Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935683AbdGTMnI (ORCPT ); Thu, 20 Jul 2017 08:43:08 -0400 Received: from out01.mta.xmission.com ([166.70.13.231]:44203 "EHLO out01.mta.xmission.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933994AbdGTMnG (ORCPT ); Thu, 20 Jul 2017 08:43:06 -0400 From: ebiederm@xmission.com (Eric W. Biederman) To: Ingo Molnar Cc: Andrew Morton , Davidlohr Bueso , Elena Reshetova , linux-kernel@vger.kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, mingo@redhat.com, adobriyan@gmail.com, serge@hallyn.com, arozansk@redhat.com, keescook@chromium.org, Hans Liljestrand , David Windsor References: <1499417992-3238-1-git-send-email-elena.reshetova@intel.com> <1499417992-3238-2-git-send-email-elena.reshetova@intel.com> <87bmottgo4.fsf@xmission.com> <20170719153546.37567fbf77861653172fa263@linux-foundation.org> <20170719225427.GD14395@linux-80c1.suse> <20170719155833.641a283467bf6b89a7d2e56b@linux-foundation.org> <20170720093402.55alnsgsodgs4mfk@gmail.com> Date: Thu, 20 Jul 2017 07:34:55 -0500 In-Reply-To: <20170720093402.55alnsgsodgs4mfk@gmail.com> (Ingo Molnar's message of "Thu, 20 Jul 2017 11:34:02 +0200") Message-ID: <878tjj8exc.fsf@xmission.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain X-XM-SPF: eid=1dYAn9-0006zH-39;;;mid=<878tjj8exc.fsf@xmission.com>;;;hst=in02.mta.xmission.com;;;ip=67.3.213.87;;;frm=ebiederm@xmission.com;;;spf=neutral X-XM-AID: U2FsdGVkX18u7T0ez4QA+fnHrvzt+Ozcq8lvjWiMmvU= X-SA-Exim-Connect-IP: 67.3.213.87 X-SA-Exim-Mail-From: ebiederm@xmission.com X-Spam-Report: * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP * 0.0 TVD_RCVD_IP Message was received from an IP address * 1.5 XMNoVowels Alpha-numberic number with no vowels * 0.7 XMSubLong Long Subject * 0.0 T_TM2_M_HEADER_IN_MSG BODY: No description available. * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% * [score: 0.5000] * -0.0 DCC_CHECK_NEGATIVE Not listed in DCC * [sa07 1397; Body=1 Fuz1=1 Fuz2=1] * 0.0 T_TooManySym_02 5+ unique symbols in subject * 0.0 T_TooManySym_01 4+ unique symbols in subject X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1 X-Spam-Combo: **;Ingo Molnar X-Spam-Relay-Country: X-Spam-Timing: total 5543 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 2.5 (0.0%), b_tie_ro: 1.75 (0.0%), parse: 0.85 (0.0%), extract_message_metadata: 15 (0.3%), get_uri_detail_list: 1.84 (0.0%), tests_pri_-1000: 8 (0.1%), tests_pri_-950: 1.18 (0.0%), tests_pri_-900: 1.00 (0.0%), tests_pri_-400: 24 (0.4%), check_bayes: 23 (0.4%), b_tokenize: 8 (0.1%), b_tok_get_all: 8 (0.2%), b_comp_prob: 2.5 (0.0%), b_tok_touch_all: 3.0 (0.1%), b_finish: 0.59 (0.0%), tests_pri_0: 207 (3.7%), check_dkim_signature: 0.50 (0.0%), check_dkim_adsp: 3.9 (0.1%), tests_pri_500: 5280 (95.3%), poll_dns_idle: 5274 (95.1%), rewrite_mail: 0.00 (0.0%) Subject: Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t X-Spam-Flag: No X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600) X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2448 Lines: 70 Ingo Molnar writes: > * Andrew Morton wrote: > >> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso wrote: >> >> > On Wed, 19 Jul 2017, Andrew Morton wrote: >> > >> > >I do rather dislike these conversions from the point of view of >> > >performance overhead and general code bloat. But I seem to have lost >> > >that struggle and I don't think any of these are fastpath(?). >> > >> > Well, since we now have fd25d19 (locking/refcount: Create unchecked atomic_t >> > implementation), performance is supposed to be ok. >> >> Sure, things are OK for people who disable the feature. > > So with the WIP fast-refcount series from Kees: > > [PATCH v6 0/2] x86: Implement fast refcount overflow protection > > I believe the robustness difference between optimized-refcount_t and > full-refcount_t will be marginal. > > I.e. we'll be able to have both higher API safety _and_ performance. > >> But for people who want to enable the feature we really should minimize the cost >> by avoiding blindly converting sites which simply don't need it: simple, safe, >> old, well-tested code. Why go and slow down such code? Need to apply some >> common sense here... > > It's old, well-tested code _for existing, sane parameters_, until someone finds a > decade old bug in one of these with an insane parameters no-one stumbled upon so > far, and builds an exploit on top of it. > > Only by touching all these places do we have a chance to improve things measurably > in terms of reducing the probability of bugs. The more I hear people pushing the upsides of refcount_t without considering the downsides the more I dislike it. - refcount_t is really the wrong thing because it uses saturation semantics. So by definition it includes a bug. - refcount_t will only really prevent something if there is an extra increment. That is not the kind of bug people are likely to make. - refcount_t won't help if you have an extra decrement. The bad use-after-free will still happen. - refcount_t won't help if there is a memory stomp. As with an extra decrement the bad use-after-free will still happen. So all I see is a huge amount of code churn to implement a buggy (by definition) refcounting API, that risks adding new bugs and only truly helps with bugs that are unlikely in the first place. I really don't think this is an obvious slam dunk. Eric