Re: SIGSEGVs after 39a167560a61 ("rseq: Optimize event setting")

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Thomas Gleixner <tglx@kernel.org>
To: Dmitry Vyukov <dvyukov@google.com>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: David Matlack <dmatlack@google.com>,
	Marco Elver <elver@google.com>,
	Peter Zijlstra <peterz@infradead.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Michael Jeanson <mjeanson@efficios.com>,
	Jens Axboe <axboe@kernel.dk>,
	"Paul E. McKenney" <paulmck@kernel.org>, X86 ML <x86@kernel.org>,
	Sean Christopherson <seanjc@google.com>,
	Wei Liu <wei.liu@kernel.org>
Subject: Re: SIGSEGVs after 39a167560a61 ("rseq: Optimize event setting")
Date: Wed, 28 Jan 2026 14:16:31 +0100	[thread overview]
Message-ID: <874io5andc.ffs@tglx> (raw)
In-Reply-To: <CACT4Y+YKR253_nuBhGhtjKf1QmhBRMkrqDwBPieadic3kybE+w@mail.gmail.com>

On Wed, Jan 28 2026 at 12:40, Dmitry Vyukov wrote:
> On Wed, 28 Jan 2026 at 12:28, Mathieu Desnoyers
> <mathieu.desnoyers@efficios.com> wrote:
>> I suspect that tcmalloc's aliasing of the rseq cpu_id_start field
>> with its own data structure, corrupting its content, and expecting the
>> kernel to update it on every preemption does not work anymore, because
>> the kernel only updates it when the cpu_id actually changes.
>
> I can't recall now why tcmalloc would need updates on every
> preemption... Do you know why?

From the tcmalloc docs:

    "To understand that the cached pointer is not valid anymore when a
     thread is rescheduled to another CPU, we overlap the top 4 bytes of
     the cached address with `__rseq_abi.cpu_id_start`. When a thread is
     rescheduled the kernel overwrites `cpu_id_start` with the current
     CPU number, which gives us the signal that the cached address is not
     valid anymore."

That's still the case as the kernel updates the CPU number when the task
is migrated to a different CPU. What it not longer does is updating the
CPU number for the preemption case on the same CPU because that's just a
massive waste of CPU cycles.

Now the interesting part of that documentation:

    "To distinguish the high part of the cached address from the CPU
     number, we set the top bit in the cached address, real CPU numbers
     (`<2^31`) do not have this bit set.

     With these arrangements, slabs address calculation on
     allocation/deallocation fast paths reduces to load and check of the
     cached address:

     ```
     slabs = __rseq_abi[-4];
     if ((slabs & (1 << 63)) == 0) goto slowpath;
     slabs &= ~(1 << 63);
     ```"

which means the code fiddles in rseq_abi::cpu_id_start. That never
worked on a RSEQ DEBUG enabled kernel because the kernel detects that
user space fiddled with data which is defined as USER_RO in the ABI and
kills the offender.

I have not looked at the code, but I suspect that this is also
(undocumented) abused as a light weight preemption indicator and that
indication is not longer given as the kernel only updates when the CPU
number changed.

As this was never correctly using the ABI (enable CONFIG_RSEQ_DEBUG on a
pre 6.19 kernel and watch the show or ask David) this is a pure tcmalloc
problem and not a regression. And no, we are not catering to that abuse
for the cost of performance regressions which have been observed after
glibc enabled rseq.

Thanks,

        tglx

next prev parent reply	other threads:[~2026-01-28 13:16 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-01-26 19:46 SIGSEGVs after 39a167560a61 ("rseq: Optimize event setting") David Matlack
2026-01-26 20:47 ` Peter Zijlstra
2026-01-26 20:49   ` Peter Zijlstra
2026-01-26 21:50   ` Thomas Gleixner
2026-01-26 22:27     ` David Matlack
2026-01-26 22:35       ` Mathieu Desnoyers
2026-01-27 20:34         ` Mathieu Desnoyers
2026-01-28  8:54           ` Dmitry Vyukov
2026-01-28 11:28             ` Mathieu Desnoyers
2026-01-28 11:40               ` Dmitry Vyukov
2026-01-28 13:16                 ` Thomas Gleixner [this message]
2026-02-02  7:11                   ` Dmitry Vyukov

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=874io5andc.ffs@tglx \
    --to=tglx@kernel.org \
    --cc=axboe@kernel.dk \
    --cc=dmatlack@google.com \
    --cc=dvyukov@google.com \
    --cc=elver@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mathieu.desnoyers@efficios.com \
    --cc=mjeanson@efficios.com \
    --cc=paulmck@kernel.org \
    --cc=peterz@infradead.org \
    --cc=seanjc@google.com \
    --cc=wei.liu@kernel.org \
    --cc=x86@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox