Received: by 2002:a25:f815:0:0:0:0:0 with SMTP id u21csp3355453ybd; Tue, 25 Jun 2019 00:53:01 -0700 (PDT) X-Google-Smtp-Source: APXvYqw4kqeGTt+dXPiSUKypds/6NsZw+ONnskBR47pC3hXhT7XobERG6bO6b7B55jcCW6UkaV12 X-Received: by 2002:a17:902:aa83:: with SMTP id d3mr127980919plr.74.1561449181284; Tue, 25 Jun 2019 00:53:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561449181; cv=none; d=google.com; s=arc-20160816; b=DVkSnnkbLKUsSqJ7eq5i+51hbxyzuoY7esCiLrlpLzGE2g9yeXKXQjIsqZUAt0bVmy 7K64Z6MTVaEr+EKGC4mMzx98ESFmb9TwDj1PVv+1LLEiepFx31TlGxki7ABr7i8Wk8ty v2fB85U4eC6xQApg0dLLG2C3E/cFfrJSRZAlc0fO3zPd7sL6wAcWz6+mFmDJnaRtkfXW 5kDwUXDCtzdJwAGFbC4PTDy4miS9nu5Yn67wD3jJhCjtbPjjFtoZ4YcstrVIcKILHHcC 7dl8qJE9alnU1D367JYz0s5MDAnNi9nuQNCScXUgSfj5rsVynii+xQFaVehs1K/0lPuD 6xnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=EfE9b6iC+ztQ2vj5wKDIVg9bT9RfKnT+aDZ7Xh8JmQE=; b=kMGv4u/cBLXqXlPXfY06y7KyWts4nVIB7ykTqedeYVAqUxQrcqt0plb5V48RnGceNn Cxjvj17ybGLZ2HbWvccsQER+aUNxXNQm7FbFi+JP8cvK7xAHiXQkkfh/jYHkwipT73gr ytfojSzFEYOWPJ/e8ska34uSbQZKBQSp0z8S9ygG/fgp/f3nQ+3lCS9AFaTbNV+7FOIS wFgyHbn82bHTzMLhzPz6PABQtewWcZUhWBg6CGMoA6uPKvWTj8eq9FtLQMXpyML5BR5k 4OiSjzdGI2S0ekzQckNXgHqm6KjGIpZFNR2DDyHAJKqipoBmGilJEYtpVkFglcsh/OvG oC1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=PSt1cdfG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ci5si12694868plb.45.2019.06.25.00.52.45; Tue, 25 Jun 2019 00:53:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@infradead.org header.s=merlin.20170209 header.b=PSt1cdfG; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728206AbfFYHe7 (ORCPT + 99 others); Tue, 25 Jun 2019 03:34:59 -0400 Received: from merlin.infradead.org ([205.233.59.134]:54252 "EHLO merlin.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726846AbfFYHe6 (ORCPT ); Tue, 25 Jun 2019 03:34:58 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=EfE9b6iC+ztQ2vj5wKDIVg9bT9RfKnT+aDZ7Xh8JmQE=; b=PSt1cdfG8jH5IrxOFwBR1B7iF JopUIkQmRjHxy5FprH9Y9CT7pNwP2YVqEqKo8zs1R7JVlb0XlkpvWvDzyT/iV0M726xXDDr5LAztO +clzTA2iC4AVb5yD2D0yaHL8M1nGCoVcywSlRINOe6I6HWIOVZORlh/9C5BAk+4Pe6zgbun+JUf/e slVVCpJLcSsz0tYF3bVjdB9286lk2vtmB7eBZ0K+d/xiufG0TuVMCQs6wQOQY+JfJGHnxgNb+T7bF KTIygfAloBmKQn/5WzScPCwqIV95gzFkI96M7ypN2EJxsIVWZG4UVAZ6OUoZ0KszrzoN8t3rFlXUh 34boJnm5Q==; Received: from j217100.upc-j.chello.nl ([24.132.217.100] helo=hirez.programming.kicks-ass.net) by merlin.infradead.org with esmtpsa (Exim 4.92 #3 (Red Hat Linux)) id 1hffxx-0002XT-5n; Tue, 25 Jun 2019 07:34:09 +0000 Received: by hirez.programming.kicks-ass.net (Postfix, from userid 1000) id EDA9E209FFF54; Tue, 25 Jun 2019 09:34:07 +0200 (CEST) Date: Tue, 25 Jun 2019 09:34:07 +0200 From: Peter Zijlstra To: Jann Horn Cc: Joel Fernandes , kernel list , Oleg Nesterov , Mathieu Desnoyers , Matthew Wilcox , Will Deacon , "Paul E . McKenney" , Elena Reshetova , Kees Cook , kernel-team , Kernel Hardening , Andrew Morton , "Eric W. Biederman" , Greg Kroah-Hartman , Michal Hocko Subject: Re: [PATCH RFC v2] Convert struct pid count to refcount_t Message-ID: <20190625073407.GP3436@hirez.programming.kicks-ass.net> References: <20190624184534.209896-1-joel@joelfernandes.org> <20190624185214.GA211230@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jun 24, 2019 at 09:10:15PM +0200, Jann Horn wrote: > That part of the documentation only talks about cases where you have a > control dependency on the return value of the refcount operation. But > refcount_inc() does not return a value, so this isn't relevant for > refcount_inc(). > > Also, AFAIU, the control dependency mentioned in the documentation has > to exist *in the caller* - it's just pointing out that if you write > code like the following, you have a control dependency between the > refcount operation and the write: > > if (refcount_inc_not_zero(&obj->refcount)) { > WRITE_ONCE(obj->x, y); > } > > For more information on the details of this stuff, try reading the > section "CONTROL DEPENDENCIES" of Documentation/memory-barriers.txt. IIRC the argument went as follows: - if you use refcount_inc(), you've already got a stable object and have ACQUIRED it otherwise, typically through locking. - if you use refcount_inc_not_zero(), you have a semi stable object (RCU), but you still need to ensure any changes to the object happen after acquiring a reference, and this is where the control dependency comes in as Jann already explained. Specifically, it would be bad to allow STOREs to happen before we know the refcount isn't 0, as that would be a UaF. Also see the comment in lib/refcount.c.