2017-10-04 16:33:43 +00:00
|
|
|
/*
|
2010-05-17 22:18:00 +00:00
|
|
|
* Copyright (C) 2007-2010 Lawrence Livermore National Security, LLC.
|
|
|
|
* Copyright (C) 2007 The Regents of the University of California.
|
|
|
|
* Produced at Lawrence Livermore National Laboratory (cf, DISCLAIMER).
|
|
|
|
* Written by Brian Behlendorf <behlendorf1@llnl.gov>.
|
2008-05-26 04:38:26 +00:00
|
|
|
* UCRL-CODE-235197
|
|
|
|
*
|
2010-05-17 22:18:00 +00:00
|
|
|
* This file is part of the SPL, Solaris Porting Layer.
|
|
|
|
*
|
|
|
|
* The SPL is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version.
|
2008-05-26 04:38:26 +00:00
|
|
|
*
|
2010-05-17 22:18:00 +00:00
|
|
|
* The SPL is distributed in the hope that it will be useful, but WITHOUT
|
2008-05-26 04:38:26 +00:00
|
|
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License along
|
2010-05-17 22:18:00 +00:00
|
|
|
* with the SPL. If not, see <http://www.gnu.org/licenses/>.
|
2018-02-07 19:49:38 +00:00
|
|
|
*
|
2010-05-17 22:18:00 +00:00
|
|
|
* Solaris Porting Layer (SPL) Generic Implementation.
|
2017-10-04 16:33:43 +00:00
|
|
|
*/
|
2008-05-26 04:38:26 +00:00
|
|
|
|
2008-03-04 18:22:31 +00:00
|
|
|
#include <sys/sysmacros.h>
|
2009-02-19 19:26:17 +00:00
|
|
|
#include <sys/systeminfo.h>
|
2008-03-14 00:04:01 +00:00
|
|
|
#include <sys/vmsystm.h>
|
2008-03-14 20:56:26 +00:00
|
|
|
#include <sys/kmem.h>
|
2014-12-08 18:04:42 +00:00
|
|
|
#include <sys/kmem_cache.h>
|
|
|
|
#include <sys/vmem.h>
|
2008-05-05 20:18:49 +00:00
|
|
|
#include <sys/mutex.h>
|
2009-09-25 21:14:35 +00:00
|
|
|
#include <sys/rwlock.h>
|
2009-01-05 23:08:03 +00:00
|
|
|
#include <sys/taskq.h>
|
2010-11-30 17:51:46 +00:00
|
|
|
#include <sys/tsd.h>
|
2011-02-25 21:26:19 +00:00
|
|
|
#include <sys/zmod.h>
|
2008-03-31 20:42:36 +00:00
|
|
|
#include <sys/debug.h>
|
2008-04-18 23:39:58 +00:00
|
|
|
#include <sys/proc.h>
|
2008-05-08 23:21:47 +00:00
|
|
|
#include <sys/kstat.h>
|
2009-07-10 17:56:32 +00:00
|
|
|
#include <sys/file.h>
|
2020-06-11 20:25:39 +00:00
|
|
|
#include <sys/sunddi.h>
|
2014-12-08 18:04:42 +00:00
|
|
|
#include <linux/ctype.h>
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
#include <sys/disp.h>
|
|
|
|
#include <sys/random.h>
|
2022-01-22 00:56:46 +00:00
|
|
|
#include <sys/string.h>
|
2008-04-12 04:27:59 +00:00
|
|
|
#include <linux/kmod.h>
|
2019-11-01 17:41:03 +00:00
|
|
|
#include <linux/mod_compat.h>
|
2019-11-21 17:32:57 +00:00
|
|
|
#include <sys/cred.h>
|
|
|
|
#include <sys/vnode.h>
|
2008-04-12 04:27:59 +00:00
|
|
|
|
2013-03-12 01:16:36 +00:00
|
|
|
unsigned long spl_hostid = 0;
|
2008-04-12 04:27:59 +00:00
|
|
|
EXPORT_SYMBOL(spl_hostid);
|
2022-01-14 23:37:55 +00:00
|
|
|
|
2022-01-21 16:07:15 +00:00
|
|
|
/* CSTYLED */
|
2011-04-11 19:49:50 +00:00
|
|
|
module_param(spl_hostid, ulong, 0644);
|
|
|
|
MODULE_PARM_DESC(spl_hostid, "The system hostid.");
|
2008-03-31 20:42:36 +00:00
|
|
|
|
2016-10-05 00:26:36 +00:00
|
|
|
proc_t p0;
|
2008-02-27 19:09:51 +00:00
|
|
|
EXPORT_SYMBOL(p0);
|
2008-02-27 21:56:51 +00:00
|
|
|
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
/*
|
|
|
|
* Xorshift Pseudo Random Number Generator based on work by Sebastiano Vigna
|
|
|
|
*
|
|
|
|
* "Further scramblings of Marsaglia's xorshift generators"
|
|
|
|
* http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
|
|
|
|
*
|
|
|
|
* random_get_pseudo_bytes() is an API function on Illumos whose sole purpose
|
|
|
|
* is to provide bytes containing random numbers. It is mapped to /dev/urandom
|
|
|
|
* on Illumos, which uses a "FIPS 186-2 algorithm". No user of the SPL's
|
|
|
|
* random_get_pseudo_bytes() needs bytes that are of cryptographic quality, so
|
|
|
|
* we can implement it using a fast PRNG that we seed using Linux' actual
|
|
|
|
* equivalent to random_get_pseudo_bytes(). We do this by providing each CPU
|
|
|
|
* with an independent seed so that all calls to random_get_pseudo_bytes() are
|
|
|
|
* free of atomic instructions.
|
|
|
|
*
|
|
|
|
* A consequence of using a fast PRNG is that using random_get_pseudo_bytes()
|
|
|
|
* to generate words larger than 128 bits will paradoxically be limited to
|
|
|
|
* `2^128 - 1` possibilities. This is because we have a sequence of `2^128 - 1`
|
|
|
|
* 128-bit words and selecting the first will implicitly select the second. If
|
2019-08-30 21:32:18 +00:00
|
|
|
* a caller finds this behavior undesirable, random_get_bytes() should be used
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
* instead.
|
|
|
|
*
|
|
|
|
* XXX: Linux interrupt handlers that trigger within the critical section
|
|
|
|
* formed by `s[1] = xp[1];` and `xp[0] = s[0];` and call this function will
|
|
|
|
* see the same numbers. Nothing in the code currently calls this in an
|
|
|
|
* interrupt handler, so this is considered to be okay. If that becomes a
|
|
|
|
* problem, we could create a set of per-cpu variables for interrupt handlers
|
|
|
|
* and use them when in_interrupt() from linux/preempt_mask.h evaluates to
|
|
|
|
* true.
|
|
|
|
*/
|
2020-02-06 17:26:13 +00:00
|
|
|
void __percpu *spl_pseudo_entropy;
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* spl_rand_next()/spl_rand_jump() are copied from the following CC-0 licensed
|
|
|
|
* file:
|
|
|
|
*
|
|
|
|
* http://xorshift.di.unimi.it/xorshift128plus.c
|
|
|
|
*/
|
|
|
|
|
|
|
|
static inline uint64_t
|
2018-02-24 18:05:37 +00:00
|
|
|
spl_rand_next(uint64_t *s)
|
|
|
|
{
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
uint64_t s1 = s[0];
|
|
|
|
const uint64_t s0 = s[1];
|
|
|
|
s[0] = s0;
|
|
|
|
s1 ^= s1 << 23; // a
|
|
|
|
s[1] = s1 ^ s0 ^ (s1 >> 18) ^ (s0 >> 5); // b, c
|
|
|
|
return (s[1] + s0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline void
|
2018-02-24 18:05:37 +00:00
|
|
|
spl_rand_jump(uint64_t *s)
|
|
|
|
{
|
2018-02-07 19:49:38 +00:00
|
|
|
static const uint64_t JUMP[] =
|
|
|
|
{ 0x8a5cd789635d2dff, 0x121fd2155c472f96 };
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
|
|
|
uint64_t s0 = 0;
|
|
|
|
uint64_t s1 = 0;
|
|
|
|
int i, b;
|
2018-02-07 19:49:38 +00:00
|
|
|
for (i = 0; i < sizeof (JUMP) / sizeof (*JUMP); i++)
|
|
|
|
for (b = 0; b < 64; b++) {
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
if (JUMP[i] & 1ULL << b) {
|
|
|
|
s0 ^= s[0];
|
|
|
|
s1 ^= s[1];
|
|
|
|
}
|
|
|
|
(void) spl_rand_next(s);
|
|
|
|
}
|
|
|
|
|
|
|
|
s[0] = s0;
|
|
|
|
s[1] = s1;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
random_get_pseudo_bytes(uint8_t *ptr, size_t len)
|
|
|
|
{
|
|
|
|
uint64_t *xp, s[2];
|
|
|
|
|
|
|
|
ASSERT(ptr);
|
|
|
|
|
2020-02-06 17:26:13 +00:00
|
|
|
xp = get_cpu_ptr(spl_pseudo_entropy);
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
|
|
|
s[0] = xp[0];
|
|
|
|
s[1] = xp[1];
|
|
|
|
|
|
|
|
while (len) {
|
|
|
|
union {
|
|
|
|
uint64_t ui64;
|
|
|
|
uint8_t byte[sizeof (uint64_t)];
|
|
|
|
}entropy;
|
|
|
|
int i = MIN(len, sizeof (uint64_t));
|
|
|
|
|
|
|
|
len -= i;
|
|
|
|
entropy.ui64 = spl_rand_next(s);
|
|
|
|
|
|
|
|
while (i--)
|
|
|
|
*ptr++ = entropy.byte[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
xp[0] = s[0];
|
|
|
|
xp[1] = s[1];
|
|
|
|
|
2020-02-06 17:26:13 +00:00
|
|
|
put_cpu_ptr(spl_pseudo_entropy);
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(random_get_pseudo_bytes);
|
|
|
|
|
2010-07-12 19:38:34 +00:00
|
|
|
#if BITS_PER_LONG == 32
|
2020-06-17 20:02:34 +00:00
|
|
|
|
2008-08-11 22:42:04 +00:00
|
|
|
/*
|
2010-07-12 19:38:34 +00:00
|
|
|
* Support 64/64 => 64 division on a 32-bit platform. While the kernel
|
|
|
|
* provides a div64_u64() function for this we do not use it because the
|
|
|
|
* implementation is flawed. There are cases which return incorrect
|
|
|
|
* results as late as linux-2.6.35. Until this is fixed upstream the
|
|
|
|
* spl must provide its own implementation.
|
|
|
|
*
|
|
|
|
* This implementation is a slightly modified version of the algorithm
|
|
|
|
* proposed by the book 'Hacker's Delight'. The original source can be
|
|
|
|
* found here and is available for use without restriction.
|
|
|
|
*
|
|
|
|
* http://www.hackersdelight.org/HDcode/newCode/divDouble.c
|
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Calculate number of leading of zeros for a 64-bit value.
|
|
|
|
*/
|
|
|
|
static int
|
2018-02-24 18:05:37 +00:00
|
|
|
nlz64(uint64_t x)
|
|
|
|
{
|
2010-07-12 19:38:34 +00:00
|
|
|
register int n = 0;
|
|
|
|
|
|
|
|
if (x == 0)
|
2018-02-07 19:49:38 +00:00
|
|
|
return (64);
|
2010-07-12 19:38:34 +00:00
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
if (x <= 0x00000000FFFFFFFFULL) { n = n + 32; x = x << 32; }
|
|
|
|
if (x <= 0x0000FFFFFFFFFFFFULL) { n = n + 16; x = x << 16; }
|
|
|
|
if (x <= 0x00FFFFFFFFFFFFFFULL) { n = n + 8; x = x << 8; }
|
|
|
|
if (x <= 0x0FFFFFFFFFFFFFFFULL) { n = n + 4; x = x << 4; }
|
|
|
|
if (x <= 0x3FFFFFFFFFFFFFFFULL) { n = n + 2; x = x << 2; }
|
|
|
|
if (x <= 0x7FFFFFFFFFFFFFFFULL) { n = n + 1; }
|
2010-07-12 19:38:34 +00:00
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
return (n);
|
2010-07-12 19:38:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Newer kernels have a div_u64() function but we define our own
|
2019-08-30 21:32:18 +00:00
|
|
|
* to simplify portability between kernel versions.
|
2010-07-12 19:38:34 +00:00
|
|
|
*/
|
|
|
|
static inline uint64_t
|
|
|
|
__div_u64(uint64_t u, uint32_t v)
|
|
|
|
{
|
|
|
|
(void) do_div(u, v);
|
2018-02-07 19:49:38 +00:00
|
|
|
return (u);
|
2010-07-12 19:38:34 +00:00
|
|
|
}
|
|
|
|
|
2020-06-17 20:02:34 +00:00
|
|
|
/*
|
|
|
|
* Turn off missing prototypes warning for these functions. They are
|
|
|
|
* replacements for libgcc-provided functions and will never be called
|
|
|
|
* directly.
|
|
|
|
*/
|
|
|
|
#pragma GCC diagnostic push
|
|
|
|
#pragma GCC diagnostic ignored "-Wmissing-prototypes"
|
|
|
|
|
2010-07-12 19:38:34 +00:00
|
|
|
/*
|
|
|
|
* Implementation of 64-bit unsigned division for 32-bit machines.
|
|
|
|
*
|
|
|
|
* First the procedure takes care of the case in which the divisor is a
|
|
|
|
* 32-bit quantity. There are two subcases: (1) If the left half of the
|
|
|
|
* dividend is less than the divisor, one execution of do_div() is all that
|
|
|
|
* is required (overflow is not possible). (2) Otherwise it does two
|
|
|
|
* divisions, using the grade school method.
|
2008-08-11 22:42:04 +00:00
|
|
|
*/
|
2010-06-03 05:01:14 +00:00
|
|
|
uint64_t
|
2010-07-12 19:38:34 +00:00
|
|
|
__udivdi3(uint64_t u, uint64_t v)
|
2008-08-11 22:42:04 +00:00
|
|
|
{
|
2010-07-12 19:38:34 +00:00
|
|
|
uint64_t u0, u1, v1, q0, q1, k;
|
|
|
|
int n;
|
|
|
|
|
|
|
|
if (v >> 32 == 0) { // If v < 2**32:
|
|
|
|
if (u >> 32 < v) { // If u/v cannot overflow,
|
2018-02-07 19:49:38 +00:00
|
|
|
return (__div_u64(u, v)); // just do one division.
|
2010-07-12 19:38:34 +00:00
|
|
|
} else { // If u/v would overflow:
|
|
|
|
u1 = u >> 32; // Break u into two halves.
|
|
|
|
u0 = u & 0xFFFFFFFF;
|
|
|
|
q1 = __div_u64(u1, v); // First quotient digit.
|
|
|
|
k = u1 - q1 * v; // First remainder, < v.
|
|
|
|
u0 += (k << 32);
|
|
|
|
q0 = __div_u64(u0, v); // Seconds quotient digit.
|
2018-02-07 19:49:38 +00:00
|
|
|
return ((q1 << 32) + q0);
|
2010-07-12 19:38:34 +00:00
|
|
|
}
|
|
|
|
} else { // If v >= 2**32:
|
|
|
|
n = nlz64(v); // 0 <= n <= 31.
|
|
|
|
v1 = (v << n) >> 32; // Normalize divisor, MSB is 1.
|
|
|
|
u1 = u >> 1; // To ensure no overflow.
|
|
|
|
q1 = __div_u64(u1, v1); // Get quotient from
|
|
|
|
q0 = (q1 << n) >> 31; // Undo normalization and
|
|
|
|
// division of u by 2.
|
|
|
|
if (q0 != 0) // Make q0 correct or
|
|
|
|
q0 = q0 - 1; // too small by 1.
|
|
|
|
if ((u - q0 * v) >= v)
|
|
|
|
q0 = q0 + 1; // Now q0 is correct.
|
2012-05-02 00:15:28 +00:00
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
return (q0);
|
2010-07-12 19:38:34 +00:00
|
|
|
}
|
2008-11-03 20:34:17 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__udivdi3);
|
|
|
|
|
2018-02-15 01:01:15 +00:00
|
|
|
#ifndef abs64
|
2022-01-21 16:07:15 +00:00
|
|
|
/* CSTYLED */
|
2018-02-15 01:01:15 +00:00
|
|
|
#define abs64(x) ({ uint64_t t = (x) >> 63; ((x) ^ t) - t; })
|
|
|
|
#endif
|
|
|
|
|
2008-11-03 20:34:17 +00:00
|
|
|
/*
|
2010-07-12 19:38:34 +00:00
|
|
|
* Implementation of 64-bit signed division for 32-bit machines.
|
|
|
|
*/
|
|
|
|
int64_t
|
|
|
|
__divdi3(int64_t u, int64_t v)
|
|
|
|
{
|
|
|
|
int64_t q, t;
|
|
|
|
q = __udivdi3(abs64(u), abs64(v));
|
|
|
|
t = (u ^ v) >> 63; // If u, v have different
|
2018-02-07 19:49:38 +00:00
|
|
|
return ((q ^ t) - t); // signs, negate q.
|
2010-07-12 19:38:34 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__divdi3);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Implementation of 64-bit unsigned modulo for 32-bit machines.
|
2008-11-03 20:34:17 +00:00
|
|
|
*/
|
2010-06-03 05:01:14 +00:00
|
|
|
uint64_t
|
|
|
|
__umoddi3(uint64_t dividend, uint64_t divisor)
|
2008-11-03 20:34:17 +00:00
|
|
|
{
|
2010-06-03 05:01:14 +00:00
|
|
|
return (dividend - (divisor * __udivdi3(dividend, divisor)));
|
2008-08-11 22:42:04 +00:00
|
|
|
}
|
2008-11-03 20:34:17 +00:00
|
|
|
EXPORT_SYMBOL(__umoddi3);
|
2010-07-12 19:38:34 +00:00
|
|
|
|
2020-06-17 20:02:34 +00:00
|
|
|
/* 64-bit signed modulo for 32-bit machines. */
|
|
|
|
int64_t
|
|
|
|
__moddi3(int64_t n, int64_t d)
|
|
|
|
{
|
|
|
|
int64_t q;
|
|
|
|
boolean_t nn = B_FALSE;
|
|
|
|
|
|
|
|
if (n < 0) {
|
|
|
|
nn = B_TRUE;
|
|
|
|
n = -n;
|
|
|
|
}
|
|
|
|
if (d < 0)
|
|
|
|
d = -d;
|
|
|
|
|
|
|
|
q = __umoddi3(n, d);
|
|
|
|
|
|
|
|
return (nn ? -q : q);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__moddi3);
|
|
|
|
|
2017-08-03 17:41:42 +00:00
|
|
|
/*
|
|
|
|
* Implementation of 64-bit unsigned division/modulo for 32-bit machines.
|
|
|
|
*/
|
|
|
|
uint64_t
|
|
|
|
__udivmoddi4(uint64_t n, uint64_t d, uint64_t *r)
|
|
|
|
{
|
|
|
|
uint64_t q = __udivdi3(n, d);
|
|
|
|
if (r)
|
|
|
|
*r = n - d * q;
|
|
|
|
return (q);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__udivmoddi4);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Implementation of 64-bit signed division/modulo for 32-bit machines.
|
|
|
|
*/
|
|
|
|
int64_t
|
|
|
|
__divmoddi4(int64_t n, int64_t d, int64_t *r)
|
|
|
|
{
|
|
|
|
int64_t q, rr;
|
|
|
|
boolean_t nn = B_FALSE;
|
|
|
|
boolean_t nd = B_FALSE;
|
|
|
|
if (n < 0) {
|
|
|
|
nn = B_TRUE;
|
|
|
|
n = -n;
|
|
|
|
}
|
|
|
|
if (d < 0) {
|
|
|
|
nd = B_TRUE;
|
|
|
|
d = -d;
|
|
|
|
}
|
|
|
|
|
|
|
|
q = __udivmoddi4(n, d, (uint64_t *)&rr);
|
|
|
|
|
|
|
|
if (nn != nd)
|
|
|
|
q = -q;
|
|
|
|
if (nn)
|
|
|
|
rr = -rr;
|
|
|
|
if (r)
|
|
|
|
*r = rr;
|
|
|
|
return (q);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__divmoddi4);
|
|
|
|
|
2012-05-02 00:15:28 +00:00
|
|
|
#if defined(__arm) || defined(__arm__)
|
|
|
|
/*
|
2012-05-15 05:45:09 +00:00
|
|
|
* Implementation of 64-bit (un)signed division for 32-bit arm machines.
