Received: by 10.223.185.116 with SMTP id b49csp4090159wrg;
        Tue, 6 Mar 2018 09:37:15 -0800 (PST)
X-Google-Smtp-Source: AG47ELs35pwbxzmzycR9FcDa64LSoOKBo4F1/Q342aWZg4jG1wdPypPKq9jC+IUKf50+4FzfJVBj
X-Received: by 2002:a17:902:8b82:: with SMTP id ay2-v6mr17303529plb.12.1520357835486;
        Tue, 06 Mar 2018 09:37:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1520357835; cv=none;
        d=google.com; s=arc-20160816;
        b=ldmFovnnj2Hj6eoaaQwDW7OXMQm+RejhKJQd56kDTuTJdVi714gT0/9Ih9zinAhVnD
         +YH123Sl5JgWh0CQNi+lxDIl4xzFlpgpBtNLecrtsZOYKCCn1ns43iLm9J1btF24HrbG
         FpKBpFJiLDVvumJrwSsobMwvb1/mpkPItBkFpIQVhcx8hicR1HuowfxbGrHsg5CJm+De
         ui/GyOH1x8WDdKxgQY8EkFkUoG9MzAWHUZE+wxyjnePvmmCgHDJxXezRqD8v7j73Jbpt
         ThRRH9k+muuV/2Mgqbn/7e+NXXdJsTEP6auwIGQtOaN8YLtdobeC13EZUHn8TAeP49n7
         jQNw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=3CyxaJO8E+XTkBdfgxgAHHS+kn0i2yjWoH7HjmfplFY=;
        b=TXHSlCVXXgSC+jSAny86x+KCEsDFLj8+sUE3xix1DbvypoSuDB5zmB/NoGm6prj5FA
         piCA5qVyZIMBxIas7F4He3902TBc+HUZVF9ER0BuMoMJK/4iHGI2H/tDBL0wp40oHOCA
         s8EgPGcEpfvyEdsZ/z7LDRWQNUcPSu6lF4LZEfeGAtWbG79acHDgt23xOHXN+a/W0f5b
         XXYeF/GKvh3cIfitY+JwVaKJF/sn+QoMkDBsvyLaBYVHPoemkI923sYIBpkcLCZo3Wah
         Hp05gQ+KBmgAYfe7NIppUFbeidZOD0l53LU2eZZlnIrbuyflF76Qp4uKtWmwIeyk88YV
         slDg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=htUYcz24;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o14-v6si11523620pli.572.2018.03.06.09.37.01;
        Tue, 06 Mar 2018 09:37:15 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@gmail.com header.s=20161025 header.b=htUYcz24;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753902AbeCFRfg (ORCPT
        <rfc822;paul.schmitz.hallo.parkuhr@gmail.com> + 99 others);
        Tue, 6 Mar 2018 12:35:36 -0500
Received: from mail-yb0-f194.google.com ([209.85.213.194]:44213 "EHLO
        mail-yb0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750782AbeCFRff (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 6 Mar 2018 12:35:35 -0500
Received: by mail-yb0-f194.google.com with SMTP id h19-v6so7358551ybj.11
        for <linux-kernel@vger.kernel.org>; Tue, 06 Mar 2018 09:35:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=sender:from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=3CyxaJO8E+XTkBdfgxgAHHS+kn0i2yjWoH7HjmfplFY=;
        b=htUYcz24GZtQZEUdoV6h+oLOBtWDAOiIh5AjYGNaR+2dn3pCNbyzXHVLJ3JPkjPcjS
         2bsWRvJk0nyfAHx77KfffDB51gKc0fvGYeN31SUpJO3Ko/9P/p/H/nNXZtZ+Mn1vQLFO
         kQlYglZgeDgFDYRLyxuJ+E7a9ZUTeKk0M7xE4nvlvonuwhupb7FMa8sB0fFiF30XuFZS
         0qOnQuOkp3nMFFjXbwic4PLd/OrWU1lGFECo+fW4pspqugIQn9P3R1BireCk1qK3rzTO
         ha65l03uUXPa08sRmNdfkqj50akh0e4JV9V16sW7KGyWMFf2ZCtROyGrdydUXMWZHUQd
         YPQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :in-reply-to:references;
        bh=3CyxaJO8E+XTkBdfgxgAHHS+kn0i2yjWoH7HjmfplFY=;
        b=pLOuaAmwUoLVnKsC7ERNRiq6xwogu7DJLQZLb3k4T+/dbUJ3GCZI8zVqPO0JbaxIVT
         zwPM7XWlSddO7BC6cS3bT8ZVeNf38BTSvCg2ciF2owlfpDLLnZr8XfThS96f8Ui1XoVz
         HfJPLtxipEj4lbp8xx/E54Wdg1Vk+mpeoJlrR9GfD5E3c3JHQzuphCN/JrmnKF9n6uwS
         N6UyHYl+lW2vunargRK+FzUOL31Xwyd1zSQGc79dsFw+13QgmS+fe9MGbTprQYT9vuRa
         RpLzH7P2EpFUhxYtysgICG3SGs1xZtG7zMBnWNKQP1O8SzxtdAh4Q+DkqdWgFu0yFSFT
         Tpfw==
X-Gm-Message-State: APf1xPDmiQfmHUvpFkyu91QB7+YPLWv6hwuY6n+YAAzejuU1hWmXnvMC
        +L/K7IIQo66k02x2PtHLCdg=
X-Received: by 2002:a25:4b83:: with SMTP id y125-v6mr12344895yba.335.1520357734684;
        Tue, 06 Mar 2018 09:35:34 -0800 (PST)
Received: from localhost ([199.201.65.3])
        by smtp.gmail.com with ESMTPSA id i6sm2622387ywa.0.2018.03.06.09.35.30
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 06 Mar 2018 09:35:33 -0800 (PST)
From:   Tejun Heo <tj@kernel.org>
To:     torvalds@linux-foundation.org, jannh@google.com,
        paulmck@linux.vnet.ibm.com, bcrl@kvack.org,
        viro@zeniv.linux.org.uk, kent.overstreet@gmail.com
Cc:     security@kernel.org, linux-kernel@vger.kernel.org,
        kernel-team@fb.com, Tejun Heo <tj@kernel.org>
Subject: [PATCH 6/7] percpu_ref: Update doc to dissuade users from depending on internal RCU grace periods
Date:   Tue,  6 Mar 2018 09:33:15 -0800
Message-Id: <20180306173316.3088458-6-tj@kernel.org>
X-Mailer: git-send-email 2.9.5
In-Reply-To: <20180306173316.3088458-1-tj@kernel.org>
References: <20180306172657.3060270-1-tj@kernel.org>
 <20180306173316.3088458-1-tj@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

percpu_ref internally uses sched-RCU to implement the percpu -> atomic
mode switching and the documentation suggested that this could be
depended upon.  This doesn't seem like a good idea.

* percpu_ref uses sched-RCU which has different grace periods regular
  RCU.  Users may combine percpu_ref with regular RCU usage and
  incorrectly believe that regular RCU grace periods are performed by
  percpu_ref.  This can lead to, for example, use-after-free due to
  premature freeing.

* percpu_ref has a grace period when switching from percpu to atomic
  mode.  It doesn't have one between the last put and release.  This
  distinction is subtle and can lead to surprising bugs.

* percpu_ref allows starting in and switching to atomic mode manually
  for debugging and other purposes.  This means that there may not be
  any grace periods from kill to release.

This patch makes it clear that the grace periods are percpu_ref's
internal implementation detail and can't be depended upon by the
users.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
---
 include/linux/percpu-refcount.h | 18 ++++++++++++------
 lib/percpu-refcount.c           |  2 ++
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/include/linux/percpu-refcount.h b/include/linux/percpu-refcount.h
index 864d167..009cdf3 100644
--- a/include/linux/percpu-refcount.h
+++ b/include/linux/percpu-refcount.h
@@ -30,10 +30,14 @@
  * calls io_destroy() or the process exits.
  *
  * In the aio code, kill_ioctx() is called when we wish to destroy a kioctx; it
- * calls percpu_ref_kill(), then hlist_del_rcu() and synchronize_rcu() to remove
- * the kioctx from the proccess's list of kioctxs - after that, there can't be
- * any new users of the kioctx (from lookup_ioctx()) and it's then safe to drop
- * the initial ref with percpu_ref_put().
+ * removes the kioctx from the proccess's table of kioctxs and kills percpu_ref.
+ * After that, there can't be any new users of the kioctx (from lookup_ioctx())
+ * and it's then safe to drop the initial ref with percpu_ref_put().
+ *
+ * Note that the free path, free_ioctx(), needs to go through explicit call_rcu()
+ * to synchronize with RCU protected lookup_ioctx().  percpu_ref operations don't
+ * imply RCU grace periods of any kind and if a user wants to combine percpu_ref
+ * with RCU protection, it must be done explicitly.
  *
  * Code that does a two stage shutdown like this often needs some kind of
  * explicit synchronization to ensure the initial refcount can only be dropped
@@ -113,8 +117,10 @@ void percpu_ref_reinit(struct percpu_ref *ref);
  * Must be used to drop the initial ref on a percpu refcount; must be called
  * precisely once before shutdown.
  *
- * Puts @ref in non percpu mode, then does a call_rcu() before gathering up the
- * percpu counters and dropping the initial ref.
+ * Switches @ref into atomic mode before gathering up the percpu counters
+ * and dropping the initial ref.
+ *
+ * There are no implied RCU grace periods between kill and release.
  */
 static inline void percpu_ref_kill(struct percpu_ref *ref)
 {
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
index 30e7dd8..9f96fa7 100644
--- a/lib/percpu-refcount.c
+++ b/lib/percpu-refcount.c
@@ -322,6 +322,8 @@ EXPORT_SYMBOL_GPL(percpu_ref_switch_to_percpu);
  * This function normally doesn't block and can be called from any context
  * but it may block if @confirm_kill is specified and @ref is in the
  * process of switching to atomic mode by percpu_ref_switch_to_atomic().
+ *
+ * There are no implied RCU grace periods between kill and release.
  */
 void percpu_ref_kill_and_confirm(struct percpu_ref *ref,
 				 percpu_ref_func_t *confirm_kill)
-- 
2.9.5