Received: by 10.223.164.202 with SMTP id h10csp335963wrb; Fri, 17 Nov 2017 01:14:16 -0800 (PST) X-Google-Smtp-Source: AGs4zMZWlVlpuwbR3zqopO4OLUGgaUvgdSsfSn8CQYOlezqKjpUxzJ07J/kR0WKdHrunFLf+3Ixx X-Received: by 10.98.31.142 with SMTP id l14mr1377328pfj.62.1510910056858; Fri, 17 Nov 2017 01:14:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1510910056; cv=none; d=google.com; s=arc-20160816; b=X5dpPDHX85GYfqIZlsnI8oAImb7AZgrUd0DNVIuAWLHXw9ugRjA7mp44vs5mCIjCuH hAO4PrXmaPkISJwmWHm8UpDJF39GILDDM2aoOUrX60SIpkYzgsjrzAOdhQhqi+aymYHe iU6kSCmJYsUa01rKPtUuAGTnDgFxlmZ4v2S/XZaVmMNPoP9yaKVFC5RpUVplmKOcVXXF rW2scRC50SzdBtUCLj9U3eWkUiYjaGk0+rSckBhEAtPmxnOBEyeylXzVWD/UQyU9gAjB x43uJl/FdQSXVQKtM/y3Uxl+h2hyzS+OoD3FcEhmQu/Cx+ojUZkQqxtn48ZEadJqBJED ZJow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature:dkim-signature :arc-authentication-results; bh=UuYE7HjO0Fh9+AnV801V3gbUvv80P5P1UZkcH7+Ak9o=; b=QuGlJjcSORDCff4zMdMlS1daNgdlzuYdEpiY8ETMHyNzynvHJf7BrbJhw73NCQ+UoX C2+5b/iXhCWYhQ2Rr7sSZyoPc4QPtsUh8t2iNGfTI+cnbVz504So0amJDZy2kea3WI+v 4EbMaDHtFV8ZlW8WYXXQrF229FSiR0ij4fXUVoRErauO9ozuQSb+Nr9n+7SQrRd34Acp uqsGEPLE4pyGTUP+LENpO5xeUK4pnHNKASTo8QrPiEqj1FqC6CjMls7/jQ7kJ1vXupNC /pj70fkl6XgQYFIpaCtiKzYbHXGwBkdGIGtpzjz1kLMjW4Lcptlgn3cSp2P+/6gV+YTI yaPQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=lkrnSQYI; dkim=fail header.i=@chromium.org header.s=google header.b=ctuUn+3y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z188si2381481pgb.121.2017.11.17.01.14.02; Fri, 17 Nov 2017 01:14:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=lkrnSQYI; dkim=fail header.i=@chromium.org header.s=google header.b=ctuUn+3y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S966078AbdKPXbo (ORCPT + 92 others); Thu, 16 Nov 2017 18:31:44 -0500 Received: from mail-it0-f66.google.com ([209.85.214.66]:45011 "EHLO mail-it0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S966050AbdKPXbg (ORCPT ); Thu, 16 Nov 2017 18:31:36 -0500 Received: by mail-it0-f66.google.com with SMTP id b5so2031087itc.3 for ; Thu, 16 Nov 2017 15:31:35 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UuYE7HjO0Fh9+AnV801V3gbUvv80P5P1UZkcH7+Ak9o=; b=lkrnSQYIo0r7kNlgN5EwbZSdpnXmZpj0/Z2ybimllTt377DZt63wsIoUmYX3Me74l6 euRl762mWd92K3mWN7jBbwLTM7WSA59mjcMVfOHBROY9Uqd6JA16N6VaYr2fD74dp1oF yA3pCFYEH2LHSAe8vBT/wcwv5b2aAm7nB8sNazGtZTXay9kFWcSzWeko2LSvuMnkCBP7 RRz5jcDV6WQIoiOPNo2NBnQgq9sUxLJtkvXiTAdKYEW5ggDDFi0uqZuKIzeZUKS8XJcq cg1AjAkVX8z9HuhemP62/fvQ7jh90pTR71LvnVLqwrPz7uoG6szJGP4s1k6SKqaZTdsZ i3xA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UuYE7HjO0Fh9+AnV801V3gbUvv80P5P1UZkcH7+Ak9o=; b=ctuUn+3yIkjckMDdbATwlbG5ipjrgpKH3Y8PrNJCnlEvR6I+M1lGZk3vG5rKLV4eKO aCGGYGXsTgxeEgOPNzp2YOS3XHXToosR53DsU5l5TbeEayBwHLtxB4iAW6do4Yf/pA5k pjO/bovX+E97e9WR5UIY+HsVuFO0fK93xKGUY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UuYE7HjO0Fh9+AnV801V3gbUvv80P5P1UZkcH7+Ak9o=; b=krInFYJYvIUZF0JpVtABLx0hherO9+jAiBbepanYw5nGEApuzefnFNBFfJW/I0q2OL BtDoIUftNvEGxqP0Co8av2w+RMQBqYjromJ2MkSlUY6bv6FEjWwCKVefNX8vRXga14Ri IT2tURd4FZb2t05osGU+PwvtxevzUnDhnmQp+OqyAT+MWwmhf5i4+RvSg49stqXDqDTL cohTMAcozDPAQy9SNyWYh1gb+cBCXWsBGDvIuqpmXfdsLxo5vIjc5xouA8N+8YRqB+gm R3+pAmqDPt5Q64M1dOoUV5XaVNiJ8uaHU0NDiWKr89yyDcZXvwNuU7sgbWLupB6C+TbU DUcQ== X-Gm-Message-State: AJaThX4BphKFdApJkj18TPdh6HaXg+9FgCzn1TuH2F0aBCvH8sKQ+got WZvchSx4csox+WhMyQqNZc8d3SRez8dnsORb3Ef0Yw2PiyU= X-Received: by 10.36.81.21 with SMTP id s21mr4506108ita.144.1510875094928; Thu, 16 Nov 2017 15:31:34 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.13.5 with HTTP; Thu, 16 Nov 2017 15:31:34 -0800 (PST) In-Reply-To: <1510732551-25547-2-git-send-email-elena.reshetova@intel.com> References: <1510732551-25547-1-git-send-email-elena.reshetova@intel.com> <1510732551-25547-2-git-send-email-elena.reshetova@intel.com> From: Kees Cook Date: Thu, 16 Nov 2017 15:31:34 -0800 X-Google-Sender-Auth: wpp7idtE2vFcCCwI96UnHmsQoNs Message-ID: Subject: Re: [PATCH] refcount_t: documentation for memory ordering differences To: Elena Reshetova Cc: Peter Zijlstra , LKML , Greg KH , Thomas Gleixner , Ingo Molnar , Hans Liljestrand , "Paul E. McKenney" , Alan Stern , Jonathan Corbet , linux-doc@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 14, 2017 at 11:55 PM, Elena Reshetova wrote: > Some functions from refcount_t API provide different > memory ordering guarantees that their atomic counterparts. > This adds a document outlining these differences. Thanks for writing this up! One bike-shedding thing I'll bring up before anyone else does is: please format this in ReST and link to it from somewhere (likely developer documentation) in the Documentation/ index.rst file somewhere. Perhaps in Documentation/core-api/index.rst ? Lots of notes here: https://www.kernel.org/doc/html/latest/doc-guide/sphinx.html#writing-documentation > Signed-off-by: Elena Reshetova > --- > Documentation/refcount-vs-atomic.txt | 124 +++++++++++++++++++++++++++++++++++ > 1 file changed, 124 insertions(+) > create mode 100644 Documentation/refcount-vs-atomic.txt > > diff --git a/Documentation/refcount-vs-atomic.txt b/Documentation/refcount-vs-atomic.txt > new file mode 100644 > index 0000000..e703039 > --- /dev/null > +++ b/Documentation/refcount-vs-atomic.txt > @@ -0,0 +1,124 @@ > +================================== > +refcount_t API compare to atomic_t "compared" > +================================== > + > +The goal of refcount_t API is to provide a minimal API for implementing > +object's reference counters. While a generic architecture-independent "an object's" > +implementation from lib/refcount.c uses atomic operations underneath, > +there are a number of differences between some of the refcount_*() and > +atomic_*() functions with regards to the memory ordering guarantees. > + > +This document outlines the differences and provides respective examples > +in order to help maintainers validate their code against the change in > +these memory ordering guarantees. > + > +memory-barriers.txt and atomic_t.txt provide more background to the > +memory ordering in general and for atomic operations specifically. > + > +Notation Should this section be called "Types of memory ordering"? > +======== > + > +An absence of memory ordering guarantees (i.e. fully unordered) > +in case of atomics & refcounters only provides atomicity and I can't parse this. "In an absense ... atomics & refcounts only provide ... "? > +program order (po) relation (on the same CPU). It guarantees that > +each atomic_*() and refcount_*() operation is atomic and instructions > +are executed in program order on a single CPU. > +Implemented using READ_ONCE()/WRITE_ONCE() and > +compare-and-swap primitives. For here an later, maybe "This is implemented ..." > + > +A strong (full) memory ordering guarantees that all prior loads and > +stores (all po-earlier instructions) on the same CPU are completed > +before any po-later instruction is executed on the same CPU. > +It also guarantees that all po-earlier stores on the same CPU > +and all propagated stores from other CPUs must propagate to all > +other CPUs before any po-later instruction is executed on the original > +CPU (A-cumulative property). Implemented using smp_mb(). > + > +A RELEASE memory ordering guarantees that all prior loads and > +stores (all po-earlier instructions) on the same CPU are completed > +before the operation. It also guarantees that all po-earlier > +stores on the same CPU and all propagated stores from other CPUs > +must propagate to all other CPUs before the release operation > +(A-cumulative property). Implemented using smp_store_release(). > + > +A control dependency (on success) for refcounters guarantees that > +if a reference for an object was successfully obtained (reference > +counter increment or addition happened, function returned true), > +then further stores are ordered against this operation. > +Control dependency on stores are not implemented using any explicit > +barriers, but rely on CPU not to speculate on stores. This is only > +a single CPU relation and provides no guarantees for other CPUs. > + > + > +Comparison of functions > +========================== > + > +case 1) - non-RMW ops Should this be spelled out "Read/Modify/Write"? > +--------------------- > + > +Function changes: > + atomic_set() --> refcount_set() > + atomic_read() --> refcount_read() > + > +Memory ordering guarantee changes: > + fully unordered --> fully unordered Maybe say: "none (both fully unordered)" > +case 2) - increment-based ops that return no value > +-------------------------------------------------- > + > +Function changes: > + atomic_inc() --> refcount_inc() > + atomic_add() --> refcount_add() > + > +Memory ordering guarantee changes: > + fully unordered --> fully unordered Same. > +case 3) - decrement-based RMW ops that return no value > +------------------------------------------------------ > +Function changes: > + atomic_dec() --> refcount_dec() > + > +Memory ordering guarantee changes: > + fully unordered --> RELEASE ordering Should the sections where there is a change include an example of how this might matter to a developer? > + > + > +case 4) - increment-based RMW ops that return a value > +----------------------------------------------------- > + > +Function changes: > + atomic_inc_not_zero() --> refcount_inc_not_zero() > + no atomic counterpart --> refcount_add_not_zero() > + > +Memory ordering guarantees changes: > + fully ordered --> control dependency on success for stores > + > +*Note*: we really assume here that necessary ordering is provided as a result > +of obtaining pointer to the object! Same. > + > + > +case 5) - decrement-based RMW ops that return a value > +----------------------------------------------------- > + > +Function changes: > + atomic_dec_and_test() --> refcount_dec_and_test() > + atomic_sub_and_test() --> refcount_sub_and_test() > + no atomic counterpart --> refcount_dec_if_one() > + atomic_add_unless(&var, -1, 1) --> refcount_dec_not_one(&var) > + > +Memory ordering guarantees changes: > + fully ordered --> RELEASE ordering + control dependency > + > +Note: atomic_add_unless() only provides full order on success. Same. > + > + > +case 6) - lock-based RMW > +------------------------ > + > +Function changes: > + > + atomic_dec_and_lock() --> refcount_dec_and_lock() > + atomic_dec_and_mutex_lock() --> refcount_dec_and_mutex_lock() > + > +Memory ordering guarantees changes: > + fully ordered --> RELEASE ordering + control dependency + > + hold spin_lock() on success Same. This looks like a good start to helping people answer questions about refcount_t memory ordering. Thanks! -Kees -- Kees Cook Pixel Security From 1584118008493682834@xxx Wed Nov 15 07:57:38 +0000 2017 X-GM-THRID: 1584118008493682834 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread