Date: Mon, 21 Jan 2019 11:05:03 -0500 (EST)
From: Alan Stern
To: Peter Zijlstra
cc: Dmitry Vyukov, Elena Reshetova, Andrea Parri, Kees Cook,
    "Paul E. McKenney", Will Deacon, Andrew Morton, Andrey Ryabinin,
    Anders Roxell, Mark Rutland, LKML
Subject: Re: [PATCH] kcov: convert kcov.refcount to refcount_t
In-Reply-To: <20190121131816.GC17749@hirez.programming.kicks-ass.net>

On Mon, 21 Jan 2019, Peter Zijlstra wrote:

> On Mon, Jan 21, 2019 at 10:52:37AM +0100, Dmitry Vyukov wrote:
> > On Wed, Jan 16, 2019 at 1:51 PM Dmitry Vyukov wrote:
> > >
> > > KCOV uses refcounts in a very simple canonical way, so no hidden
> > > ordering implied.
> > >
> > > Am I missing something, or does refcount_dec_and_test in fact not
> > > provide ACQUIRE ordering?
> > >
> > > +case 5) - decrement-based RMW ops that return a value
> > > +-----------------------------------------------------
> > > +
> > > +Function changes:
> > > +        atomic_dec_and_test() --> refcount_dec_and_test()
> > > +        atomic_sub_and_test() --> refcount_sub_and_test()
> > > +        no atomic counterpart --> refcount_dec_if_one()
> > > +        atomic_add_unless(&var, -1, 1) --> refcount_dec_not_one(&var)
> > > +
> > > +Memory ordering guarantees changes:
> > > +        fully ordered --> RELEASE ordering + control dependency
> > >
> > > I think that's against the expected refcount guarantees. When I
> > > privatize an atomic_dec_and_test I would expect that not only stores,
> > > but also loads act on a quiescent object. But loads can hoist outside
> > > of the control dependency.
> > >
> > > Consider the following example: is it the case that the BUG_ON can
> > > still fire?
> > >
> > > struct X {
> > >         refcount_t rc;          // == 2
> > >         int done1, done2;       // == 0
> > > };
> > >
> > > // thread 1:
> > > x->done1 = 1;
> > > if (refcount_dec_and_test(&x->rc))
> > >         BUG_ON(!x->done2);
> > >
> > > // thread 2:
> > > x->done2 = 1;
> > > if (refcount_dec_and_test(&x->rc))
> > >         BUG_ON(!x->done1);
>
> I'm the one responsible for that refcount_t ordering.
>
> The rationale for REL+CTRL is that for the final put we want to ensure
> that all prior loads/stores are complete, because any later access could
> be a UAF; consider:
>
>
> P0()
> {
>         x->foo = 0;
>         if (refcount_dec_and_test(&x->rc))
>                 free(x);
> }
>
> P1()
> {
>         x->bar = 1;
>         if (refcount_dec_and_test(&x->rc))
>                 free(x);
> }
>
>
> Without release, it would be possible for either (foo, bar) store to
> happen after the free().
>
> Additionally, we also need the CTRL dependency to ensure that the actual
> free() happens _after_ the dec_and_test; freeing early would be bad.
>
> But after these two requirements, the basic refcounting works.
>
> > The refcount_dec_and_test guarantees look too weak to me, see the
> > example above. Shouldn't refcount_dec_and_test returning true leave the
> > object in a fully quiescent state? Why only a control dependency? Loads
> > can hoist across a control dependency, no?
>
> Yes, loads can escape like you say.
>
> Any additional ordering, like the one you have above, is not strictly
> required for the proper functioning of the refcount. Rather, if you rely
> on additional ordering, you will need to provide it explicitly:
>
>
> if (refcount_dec_and_test(&x->rc)) {
>         /*
>          * Comment that explains what we order against....
>          */
>         smp_mb__after_atomic();
>         BUG_ON(!x->done*);
>         free(x);
> }
>
>
> Also, these patches explicitly mention that refcount_t is weaker,
> specifically to make people aware of this difference.
>
> A full smp_mb() (or two) would also be much more expensive on a number
> of platforms, and in the vast majority of cases it is not required.

How about adding smp_rmb() into refcount_dec_and_test()?  That would
give acq+rel semantics, which seems to be what people will expect.  And
it wouldn't be nearly as expensive as a full smp_mb().

Alan Stern
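
[For illustration only -- a minimal sketch of what the suggestion above
would amount to, assuming a simplified refcount_dec_and_test() with the
saturation/underflow checks of the real lib/refcount.c implementation
left out; the _sketch suffix just marks it as hypothetical:]

	static inline bool refcount_dec_and_test_sketch(refcount_t *r)
	{
		/* RELEASE: our prior loads/stores complete before the decrement. */
		if (atomic_dec_return_release(&r->refs) == 0) {
			/*
			 * Pairs with the RELEASE decrements done by the other
			 * putters: once we have observed the count reach zero,
			 * smp_rmb() keeps our later loads from being satisfied
			 * before that observation, i.e. ACQUIRE on the final put.
			 */
			smp_rmb();
			return true;
		}
		return false;
	}

With something along those lines, the BUG_ON() in the earlier example
could not fire, and callers would not need an explicit
smp_mb__after_atomic() before touching the now-private object.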