aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPaul E. McKenney <paulmck@us.ibm.com>2006-06-25 08:48:44 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-06-25 13:01:17 -0400
commit165d6c78ee24127dde5c750b2af0a239f9c11d1a (patch)
treea9329b5b24893588114441f43d576dfa310e5f43
parent76d42bd96984832c4ea8bc8cbd74e496ac31409e (diff)
[PATCH] RCU documentation: self-limiting updates and call_rcu()
An update to the RCU documentation calling out the self-limiting-update-rate advantages of synchronize_rcu(), and describing how to use call_rcu() in a way that results in self-limiting updates. Self-limiting updates are important to avoiding RCU-induced OOM in face of denial-of-service attacks. Signed-off-by: Paul E. McKenney <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r--Documentation/RCU/checklist.txt44
-rw-r--r--Documentation/RCU/whatisRCU.txt12
2 files changed, 52 insertions, 4 deletions
diff --git a/Documentation/RCU/checklist.txt b/Documentation/RCU/checklist.txt
index 49e27cc19385..1d50cf0c905e 100644
--- a/Documentation/RCU/checklist.txt
+++ b/Documentation/RCU/checklist.txt
@@ -144,9 +144,47 @@ over a rather long period of time, but improvements are always welcome!
144 whether the increased speed is worth it. 144 whether the increased speed is worth it.
145 145
1468. Although synchronize_rcu() is a bit slower than is call_rcu(), 1468. Although synchronize_rcu() is a bit slower than is call_rcu(),
147 it usually results in simpler code. So, unless update performance 147 it usually results in simpler code. So, unless update
148 is important or the updaters cannot block, synchronize_rcu() 148 performance is critically important or the updaters cannot block,
149 should be used in preference to call_rcu(). 149 synchronize_rcu() should be used in preference to call_rcu().
150
151 An especially important property of the synchronize_rcu()
152 primitive is that it automatically self-limits: if grace periods
153 are delayed for whatever reason, then the synchronize_rcu()
154 primitive will correspondingly delay updates. In contrast,
155 code using call_rcu() should explicitly limit update rate in
156 cases where grace periods are delayed, as failing to do so can
157 result in excessive realtime latencies or even OOM conditions.
158
159 Ways of gaining this self-limiting property when using call_rcu()
160 include:
161
162 a. Keeping a count of the number of data-structure elements
163 used by the RCU-protected data structure, including those
164 waiting for a grace period to elapse. Enforce a limit
165 on this number, stalling updates as needed to allow
166 previously deferred frees to complete.
167
168 Alternatively, limit only the number awaiting deferred
169 free rather than the total number of elements.
170
171 b. Limiting update rate. For example, if updates occur only
172 once per hour, then no explicit rate limiting is required,
173 unless your system is already badly broken. The dcache
174 subsystem takes this approach -- updates are guarded
175 by a global lock, limiting their rate.
176
177 c. Trusted update -- if updates can only be done manually by
178 superuser or some other trusted user, then it might not
179 be necessary to automatically limit them. The theory
180 here is that superuser already has lots of ways to crash
181 the machine.
182
183 d. Use call_rcu_bh() rather than call_rcu(), in order to take
184 advantage of call_rcu_bh()'s faster grace periods.
185
186 e. Periodically invoke synchronize_rcu(), permitting a limited
187 number of updates per grace period.
150 188
1519. All RCU list-traversal primitives, which include 1899. All RCU list-traversal primitives, which include
152 list_for_each_rcu(), list_for_each_entry_rcu(), 190 list_for_each_rcu(), list_for_each_entry_rcu(),
diff --git a/Documentation/RCU/whatisRCU.txt b/Documentation/RCU/whatisRCU.txt
index 6e459420ee9f..4f41a60e5111 100644
--- a/Documentation/RCU/whatisRCU.txt
+++ b/Documentation/RCU/whatisRCU.txt
@@ -184,7 +184,17 @@ synchronize_rcu()
184 blocking, it registers a function and argument which are invoked 184 blocking, it registers a function and argument which are invoked
185 after all ongoing RCU read-side critical sections have completed. 185 after all ongoing RCU read-side critical sections have completed.
186 This callback variant is particularly useful in situations where 186 This callback variant is particularly useful in situations where
187 it is illegal to block. 187 it is illegal to block or where update-side performance is
188 critically important.
189
190 However, the call_rcu() API should not be used lightly, as use
191 of the synchronize_rcu() API generally results in simpler code.
192 In addition, the synchronize_rcu() API has the nice property
193 of automatically limiting update rate should grace periods
194 be delayed. This property results in system resilience in face
195 of denial-of-service attacks. Code using call_rcu() should limit
196 update rate in order to gain this same sort of resilience. See
197 checklist.txt for some approaches to limiting the update rate.
188 198
189rcu_assign_pointer() 199rcu_assign_pointer()
190 200