Carvalho Chehabcase, ``rcu_read_unlock_bh()`` will invoke softirq processing, which can
2427ccc9971eSMauro Carvalho Chehabtake considerable time. One can of course argue that this softirq
2428ccc9971eSMauro Carvalho Chehaboverhead should be associated with the code following the RCU-bh
2429ccc9971eSMauro Carvalho Chehabread-side critical section rather than ``rcu_read_unlock_bh()``, but the
2430ccc9971eSMauro Carvalho Chehabfact is that most profiling tools cannot be expected to make this sort
2431ccc9971eSMauro Carvalho Chehabof fine distinction. For example, suppose that a three-millisecond-long
2432ccc9971eSMauro Carvalho ChehabRCU-bh read-side critical section executes during a time of heavy
2433ccc9971eSMauro Carvalho Chehabnetworking load. There will very likely be an attempt to invoke at least
2434ccc9971eSMauro Carvalho Chehabone softirq handler during that three milliseconds, but any such
2435ccc9971eSMauro Carvalho Chehabinvocation will be delayed until the time of the
2436ccc9971eSMauro Carvalho Chehab``rcu_read_unlock_bh()``. This can of course make it appear at first
2437ccc9971eSMauro Carvalho Chehabglance as if ``rcu_read_unlock_bh()`` was executing very slowly.
2438ccc9971eSMauro Carvalho Chehab
2439ccc9971eSMauro Carvalho ChehabThe `RCU-bh
2440ccc9971eSMauro Carvalho ChehabAPI <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
2441ccc9971eSMauro Carvalho Chehabincludes ``rcu_read_lock_bh()``, ``rcu_read_unlock_bh()``,
2442ccc9971eSMauro Carvalho Chehab``rcu_dereference_bh()``, ``rcu_dereference_bh_check()``,
2443ccc9971eSMauro Carvalho Chehab``synchronize_rcu_bh()``, ``synchronize_rcu_bh_expedited()``,
2444ccc9971eSMauro Carvalho Chehab``call_rcu_bh()``, ``rcu_barrier_bh()``, and
2445ccc9971eSMauro Carvalho Chehab``rcu_read_lock_bh_held()``. However, the update-side APIs are now
2446ccc9971eSMauro Carvalho Chehabsimple wrappers for other RCU flavors, namely RCU-sched in
2447ccc9971eSMauro Carvalho ChehabCONFIG_PREEMPT=n kernels and RCU-preempt otherwise.
2448ccc9971eSMauro Carvalho Chehab
2449ccc9971eSMauro Carvalho ChehabSched Flavor (Historical)
2450ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~~~~~~~~~~~~~
2451ccc9971eSMauro Carvalho Chehab
2452ccc9971eSMauro Carvalho ChehabThe RCU-sched flavor of RCU has since been expressed in terms of the
2453ccc9971eSMauro Carvalho Chehabother RCU flavors as part of a consolidation of the three flavors into a
2454ccc9971eSMauro Carvalho Chehabsingle flavor. The read-side API remains, and continues to disable
2455ccc9971eSMauro Carvalho Chehabpreemption and to be accounted for by lockdep. Much of the material in
2456ccc9971eSMauro Carvalho Chehabthis section is therefore strictly historical in nature.
2457ccc9971eSMauro Carvalho Chehab
2458ccc9971eSMauro Carvalho ChehabBefore preemptible RCU, waiting for an RCU grace period had the side
2459ccc9971eSMauro Carvalho Chehabeffect of also waiting for all pre-existing interrupt and NMI handlers.
2460ccc9971eSMauro Carvalho ChehabHowever, there are legitimate preemptible-RCU implementations that do
2461ccc9971eSMauro Carvalho Chehabnot have this property, given that any point in the code outside of an
2462ccc9971eSMauro Carvalho ChehabRCU read-side critical section can be a quiescent state. Therefore,
2463ccc9971eSMauro Carvalho Chehab*RCU-sched* was created, which follows “classic” RCU in that an
24647f45d6f8SRandy DunlapRCU-sched grace period waits for pre-existing interrupt and NMI
2465ccc9971eSMauro Carvalho Chehabhandlers. In kernels built with ``CONFIG_PREEMPT=n``, the RCU and
2466ccc9971eSMauro Carvalho ChehabRCU-sched APIs have identical implementations, while kernels built with
2467ccc9971eSMauro Carvalho Chehab``CONFIG_PREEMPT=y`` provide a separate implementation for each.
2468ccc9971eSMauro Carvalho Chehab
2469ccc9971eSMauro Carvalho ChehabNote well that in ``CONFIG_PREEMPT=y`` kernels,
2470ccc9971eSMauro Carvalho Chehab``rcu_read_lock_sched()`` and ``rcu_read_unlock_sched()`` disable and
2471ccc9971eSMauro Carvalho Chehabre-enable preemption, respectively. This means that if there was a
2472ccc9971eSMauro Carvalho Chehabpreemption attempt during the RCU-sched read-side critical section,
2473ccc9971eSMauro Carvalho Chehab``rcu_read_unlock_sched()`` will enter the scheduler, with all the
2474ccc9971eSMauro Carvalho Chehablatency and overhead entailed. Just as with ``rcu_read_unlock_bh()``,
2475ccc9971eSMauro Carvalho Chehabthis can make it look as if ``rcu_read_unlock_sched()`` was executing
2476ccc9971eSMauro Carvalho Chehabvery slowly. However, the highest-priority task won't be preempted, so
2477ccc9971eSMauro Carvalho Chehabthat task will enjoy low-overhead ``rcu_read_unlock_sched()``
2478ccc9971eSMauro Carvalho Chehabinvocations.
2479ccc9971eSMauro Carvalho Chehab
2480ccc9971eSMauro Carvalho ChehabThe `RCU-sched
2481ccc9971eSMauro Carvalho ChehabAPI <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
2482ccc9971eSMauro Carvalho Chehabincludes ``rcu_read_lock_sched()``, ``rcu_read_unlock_sched()``,
2483ccc9971eSMauro Carvalho Chehab``rcu_read_lock_sched_notrace()``, ``rcu_read_unlock_sched_notrace()``,
2484ccc9971eSMauro Carvalho Chehab``rcu_dereference_sched()``, ``rcu_dereference_sched_check()``,
2485ccc9971eSMauro Carvalho Chehab``synchronize_sched()``, ``synchronize_rcu_sched_expedited()``,
2486ccc9971eSMauro Carvalho Chehab``call_rcu_sched()``, ``rcu_barrier_sched()``, and
2487ccc9971eSMauro Carvalho Chehab``rcu_read_lock_sched_held()``. However, anything that disables
2488ccc9971eSMauro Carvalho Chehabpreemption also marks an RCU-sched read-side critical section, including
2489ccc9971eSMauro Carvalho Chehab``preempt_disable()`` and ``preempt_enable()``, ``local_irq_save()`` and
2490ccc9971eSMauro Carvalho Chehab``local_irq_restore()``, and so on.
2491ccc9971eSMauro Carvalho Chehab
2492ccc9971eSMauro Carvalho ChehabSleepable RCU
2493ccc9971eSMauro Carvalho Chehab~~~~~~~~~~~~~
2494ccc9971eSMauro Carvalho Chehab
2495ccc9971eSMauro Carvalho ChehabFor well over a decade, someone saying “I need to block within an RCU
2496ccc9971eSMauro Carvalho Chehabread-side critical section” was a reliable indication that this someone
2497ccc9971eSMauro Carvalho Chehabdid not understand RCU. After all, if you are always blocking in an RCU
2498ccc9971eSMauro Carvalho Chehabread-side critical section, you can probably afford to use a
2499ccc9971eSMauro Carvalho Chehabhigher-overhead synchronization mechanism. However, that changed with
2500ccc9971eSMauro Carvalho Chehabthe advent of the Linux kernel's notifiers, whose RCU read-side critical
2501ccc9971eSMauro Carvalho Chehabsections almost never sleep, but sometimes need to. This resulted in the
2502ccc9971eSMauro Carvalho Chehabintroduction of `sleepable RCU <https://lwn.net/Articles/202847/>`__, or
2503ccc9971eSMauro Carvalho Chehab*SRCU*.
2504ccc9971eSMauro Carvalho Chehab
2505ccc9971eSMauro Carvalho ChehabSRCU allows different domains to be defined, with each such domain
2506ccc9971eSMauro Carvalho Chehabdefined by an instance of an ``srcu_struct`` structure. A pointer to
2507ccc9971eSMauro Carvalho Chehabthis structure must be passed in to each SRCU function, for example,
2508ccc9971eSMauro Carvalho Chehab``synchronize_srcu(&ss)``, where ``ss`` is the ``srcu_struct``
2509ccc9971eSMauro Carvalho Chehabstructure. The key benefit of these domains is that a slow SRCU reader
2510ccc9971eSMauro Carvalho Chehabin one domain does not delay an SRCU grace period in some other domain.
2511ccc9971eSMauro Carvalho ChehabThat said, one consequence of these domains is that read-side code must
2512ccc9971eSMauro Carvalho Chehabpass a “cookie” from ``srcu_read_lock()`` to ``srcu_read_unlock()``, for
2513ccc9971eSMauro Carvalho Chehabexample, as follows:
2514ccc9971eSMauro Carvalho Chehab
2515ccc9971eSMauro Carvalho Chehab   ::
2516ccc9971eSMauro Carvalho Chehab
2517ccc9971eSMauro Carvalho Chehab       1 int idx;
2518ccc9971eSMauro Carvalho Chehab       2
2519ccc9971eSMauro Carvalho Chehab       3 idx = srcu_read_lock(&ss);
2520ccc9971eSMauro Carvalho Chehab       4 do_something();
2521ccc9971eSMauro Carvalho Chehab       5 srcu_read_unlock(&ss, idx);
2522ccc9971eSMauro Carvalho Chehab
2523ccc9971eSMauro Carvalho ChehabAs noted above, it is legal to block within SRCU read-side critical
2524ccc9971eSMauro Carvalho Chehabsections, however, with great power comes great responsibility. If you
2525ccc9971eSMauro Carvalho Chehabblock forever in one of a given domain's SRCU read-side critical
2526ccc9971eSMauro Carvalho Chehabsections, then that domain's grace periods will also be blocked forever.
2527ccc9971eSMauro Carvalho ChehabOf course, one good way to block forever is to deadlock, which can
2528ccc9971eSMauro Carvalho Chehabhappen if any operation in a given domain's SRCU read-side critical
2529ccc9971eSMauro Carvalho Chehabsection can wait, either directly or indirectly, for that domain's grace
2530ccc9971eSMauro Carvalho Chehabperiod to elapse. For example, this results in a self-deadlock:
2531ccc9971eSMauro Carvalho Chehab
2532ccc9971eSMauro Carvalho Chehab   ::
2533ccc9971eSMauro Carvalho Chehab
2534ccc9971eSMauro Carvalho Chehab       1 int idx;
2535ccc9971eSMauro Carvalho Chehab       2
2536ccc9971eSMauro Carvalho Chehab       3 idx = srcu_read_lock(&ss);
2537ccc9971eSMauro Carvalho Chehab       4 do_something();
2538ccc9971eSMauro Carvalho Chehab       5 synchronize_srcu(&ss);
2539ccc9971eSMauro Carvalho Chehab       6 srcu_read_unlock(&ss, idx);
2540ccc9971eSMauro Carvalho Chehab
2541ccc9971eSMauro Carvalho ChehabHowever, if line 5 acquired a mutex that was held across a
2542ccc9971eSMauro Carvalho Chehab``synchronize_srcu()`` for domain ``ss``, deadlock would still be
2543ccc9971eSMauro Carvalho Chehabpossible. Furthermore, if line 5 acquired a mutex that was held across a
2544ccc9971eSMauro Carvalho Chehab``synchronize_srcu()`` for some other domain ``ss1``, and if an
2545ccc9971eSMauro Carvalho Chehab``ss1``-domain SRCU read-side critical section acquired another mutex
2546ccc9971eSMauro Carvalho Chehabthat was held across as ``ss``-domain ``synchronize_srcu()``, deadlock
2547ccc9971eSMauro Carvalho Chehabwould again be possible. Such a deadlock cycle could extend across an
2548ccc9971eSMauro Carvalho Chehabarbitrarily large number of different SRCU domains. Again, with great
2549ccc9971eSMauro Carvalho Chehabpower comes great responsibility.
2550ccc9971eSMauro Carvalho Chehab
2551ccc9971eSMauro Carvalho ChehabUnlike the other RCU flavors, SRCU read-side critical sections can run
2552ccc9971eSMauro Carvalho Chehabon idle and even offline CPUs. This ability requires that
2553ccc9971eSMauro Carvalho Chehab``srcu_read_lock()`` and ``srcu_read_unlock()`` contain memory barriers,
2554ccc9971eSMauro Carvalho Chehabwhich means that SRCU readers will run a bit slower than would RCU
2555ccc9971eSMauro Carvalho Chehabreaders. It also motivates the ``smp_mb__after_srcu_read_unlock()`` API,
2556ccc9971eSMauro Carvalho Chehabwhich, in combination with ``srcu_read_unlock()``, guarantees a full
2557ccc9971eSMauro Carvalho Chehabmemory barrier.
2558ccc9971eSMauro Carvalho Chehab
2559ccc9971eSMauro Carvalho ChehabAlso unlike other RCU flavors, ``synchronize_srcu()`` may **not** be
2560ccc9971eSMauro Carvalho Chehabinvoked from CPU-hotplug notifiers, due to the fact that SRCU grace
2561ccc9971eSMauro Carvalho Chehabperiods make use of timers and the possibility of timers being
2562ccc9971eSMauro Carvalho Chehabtemporarily “stranded” on the outgoing CPU. This stranding of timers
2563ccc9971eSMauro Carvalho Chehabmeans that timers posted to the outgoing CPU will not fire until late in
2564ccc9971eSMauro Carvalho Chehabthe CPU-hotplug process. The problem is that if a notifier is waiting on
2565ccc9971eSMauro Carvalho Chehaban SRCU grace period, that grace period is waiting on a timer, and that
2566ccc9971eSMauro Carvalho Chehabtimer is stranded on the outgoing CPU, then the notifier will never be
2567ccc9971eSMauro Carvalho Chehabawakened, in other words, deadlock has occurred. This same situation of
2568ccc9971eSMauro Carvalho Chehabcourse also prohibits ``srcu_barrier()`` from being invoked from
2569ccc9971eSMauro Carvalho ChehabCPU-hotplug notifiers.
2570ccc9971eSMauro Carvalho Chehab
2571ccc9971eSMauro Carvalho ChehabSRCU also differs from other RCU flavors in that SRCU's expedited and
2572ccc9971eSMauro Carvalho Chehabnon-expedited grace periods are implemented by the same mechanism. This
2573ccc9971eSMauro Carvalho Chehabmeans that in the current SRCU implementation, expediting a future grace
2574ccc9971eSMauro Carvalho Chehabperiod has the side effect of expediting all prior grace periods that
2575ccc9971eSMauro Carvalho Chehabhave not yet completed. (But please note that this is a property of the
2576ccc9971eSMauro Carvalho Chehabcurrent implementation, not necessarily of future implementations.) In
2577ccc9971eSMauro Carvalho Chehabaddition, if SRCU has been idle for longer than the interval specified
2578ccc9971eSMauro Carvalho Chehabby the ``srcutree.exp_holdoff`` kernel boot parameter (25 microseconds
2579ccc9971eSMauro Carvalho Chehabby default), and if a ``synchronize_srcu()`` invocation ends this idle
2580ccc9971eSMauro Carvalho Chehabperiod, that invocation will be automatically expedited.
2581ccc9971eSMauro Carvalho Chehab
2582ccc9971eSMauro Carvalho ChehabAs of v4.12, SRCU's callbacks are maintained per-CPU, eliminating a
2583ccc9971eSMauro Carvalho Chehablocking bottleneck present in prior kernel versions. Although this will
2584ccc9971eSMauro Carvalho Chehaballow users to put much heavier stress on ``call_srcu()``, it is
2585ccc9971eSMauro Carvalho Chehabimportant to note that SRCU does not yet take any special steps to deal
2586ccc9971eSMauro Carvalho Chehabwith callback flooding. So if you are posting (say) 10,000 SRCU
2587ccc9971eSMauro Carvalho Chehabcallbacks per second per CPU, you are probably totally OK, but if you
2588ccc9971eSMauro Carvalho Chehabintend to post (say) 1,000,000 SRCU callbacks per second per CPU, please
2589ccc9971eSMauro Carvalho Chehabrun some tests first. SRCU just might need a few adjustment to deal with
2590ccc9971eSMauro Carvalho Chehabthat sort of load. Of course, your mileage may vary based on the speed
2591ccc9971eSMauro Carvalho Chehabof your CPUs and the size of your memory.