|
|
|
|
*
|
|
|
|
* Run-time ABI for the ARM Architecture (page 20). A pair of (unsigned)
|
|
|
|
* long longs is returned in {{r0, r1}, {r2,r3}}, the quotient in {r0, r1},
|
|
|
|
* and the remainder in {r2, r3}. The return type is specifically left
|
|
|
|
* set to 'void' to ensure the compiler does not overwrite these registers
|
|
|
|
* during the return. All results are in registers as per ABI
|
2012-05-02 00:15:28 +00:00
|
|
|
*/
|
2012-05-15 05:45:09 +00:00
|
|
|
void
|
2012-05-02 00:15:28 +00:00
|
|
|
__aeabi_uldivmod(uint64_t u, uint64_t v)
|
|
|
|
{
|
2012-05-15 05:45:09 +00:00
|
|
|
uint64_t res;
|
|
|
|
uint64_t mod;
|
|
|
|
|
|
|
|
res = __udivdi3(u, v);
|
|
|
|
mod = __umoddi3(u, v);
|
|
|
|
{
|
|
|
|
register uint32_t r0 asm("r0") = (res & 0xFFFFFFFF);
|
|
|
|
register uint32_t r1 asm("r1") = (res >> 32);
|
|
|
|
register uint32_t r2 asm("r2") = (mod & 0xFFFFFFFF);
|
|
|
|
register uint32_t r3 asm("r3") = (mod >> 32);
|
|
|
|
|
|
|
|
asm volatile(""
|
2022-01-21 16:07:15 +00:00
|
|
|
: "+r"(r0), "+r"(r1), "+r"(r2), "+r"(r3) /* output */
|
|
|
|
: "r"(r0), "r"(r1), "r"(r2), "r"(r3)); /* input */
|
2012-05-15 05:45:09 +00:00
|
|
|
|
|
|
|
return; /* r0; */
|
|
|
|
}
|
2012-05-02 00:15:28 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__aeabi_uldivmod);
|
|
|
|
|
2012-05-15 05:45:09 +00:00
|
|
|
void
|
2012-05-02 00:15:28 +00:00
|
|
|
__aeabi_ldivmod(int64_t u, int64_t v)
|
|
|
|
{
|
2012-05-15 05:45:09 +00:00
|
|
|
int64_t res;
|
|
|
|
uint64_t mod;
|
|
|
|
|
|
|
|
res = __divdi3(u, v);
|
|
|
|
mod = __umoddi3(u, v);
|
|
|
|
{
|
|
|
|
register uint32_t r0 asm("r0") = (res & 0xFFFFFFFF);
|
|
|
|
register uint32_t r1 asm("r1") = (res >> 32);
|
|
|
|
register uint32_t r2 asm("r2") = (mod & 0xFFFFFFFF);
|
|
|
|
register uint32_t r3 asm("r3") = (mod >> 32);
|
|
|
|
|
|
|
|
asm volatile(""
|
2022-01-21 16:07:15 +00:00
|
|
|
: "+r"(r0), "+r"(r1), "+r"(r2), "+r"(r3) /* output */
|
|
|
|
: "r"(r0), "r"(r1), "r"(r2), "r"(r3)); /* input */
|
2012-05-15 05:45:09 +00:00
|
|
|
|
|
|
|
return; /* r0; */
|
|
|
|
}
|
2012-05-02 00:15:28 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(__aeabi_ldivmod);
|
|
|
|
#endif /* __arm || __arm__ */
|
2020-06-17 20:02:34 +00:00
|
|
|
|
|
|
|
#pragma GCC diagnostic pop
|
|
|
|
|
2009-05-20 17:08:37 +00:00
|
|
|
#endif /* BITS_PER_LONG */
|
2008-08-11 22:42:04 +00:00
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
/*
|
|
|
|
* NOTE: The strtoxx behavior is solely based on my reading of the Solaris
|
2009-01-13 17:30:59 +00:00
|
|
|
* ddi_strtol(9F) man page. I have not verified the behavior of these
|
|
|
|
* functions against their Solaris counterparts. It is possible that I
|
2009-05-20 17:08:37 +00:00
|
|
|
* may have misinterpreted the man page or the man page is incorrect.
|
2009-01-13 17:30:59 +00:00
|
|
|
*/
|
2008-12-06 00:23:57 +00:00
|
|
|
int ddi_strtol(const char *, char **, int, long *);
|
|
|
|
int ddi_strtoull(const char *, char **, int, unsigned long long *);
|
|
|
|
int ddi_strtoll(const char *, char **, int, long long *);
|
|
|
|
|
2022-05-07 17:54:29 +00:00
|
|
|
#define define_ddi_strtox(type, valtype) \
|
|
|
|
int ddi_strto##type(const char *str, char **endptr, \
|
2018-02-07 19:49:38 +00:00
|
|
|
int base, valtype *result) \
|
2008-12-06 00:23:57 +00:00
|
|
|
{ \
|
2009-01-13 17:30:59 +00:00
|
|
|
valtype last_value, value = 0; \
|
|
|
|
char *ptr = (char *)str; \
|
2022-05-07 17:54:29 +00:00
|
|
|
int digit, minus = 0; \
|
|
|
|
\
|
|
|
|
while (strchr(" \t\n\r\f", *ptr)) \
|
|
|
|
++ptr; \
|
2009-01-13 17:30:59 +00:00
|
|
|
\
|
|
|
|
if (strlen(ptr) == 0) \
|
2018-02-07 19:49:38 +00:00
|
|
|
return (EINVAL); \
|
2009-01-13 17:30:59 +00:00
|
|
|
\
|
2022-05-07 17:54:29 +00:00
|
|
|
switch (*ptr) { \
|
|
|
|
case '-': \
|
|
|
|
minus = 1; \
|
|
|
|
zfs_fallthrough; \
|
|
|
|
case '+': \
|
|
|
|
++ptr; \
|
|
|
|
break; \
|
|
|
|
} \
|
|
|
|
\
|
2009-01-13 17:30:59 +00:00
|
|
|
/* Auto-detect base based on prefix */ \
|
|
|
|
if (!base) { \
|
|
|
|
if (str[0] == '0') { \
|
2018-02-07 19:49:38 +00:00
|
|
|
if (tolower(str[1]) == 'x' && isxdigit(str[2])) { \
|
2009-01-13 17:30:59 +00:00
|
|
|
base = 16; /* hex */ \
|
|
|
|
ptr += 2; \
|
|
|
|
} else if (str[1] >= '0' && str[1] < 8) { \
|
|
|
|
base = 8; /* octal */ \
|
|
|
|
ptr += 1; \
|
|
|
|
} else { \
|
2018-02-07 19:49:38 +00:00
|
|
|
return (EINVAL); \
|
2009-01-13 17:30:59 +00:00
|
|
|
} \
|
|
|
|
} else { \
|
|
|
|
base = 10; /* decimal */ \
|
|
|
|
} \
|
|
|
|
} \
|
|
|
|
\
|
|
|
|
while (1) { \
|
|
|
|
if (isdigit(*ptr)) \
|
|
|
|
digit = *ptr - '0'; \
|
|
|
|
else if (isalpha(*ptr)) \
|
|
|
|
digit = tolower(*ptr) - 'a' + 10; \
|
|
|
|
else \
|
|
|
|
break; \
|
|
|
|
\
|
|
|
|
if (digit >= base) \
|
|
|
|
break; \
|
2008-12-06 00:23:57 +00:00
|
|
|
\
|
2009-01-13 17:30:59 +00:00
|
|
|
last_value = value; \
|
|
|
|
value = value * base + digit; \
|
|
|
|
if (last_value > value) /* Overflow */ \
|
2018-02-07 19:49:38 +00:00
|
|
|
return (ERANGE); \
|
2008-12-06 00:23:57 +00:00
|
|
|
\
|
2009-01-13 17:30:59 +00:00
|
|
|
ptr++; \
|
2008-12-06 00:23:57 +00:00
|
|
|
} \
|
|
|
|
\
|
2022-05-07 17:54:29 +00:00
|
|
|
*result = minus ? -value : value; \
|
2009-01-13 17:30:59 +00:00
|
|
|
\
|
|
|
|
if (endptr) \
|
2022-05-07 17:23:28 +00:00
|
|
|
*endptr = ptr; \
|
2009-01-13 17:30:59 +00:00
|
|
|
\
|
2018-02-07 19:49:38 +00:00
|
|
|
return (0); \
|
2008-12-06 00:23:57 +00:00
|
|
|
} \
|
|
|
|
|
|
|
|
define_ddi_strtox(l, long)
|
2022-05-07 17:54:29 +00:00
|
|
|
define_ddi_strtox(ull, unsigned long long)
|
2008-12-06 00:23:57 +00:00
|
|
|
define_ddi_strtox(ll, long long)
|
|
|
|
|
|
|
|
EXPORT_SYMBOL(ddi_strtol);
|
|
|
|
EXPORT_SYMBOL(ddi_strtoll);
|
|
|
|
EXPORT_SYMBOL(ddi_strtoull);
|
2008-03-12 21:33:28 +00:00
|
|
|
|
2009-07-10 17:56:32 +00:00
|
|
|
int
|
|
|
|
ddi_copyin(const void *from, void *to, size_t len, int flags)
|
|
|
|
{
|
|
|
|
/* Fake ioctl() issued by kernel, 'from' is a kernel address */
|
|
|
|
if (flags & FKIOCTL) {
|
|
|
|
memcpy(to, from, len);
|
2018-02-07 19:49:38 +00:00
|
|
|
return (0);
|
2009-07-10 17:56:32 +00:00
|
|
|
}
|
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
return (copyin(from, to, len));
|
2009-07-10 17:56:32 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(ddi_copyin);
|
|
|
|
|
|
|
|
int
|
|
|
|
ddi_copyout(const void *from, void *to, size_t len, int flags)
|
|
|
|
{
|
|
|
|
/* Fake ioctl() issued by kernel, 'from' is a kernel address */
|
|
|
|
if (flags & FKIOCTL) {
|
|
|
|
memcpy(to, from, len);
|
2018-02-07 19:49:38 +00:00
|
|
|
return (0);
|
2009-07-10 17:56:32 +00:00
|
|
|
}
|
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
return (copyout(from, to, len));
|
2009-07-10 17:56:32 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(ddi_copyout);
|
|
|
|
|
2019-11-21 17:32:57 +00:00
|
|
|
static ssize_t
|
|
|
|
spl_kernel_read(struct file *file, void *buf, size_t count, loff_t *pos)
|
|
|
|
{
|
|
|
|
#if defined(HAVE_KERNEL_READ_PPOS)
|
|
|
|
return (kernel_read(file, buf, count, pos));
|
|
|
|
#else
|
|
|
|
mm_segment_t saved_fs;
|
|
|
|
ssize_t ret;
|
|
|
|
|
|
|
|
saved_fs = get_fs();
|
|
|
|
set_fs(KERNEL_DS);
|
|
|
|
|
|
|
|
ret = vfs_read(file, (void __user *)buf, count, pos);
|
|
|
|
|
|
|
|
set_fs(saved_fs);
|
|
|
|
|
|
|
|
return (ret);
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
2020-06-15 18:30:37 +00:00
|
|
|
static int
|
2019-11-21 17:32:57 +00:00
|
|
|
spl_getattr(struct file *filp, struct kstat *stat)
|
|
|
|
{
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
ASSERT(filp);
|
|
|
|
ASSERT(stat);
|
|
|
|
|
|
|
|
#if defined(HAVE_4ARGS_VFS_GETATTR)
|
|
|
|
rc = vfs_getattr(&filp->f_path, stat, STATX_BASIC_STATS,
|
|
|
|
AT_STATX_SYNC_AS_STAT);
|
|
|
|
#elif defined(HAVE_2ARGS_VFS_GETATTR)
|
|
|
|
rc = vfs_getattr(&filp->f_path, stat);
|
2021-05-25 22:44:09 +00:00
|
|
|
#elif defined(HAVE_3ARGS_VFS_GETATTR)
|
2019-11-21 17:32:57 +00:00
|
|
|
rc = vfs_getattr(filp->f_path.mnt, filp->f_dentry, stat);
|
2021-05-25 22:44:09 +00:00
|
|
|
#else
|
|
|
|
#error "No available vfs_getattr()"
|
2019-11-21 17:32:57 +00:00
|
|
|
#endif
|
|
|
|
if (rc)
|
|
|
|
return (-rc);
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2011-06-20 19:53:56 +00:00
|
|
|
/*
|
|
|
|
* Read the unique system identifier from the /etc/hostid file.
|
|
|
|
*
|
|
|
|
* The behavior of /usr/bin/hostid on Linux systems with the
|
|
|
|
* regular eglibc and coreutils is:
|
|
|
|
*
|
|
|
|
* 1. Generate the value if the /etc/hostid file does not exist
|
|
|
|
* or if the /etc/hostid file is less than four bytes in size.
|
|
|
|
*
|
|
|
|
* 2. If the /etc/hostid file is at least 4 bytes, then return
|
|
|
|
* the first four bytes [0..3] in native endian order.
|
|
|
|
*
|
|
|
|
* 3. Always ignore bytes [4..] if they exist in the file.
|
|
|
|
*
|
|
|
|
* Only the first four bytes are significant, even on systems that
|
|
|
|
* have a 64-bit word size.
|
|
|
|
*
|
|
|
|
* See:
|
|
|
|
*
|
|
|
|
* eglibc: sysdeps/unix/sysv/linux/gethostid.c
|
|
|
|
* coreutils: src/hostid.c
|
|
|
|
*
|
|
|
|
* Notes:
|
|
|
|
*
|
|
|
|
* The /etc/hostid file on Solaris is a text file that often reads:
|
|
|
|
*
|
|
|
|
* # DO NOT EDIT
|
|
|
|
* "0123456789"
|
|
|
|
*
|
|
|
|
* Directly copying this file to Linux results in a constant
|
|
|
|
* hostid of 4f442023 because the default comment constitutes
|
|
|
|
* the first four bytes of the file.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2022-01-14 23:37:55 +00:00
|
|
|
static char *spl_hostid_path = HW_HOSTID_PATH;
|
2011-06-20 19:53:56 +00:00
|
|
|
module_param(spl_hostid_path, charp, 0444);
|
|
|
|
MODULE_PARM_DESC(spl_hostid_path, "The system hostid file (/etc/hostid)");
|
|
|
|
|
|
|
|
static int
|
2017-07-10 19:24:52 +00:00
|
|
|
hostid_read(uint32_t *hostid)
|
2011-06-20 19:53:56 +00:00
|
|
|
{
|
|
|
|
uint64_t size;
|
2017-07-10 19:24:52 +00:00
|
|
|
uint32_t value = 0;
|
|
|
|
int error;
|
2019-11-21 17:32:57 +00:00
|
|
|
loff_t off;
|
|
|
|
struct file *filp;
|
|
|
|
struct kstat stat;
|
|
|
|
|
|
|
|
filp = filp_open(spl_hostid_path, 0, 0);
|
2011-06-20 19:53:56 +00:00
|
|
|
|
2019-11-21 17:32:57 +00:00
|
|
|
if (IS_ERR(filp))
|
2017-07-10 19:24:52 +00:00
|
|
|
return (ENOENT);
|
2011-06-20 19:53:56 +00:00
|
|
|
|
2019-11-21 17:32:57 +00:00
|
|
|
error = spl_getattr(filp, &stat);
|
2017-07-10 19:24:52 +00:00
|
|
|
if (error) {
|
2019-11-21 17:32:57 +00:00
|
|
|
filp_close(filp, 0);
|
2017-07-10 19:24:52 +00:00
|
|
|
return (error);
|
2011-06-20 19:53:56 +00:00
|
|
|
}
|
2019-11-21 17:32:57 +00:00
|
|
|
size = stat.size;
|
2021-11-02 20:02:57 +00:00
|
|
|
// cppcheck-suppress sizeofwithnumericparameter
|
2018-02-07 19:49:38 +00:00
|
|
|
if (size < sizeof (HW_HOSTID_MASK)) {
|
2019-11-21 17:32:57 +00:00
|
|
|
filp_close(filp, 0);
|
2017-07-10 19:24:52 +00:00
|
|
|
return (EINVAL);
|
2011-06-20 19:53:56 +00:00
|
|
|
}
|
|
|
|
|
2019-11-21 17:32:57 +00:00
|
|
|
off = 0;
|
2017-07-10 19:24:52 +00:00
|
|
|
/*
|
|
|
|
* Read directly into the variable like eglibc does.
|
|
|
|
* Short reads are okay; native behavior is preserved.
|
|
|
|
*/
|
2019-11-21 17:32:57 +00:00
|
|
|
error = spl_kernel_read(filp, &value, sizeof (value), &off);
|
2017-07-10 19:24:52 +00:00
|
|
|
if (error < 0) {
|
2019-11-21 17:32:57 +00:00
|
|
|
filp_close(filp, 0);
|
2017-07-10 19:24:52 +00:00
|
|
|
return (EIO);
|
2011-06-20 19:53:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Mask down to 32 bits like coreutils does. */
|
2017-07-10 19:24:52 +00:00
|
|
|
*hostid = (value & HW_HOSTID_MASK);
|
2019-11-21 17:32:57 +00:00
|
|
|
filp_close(filp, 0);
|
2017-07-10 19:24:52 +00:00
|
|
|
|
2018-02-07 19:49:38 +00:00
|
|
|
return (0);
|
2011-06-20 19:53:56 +00:00
|
|
|
}
|
|
|
|
|
2017-07-10 19:24:52 +00:00
|
|
|
/*
|
|
|
|
* Return the system hostid. Preferentially use the spl_hostid module option
|
|
|
|
* when set, otherwise use the value in the /etc/hostid file.
|
|
|
|
*/
|
2009-02-19 19:26:17 +00:00
|
|
|
uint32_t
|
|
|
|
zone_get_hostid(void *zone)
|
|
|
|
{
|
2017-07-10 19:24:52 +00:00
|
|
|
uint32_t hostid;
|
2009-02-19 19:26:17 +00:00
|
|
|
|
2017-07-10 19:24:52 +00:00
|
|
|
ASSERT3P(zone, ==, NULL);
|
2012-07-05 07:22:03 +00:00
|
|
|
|
2017-07-10 19:24:52 +00:00
|
|
|
if (spl_hostid != 0)
|
|
|
|
return ((uint32_t)(spl_hostid & HW_HOSTID_MASK));
|
2012-07-05 07:22:03 +00:00
|
|
|
|
2017-07-10 19:24:52 +00:00
|
|
|
if (hostid_read(&hostid) == 0)
|
|
|
|
return (hostid);
|
2015-01-23 07:01:03 +00:00
|
|
|
|
2017-07-10 19:24:52 +00:00
|
|
|
return (0);
|
2009-02-19 19:26:17 +00:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL(zone_get_hostid);
|
|
|
|
|
2014-12-08 18:04:42 +00:00
|
|
|
static int
|
|
|
|
spl_kvmem_init(void)
|
|
|
|
{
|
|
|
|
int rc = 0;
|
|
|
|
|
|
|
|
rc = spl_kmem_init();
|
|
|
|
if (rc)
|
2015-12-02 22:52:46 +00:00
|
|
|
return (rc);
|
2014-12-08 18:04:42 +00:00
|
|
|
|
|
|
|
rc = spl_vmem_init();
|
2015-12-02 22:52:46 +00:00
|
|
|
if (rc) {
|
|
|
|
spl_kmem_fini();
|
|
|
|
return (rc);
|
|
|
|
}
|
2014-12-08 18:04:42 +00:00
|
|
|
|
|
|
|
return (rc);
|
|
|
|
}
|
|
|
|
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
/*
|
|
|
|
* We initialize the random number generator with 128 bits of entropy from the
|
|
|
|
* system random number generator. In the improbable case that we have a zero
|
|
|
|
* seed, we fallback to the system jiffies, unless it is also zero, in which
|
|
|
|
* situation we use a preprogrammed seed. We step forward by 2^64 iterations to
|
|
|
|
* initialize each of the per-cpu seeds so that the sequences generated on each
|
|
|
|
* CPU are guaranteed to never overlap in practice.
|
|
|
|
*/
|
Linux SPL module init: Handle memory allocation failures correctly
Upon inspection of our code, I noticed that we assume that
__alloc_percpu() cannot fail, and while it probably never has failed in
practice, technically, it can fail, so we should handle that.
Additionally, we incorrectly assume that `taskq_create()` in
spl_kmem_cache_init() cannot fail. The same remark applies to it.
Lastly, `spl-init()` failures should always return negative error
values, but in some places, we are returning positive 1, which is
incorrect. We change those values to their correct error codes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13847
2022-09-08 17:28:20 +00:00
|
|
|
static int __init
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
spl_random_init(void)
|
|
|
|
{
|
|
|
|
uint64_t s[2];
|
2019-12-14 00:07:48 +00:00
|
|
|
int i = 0;
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
2020-02-06 17:26:13 +00:00
|
|
|
spl_pseudo_entropy = __alloc_percpu(2 * sizeof (uint64_t),
|
|
|
|
sizeof (uint64_t));
|
|
|
|
|
Linux SPL module init: Handle memory allocation failures correctly
Upon inspection of our code, I noticed that we assume that
__alloc_percpu() cannot fail, and while it probably never has failed in
practice, technically, it can fail, so we should handle that.
Additionally, we incorrectly assume that `taskq_create()` in
spl_kmem_cache_init() cannot fail. The same remark applies to it.
Lastly, `spl-init()` failures should always return negative error
values, but in some places, we are returning positive 1, which is
incorrect. We change those values to their correct error codes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13847
2022-09-08 17:28:20 +00:00
|
|
|
if (!spl_pseudo_entropy)
|
|
|
|
return (-ENOMEM);
|
|
|
|
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
get_random_bytes(s, sizeof (s));
|
|
|
|
|
|
|
|
if (s[0] == 0 && s[1] == 0) {
|
|
|
|
if (jiffies != 0) {
|
|
|
|
s[0] = jiffies;
|
|
|
|
s[1] = ~0 - jiffies;
|
|
|
|
} else {
|
|
|
|
(void) memcpy(s, "improbable seed", sizeof (s));
|
|
|
|
}
|
|
|
|
printk("SPL: get_random_bytes() returned 0 "
|
|
|
|
"when generating random seed. Setting initial seed to "
|
2019-05-08 23:43:55 +00:00
|
|
|
"0x%016llx%016llx.\n", cpu_to_be64(s[0]),
|
|
|
|
cpu_to_be64(s[1]));
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
}
|
|
|
|
|
2016-10-08 03:59:46 +00:00
|
|
|
for_each_possible_cpu(i) {
|
2020-02-06 17:26:13 +00:00
|
|
|
uint64_t *wordp = per_cpu_ptr(spl_pseudo_entropy, i);
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
|
|
|
spl_rand_jump(s);
|
|
|
|
|
|
|
|
wordp[0] = s[0];
|
|
|
|
wordp[1] = s[1];
|
|
|
|
}
|
Linux SPL module init: Handle memory allocation failures correctly
Upon inspection of our code, I noticed that we assume that
__alloc_percpu() cannot fail, and while it probably never has failed in
practice, technically, it can fail, so we should handle that.
Additionally, we incorrectly assume that `taskq_create()` in
spl_kmem_cache_init() cannot fail. The same remark applies to it.
Lastly, `spl-init()` failures should always return negative error
values, but in some places, we are returning positive 1, which is
incorrect. We change those values to their correct error codes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13847
2022-09-08 17:28:20 +00:00
|
|
|
|
|
|
|
return (0);
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
}
|
|
|
|
|
2020-02-06 17:26:13 +00:00
|
|
|
static void
|
|
|
|
spl_random_fini(void)
|
|
|
|
{
|
|
|
|
free_percpu(spl_pseudo_entropy);
|
|
|
|
}
|
|
|
|
|
2014-12-08 18:04:42 +00:00
|
|
|
static void
|
|
|
|
spl_kvmem_fini(void)
|
|
|
|
{
|
|
|
|
spl_vmem_fini();
|
|
|
|
spl_kmem_fini();
|
|
|
|
}
|
|
|
|
|
2015-02-18 23:24:15 +00:00
|
|
|
static int __init
|
|
|
|
spl_init(void)
|
2008-04-18 23:39:58 +00:00
|
|
|
{
|
|
|
|
int rc = 0;
|
2008-04-12 04:27:59 +00:00
|
|
|
|
Linux SPL module init: Handle memory allocation failures correctly
Upon inspection of our code, I noticed that we assume that
__alloc_percpu() cannot fail, and while it probably never has failed in
practice, technically, it can fail, so we should handle that.
Additionally, we incorrectly assume that `taskq_create()` in
spl_kmem_cache_init() cannot fail. The same remark applies to it.
Lastly, `spl-init()` failures should always return negative error
values, but in some places, we are returning positive 1, which is
incorrect. We change those values to their correct error codes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13847
2022-09-08 17:28:20 +00:00
|
|
|
if ((rc = spl_random_init()))
|
|
|
|
goto out0;
|
random_get_pseudo_bytes() need not provide cryptographic strength entropy
Perf profiling of dd on a zvol revealed that my system spent 3.16% of
its time in random_get_pseudo_bytes(). No SPL consumers need
cryptographic strength entropy, so we can reduce our overhead by
changing the implementation to utilize a fast PRNG.
The Linux kernel did not export a suitable PRNG function until it
exported get_random_int() in Linux 3.10. While we could implement an
autotools check so that we use it when it is available or even try to
access the symbol on older kernels where it is not exported using the
fact that it is exported on newer ones as justification, we can instead
implement our own pseudo-random data generator. For this purpose, I have
written one based on a 128-bit pseudo-random number generator proposed
in a paper by Sebastiano Vigna that itself was based on work by the late
George Marsaglia.
http://vigna.di.unimi.it/ftp/papers/xorshiftplus.pdf
Profiling the same benchmark with an earlier variant of this patch that
used a slightly different generator (roughly same number of
instructions) by the same author showed that time spent in
random_get_pseudo_bytes() dropped to 0.06%. That is a factor of 50
improvement. This particular generator algorithm is also well known to
be fast:
http://xorshift.di.unimi.it/#speed
The benchmark numbers there state that it runs at 1.12ns/64-bits or 7.14
GBps of throughput on an Intel Core i7-4770 in what is presumably a
single-threaded context. Using it in `random_get_pseudo_bytes()` in the
manner I have will probably not reach that level of performance, but it
should be fairly high and many times higher than the Linux
`get_random_bytes()` function that we use now, which runs at 16.3 MB/s
on my Intel Xeon E3-1276v3 processor when measured by using dd on
/dev/urandom.
Also, putting this generator's seed into per-CPU variables allows us to
eliminate overhead from both spin locks and CPU memory barriers, which
is NUMA friendly.
We could have alternatively modified consumers to use something like
`gethrtime() % 3` as suggested by both Matthew Ahrens and Tim Chase, but
that has a few potential problems that this approach avoids:
1. Switching to `gethrtime() % 3` in hot code paths today requires
diverging from illumos-gate and does nothing about potential future
patches from illumos-gate that call our slow `random_get_pseudo_bytes()`
in different hot code paths. Reimplementing `random_get_pseudo_bytes()`
with a per-CPU PRNG avoids both of those things entirely, which means
less work for us in the future.
2. Looking at the code that implements `gethrtime()`, I think it is
unlikely to be faster than this per-CPU PRNG implementation of
`random_get_pseudo_bytes()`. It would be best to go with something fast
now so that there is no point in revisiting this from a performance
perspective.
3. `gethrtime() % 3` can vary in behavior from system to system based on
kernel version, architecture and clock source. In comparison, this
per-CPU PRNG is about ~40 lines of code in `random_get_pseudo_bytes()`
that should behave consistently across all systems regardless of kernel
version, system architecture or machine clock source. It is unlikely
that we would ever need to revisit this per-CPU PRNG while the same
cannot be said for `gethrtime() % 3`.
4. `gethrtime()` uses CPU memory barriers and maybe atomic instructions
depending on the clock source, so replacing `random_get_pseudo_bytes()`
with `gethrtime()` in hot code paths could still require a future person
working on NUMA scalability to reimplement it anyway while this per-CPU
PRNG would not by virtue of using neither CPU memory barriers nor atomic
instructions. Note that I did not check various clock sources for the
presence of atomic instructions. There is simply too much code to read
and given the drawbacks versus this per-cpu PRNG, there is no point in
being certain.
5. I have heard of instances where poor quality pseudo-random numbers
caused problems for HPC code in ways that took more than a year to
identify and were remedied by switching to a higher quality source of
pseudo-random numbers. While filesystems are different than HPC code, I
do not think it is impossible for us to have instances where poor
quality pseudo-random numbers can cause problems. Opting for a well
studied PRNG algorithm that passes tests for statistical randomness over
changing callers to use `gethrtime() % 3` bypasses the need to think
about both whether poor quality pseudo-random numbers can cause problems
and the statistical quality of numbers from `gethrtime() % 3`.
6. `gethrtime()` calls `getrawmonotonic()`, which uses seqlocks. This is
probably not a huge issue, but anyone using kgdb would never be able to
step through a seqlock critical section, which is not a problem either
now or with the per-CPU PRNG:
https://en.wikipedia.org/wiki/Seqlock
The only downside that I can see is that this code's memory requirement
is O(N) where N is NR_CPUS, versus the current code and `gethrtime() %
3`, which are O(1), but that should not be a problem. The seeds will use
64KB of memory at the high end (i.e `NR_CPU == 4096`) and 16 bytes of
memory at the low end (i.e. `NR_CPU == 1`). In either case, we should
only use a few hundred bytes of code for text, especially since
`spl_rand_jump()` should be inlined into `spl_random_init()`, which
should be removed during early boot as part of "Freeing unused kernel
memory". In either case, the memory requirements are minuscule.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Tim Chase <tim@chase2k.com>
Closes #372
2014-07-11 22:36:28 +00:00
|
|
|
|
2014-12-08 18:04:42 +00:00
|
|
|
if ((rc = spl_kvmem_init()))
|
2014-11-05 22:30:35 +00:00
|
|
|
goto out1;
|
2008-03-31 20:42:36 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_tsd_init()))
|
2019-07-12 21:40:15 +00:00
|
|
|
goto out2;
|
2008-03-14 00:04:01 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_taskq_init()))
|
2019-07-12 21:40:15 +00:00
|
|
|
goto out3;
|
2008-05-08 23:21:47 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_kmem_cache_init()))
|
2019-07-12 21:40:15 +00:00
|
|
|
goto out4;
|
2009-01-05 23:08:03 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_proc_init()))
|
2019-11-21 17:32:57 +00:00
|
|
|
goto out5;
|
2010-11-30 17:51:46 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_kstat_init()))
|
2019-11-21 17:32:57 +00:00
|
|
|
goto out6;
|
2011-02-25 21:26:19 +00:00
|
|
|
|
2015-12-02 22:52:46 +00:00
|
|
|
if ((rc = spl_zlib_init()))
|
2019-11-21 17:32:57 +00:00
|
|
|
goto out7;
|
2015-12-02 22:52:46 +00:00
|
|
|
|
2021-02-21 16:19:43 +00:00
|
|
|
if ((rc = spl_zone_init()))
|
|
|
|
goto out8;
|
|
|
|
|
2014-11-05 22:30:35 +00:00
|
|
|
return (rc);
|
2014-10-01 23:58:11 +00:00
|
|
|
|
2021-02-21 16:19:43 +00:00
|
|
|
out8:
|
|
|
|
spl_zlib_fini();
|
2009-09-25 21:14:35 +00:00
|
|
|
out7:
|
2019-11-21 17:32:57 +00:00
|
|
|
spl_kstat_fini();
|
2009-09-25 21:14:35 +00:00
|
|
|
out6:
|
2019-11-21 17:32:57 +00:00
|
|
|
spl_proc_fini();
|
2015-12-02 22:52:46 +00:00
|
|
|
out5:
|
2019-07-12 21:40:15 +00:00
|
|
|
spl_kmem_cache_fini();
|
2009-09-25 21:14:35 +00:00
|
|
|
out4:
|
2019-07-12 21:40:15 +00:00
|
|
|
spl_taskq_fini();
|
2008-05-05 20:18:49 +00:00
|
|
|
out3:
|
2019-07-12 21:40:15 +00:00
|
|
|
spl_tsd_fini();
|
2008-03-31 20:42:36 +00:00
|
|
|
out2:
|
2014-12-08 18:04:42 +00:00
|
|
|
spl_kvmem_fini();
|
2009-09-25 21:14:35 +00:00
|
|
|
out1:
|
Linux SPL module init: Handle memory allocation failures correctly
Upon inspection of our code, I noticed that we assume that
__alloc_percpu() cannot fail, and while it probably never has failed in
practice, technically, it can fail, so we should handle that.
Additionally, we incorrectly assume that `taskq_create()` in
spl_kmem_cache_init() cannot fail. The same remark applies to it.
Lastly, `spl-init()` failures should always return negative error
values, but in some places, we are returning positive 1, which is
incorrect. We change those values to their correct error codes.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13847
2022-09-08 17:28:20 +00:00
|
|
|
spl_random_fini();
|
|
|
|
out0:
|
2015-02-18 23:24:15 +00:00
|
|
|
return (rc);
|
2008-02-27 21:56:51 +00:00
|
|
|
}
|
|
|
|
|
2015-02-18 23:24:15 +00:00
|
|
|
static void __exit
|
2009-10-01 23:06:15 +00:00
|
|
|
spl_fini(void)
|
2008-02-27 21:56:51 +00:00
|
|
|
{
|
2021-02-21 16:19:43 +00:00
|
|
|
spl_zone_fini();
|
2011-11-11 17:03:31 +00:00
|
|
|
spl_zlib_fini();
|
|
|
|
spl_kstat_fini();
|
|
|
|
spl_proc_fini();
|
2015-12-02 22:52:46 +00:00
|
|
|
spl_kmem_cache_fini();
|
2009-01-05 23:08:03 +00:00
|
|
|
spl_taskq_fini();
|
2015-12-02 22:52:46 +00:00
|
|
|
spl_tsd_fini();
|
2014-12-08 18:04:42 +00:00
|
|
|
spl_kvmem_fini();
|
2020-02-06 17:26:13 +00:00
|
|
|
spl_random_fini();
|
2008-02-27 21:56:51 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
module_init(spl_init);
|
|
|
|
module_exit(spl_fini);
|
|
|
|
|
2022-03-31 15:20:50 +00:00
|
|
|
MODULE_DESCRIPTION("Solaris Porting Layer");
|
|
|
|
MODULE_AUTHOR(ZFS_META_AUTHOR);
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_VERSION(ZFS_META_VERSION "-" ZFS_META_RELEASE);
|