2592ccc9971eSMauro Carvalho Chehab
2593ccc9971eSMauro Carvalho ChehabThe `SRCU
2594ccc9971eSMauro Carvalho ChehabAPI <https://lwn.net/Articles/609973/#RCU%20Per-Flavor%20API%20Table>`__
2595ccc9971eSMauro Carvalho Chehabincludes ``srcu_read_lock()``, ``srcu_read_unlock()``,
2596ccc9971eSMauro Carvalho Chehab``srcu_dereference()``, ``srcu_dereference_check()``,
2597ccc9971eSMauro Carvalho Chehab``synchronize_srcu()``, ``synchronize_srcu_expedited()``,
2598ccc9971eSMauro Carvalho Chehab``call_srcu()``, ``srcu_barrier()``, and ``srcu_read_lock_held()``. It
2599ccc9971eSMauro Carvalho Chehabalso includes ``DEFINE_SRCU()``, ``DEFINE_STATIC_SRCU()``, and
2600ccc9971eSMauro Carvalho Chehab``init_srcu_struct()`` APIs for defining and initializing
2601ccc9971eSMauro Carvalho Chehab``srcu_struct`` structures.
2602ccc9971eSMauro Carvalho Chehab
2603ccc9971eSMauro Carvalho ChehabTasks RCU
2604ccc9971eSMauro Carvalho Chehab~~~~~~~~~
2605ccc9971eSMauro Carvalho Chehab
2606ccc9971eSMauro Carvalho ChehabSome forms of tracing use “trampolines” to handle the binary rewriting
2607ccc9971eSMauro Carvalho Chehabrequired to install different types of probes. It would be good to be
2608ccc9971eSMauro Carvalho Chehabable to free old trampolines, which sounds like a job for some form of
2609ccc9971eSMauro Carvalho ChehabRCU. However, because it is necessary to be able to install a trace
2610ccc9971eSMauro Carvalho Chehabanywhere in the code, it is not possible to use read-side markers such
2611ccc9971eSMauro Carvalho Chehabas ``rcu_read_lock()`` and ``rcu_read_unlock()``. In addition, it does
2612ccc9971eSMauro Carvalho Chehabnot work to have these markers in the trampoline itself, because there
2613ccc9971eSMauro Carvalho Chehabwould need to be instructions following ``rcu_read_unlock()``. Although
2614ccc9971eSMauro Carvalho Chehab``synchronize_rcu()`` would guarantee that execution reached the
2615ccc9971eSMauro Carvalho Chehab``rcu_read_unlock()``, it would not be able to guarantee that execution
2616d93d97cbSPaul E. McKenneyhad completely left the trampoline. Worse yet, in some situations
2617d93d97cbSPaul E. McKenneythe trampoline's protection must extend a few instructions *prior* to
2618d93d97cbSPaul E. McKenneyexecution reaching the trampoline.  For example, these few instructions
2619d93d97cbSPaul E. McKenneymight calculate the address of the trampoline, so that entering the
2620d93d97cbSPaul E. McKenneytrampoline would be pre-ordained a surprisingly long time before execution
2621d93d97cbSPaul E. McKenneyactually reached the trampoline itself.
2622ccc9971eSMauro Carvalho Chehab
2623ccc9971eSMauro Carvalho ChehabThe solution, in the form of `Tasks
2624ccc9971eSMauro Carvalho ChehabRCU <https://lwn.net/Articles/607117/>`__, is to have implicit read-side
2625ccc9971eSMauro Carvalho Chehabcritical sections that are delimited by voluntary context switches, that
2626ccc9971eSMauro Carvalho Chehabis, calls to ``schedule()``, ``cond_resched()``, and
2627ccc9971eSMauro Carvalho Chehab``synchronize_rcu_tasks()``. In addition, transitions to and from
2628ccc9971eSMauro Carvalho Chehabuserspace execution also delimit tasks-RCU read-side critical sections.
2629ccc9971eSMauro Carvalho Chehab
2630ccc9971eSMauro Carvalho ChehabThe tasks-RCU API is quite compact, consisting only of
2631ccc9971eSMauro Carvalho Chehab``call_rcu_tasks()``, ``synchronize_rcu_tasks()``, and
2632ccc9971eSMauro Carvalho Chehab``rcu_barrier_tasks()``. In ``CONFIG_PREEMPT=n`` kernels, trampolines
2633ccc9971eSMauro Carvalho Chehabcannot be preempted, so these APIs map to ``call_rcu()``,
2634ccc9971eSMauro Carvalho Chehab``synchronize_rcu()``, and ``rcu_barrier()``, respectively. In
2635ccc9971eSMauro Carvalho Chehab``CONFIG_PREEMPT=y`` kernels, trampolines can be preempted, and these
2636ccc9971eSMauro Carvalho Chehabthree APIs are therefore implemented by separate functions that check
2637ccc9971eSMauro Carvalho Chehabfor voluntary context switches.
2638ccc9971eSMauro Carvalho Chehab
2639ccc9971eSMauro Carvalho ChehabPossible Future Changes
2640ccc9971eSMauro Carvalho Chehab-----------------------
2641ccc9971eSMauro Carvalho Chehab
2642ccc9971eSMauro Carvalho ChehabOne of the tricks that RCU uses to attain update-side scalability is to
2643ccc9971eSMauro Carvalho Chehabincrease grace-period latency with increasing numbers of CPUs. If this
2644ccc9971eSMauro Carvalho Chehabbecomes a serious problem, it will be necessary to rework the
2645ccc9971eSMauro Carvalho Chehabgrace-period state machine so as to avoid the need for the additional
2646ccc9971eSMauro Carvalho Chehablatency.
2647ccc9971eSMauro Carvalho Chehab
2648ccc9971eSMauro Carvalho ChehabRCU disables CPU hotplug in a few places, perhaps most notably in the
2649ccc9971eSMauro Carvalho Chehab``rcu_barrier()`` operations. If there is a strong reason to use
2650ccc9971eSMauro Carvalho Chehab``rcu_barrier()`` in CPU-hotplug notifiers, it will be necessary to
2651ccc9971eSMauro Carvalho Chehabavoid disabling CPU hotplug. This would introduce some complexity, so
2652ccc9971eSMauro Carvalho Chehabthere had better be a *very* good reason.
2653ccc9971eSMauro Carvalho Chehab
2654ccc9971eSMauro Carvalho ChehabThe tradeoff between grace-period latency on the one hand and
2655ccc9971eSMauro Carvalho Chehabinterruptions of other CPUs on the other hand may need to be
2656ccc9971eSMauro Carvalho Chehabre-examined. The desire is of course for zero grace-period latency as
2657ccc9971eSMauro Carvalho Chehabwell as zero interprocessor interrupts undertaken during an expedited
2658ccc9971eSMauro Carvalho Chehabgrace period operation. While this ideal is unlikely to be achievable,
2659ccc9971eSMauro Carvalho Chehabit is quite possible that further improvements can be made.
2660ccc9971eSMauro Carvalho Chehab
2661ccc9971eSMauro Carvalho ChehabThe multiprocessor implementations of RCU use a combining tree that
2662ccc9971eSMauro Carvalho Chehabgroups CPUs so as to reduce lock contention and increase cache locality.
2663ccc9971eSMauro Carvalho ChehabHowever, this combining tree does not spread its memory across NUMA
2664ccc9971eSMauro Carvalho Chehabnodes nor does it align the CPU groups with hardware features such as
2665ccc9971eSMauro Carvalho Chehabsockets or cores. Such spreading and alignment is currently believed to
2666ccc9971eSMauro Carvalho Chehabbe unnecessary because the hotpath read-side primitives do not access
2667ccc9971eSMauro Carvalho Chehabthe combining tree, nor does ``call_rcu()`` in the common case. If you
2668ccc9971eSMauro Carvalho Chehabbelieve that your architecture needs such spreading and alignment, then
2669ccc9971eSMauro Carvalho Chehabyour architecture should also benefit from the
2670ccc9971eSMauro Carvalho Chehab``rcutree.rcu_fanout_leaf`` boot parameter, which can be set to the
2671ccc9971eSMauro Carvalho Chehabnumber of CPUs in a socket, NUMA node, or whatever. If the number of
2672ccc9971eSMauro Carvalho ChehabCPUs is too large, use a fraction of the number of CPUs. If the number
2673ccc9971eSMauro Carvalho Chehabof CPUs is a large prime number, well, that certainly is an
2674ccc9971eSMauro Carvalho Chehab“interesting” architectural choice! More flexible arrangements might be
2675ccc9971eSMauro Carvalho Chehabconsidered, but only if ``rcutree.rcu_fanout_leaf`` has proven
2676ccc9971eSMauro Carvalho Chehabinadequate, and only if the inadequacy has been demonstrated by a
2677ccc9971eSMauro Carvalho Chehabcarefully run and realistic system-level workload.
2678ccc9971eSMauro Carvalho Chehab
2679ccc9971eSMauro Carvalho ChehabPlease note that arrangements that require RCU to remap CPU numbers will
2680ccc9971eSMauro Carvalho Chehabrequire extremely good demonstration of need and full exploration of
2681ccc9971eSMauro Carvalho Chehabalternatives.
2682ccc9971eSMauro Carvalho Chehab
2683ccc9971eSMauro Carvalho ChehabRCU's various kthreads are reasonably recent additions. It is quite
2684ccc9971eSMauro Carvalho Chehablikely that adjustments will be required to more gracefully handle
2685ccc9971eSMauro Carvalho Chehabextreme loads. It might also be necessary to be able to relate CPU
2686ccc9971eSMauro Carvalho Chehabutilization by RCU's kthreads and softirq handlers to the code that
2687ccc9971eSMauro Carvalho Chehabinstigated this CPU utilization. For example, RCU callback overhead
2688ccc9971eSMauro Carvalho Chehabmight be charged back to the originating ``call_rcu()`` instance, though
2689ccc9971eSMauro Carvalho Chehabprobably not in production kernels.
2690ccc9971eSMauro Carvalho Chehab
2691ccc9971eSMauro Carvalho ChehabAdditional work may be required to provide reasonable forward-progress
2692ccc9971eSMauro Carvalho Chehabguarantees under heavy load for grace periods and for callback
2693ccc9971eSMauro Carvalho Chehabinvocation.
2694ccc9971eSMauro Carvalho Chehab
2695ccc9971eSMauro Carvalho ChehabSummary
2696ccc9971eSMauro Carvalho Chehab-------
2697ccc9971eSMauro Carvalho Chehab
2698ccc9971eSMauro Carvalho ChehabThis document has presented more than two decade's worth of RCU
2699ccc9971eSMauro Carvalho Chehabrequirements. Given that the requirements keep changing, this will not
2700ccc9971eSMauro Carvalho Chehabbe the last word on this subject, but at least it serves to get an
2701ccc9971eSMauro Carvalho Chehabimportant subset of the requirements set forth.
2702ccc9971eSMauro Carvalho Chehab
2703ccc9971eSMauro Carvalho ChehabAcknowledgments
2704ccc9971eSMauro Carvalho Chehab---------------
2705ccc9971eSMauro Carvalho Chehab
2706ccc9971eSMauro Carvalho ChehabI am grateful to Steven Rostedt, Lai Jiangshan, Ingo Molnar, Oleg
2707ccc9971eSMauro Carvalho ChehabNesterov, Borislav Petkov, Peter Zijlstra, Boqun Feng, and Andy
2708ccc9971eSMauro Carvalho ChehabLutomirski for their help in rendering this article human readable, and
2709ccc9971eSMauro Carvalho Chehabto Michelle Rankin for her support of this effort. Other contributions
2710ccc9971eSMauro Carvalho Chehabare acknowledged in the Linux kernel's git archive.
2711