From: Al Viro <viro@zeniv.linux.org.uk>
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: "Matthew Wilcox" <willy@infradead.org>,
"Christoph Hellwig" <hch@lst.de>,
linux-fsdevel@vger.kernel.org,
"Octavian Purdila" <octavian.purdila@intel.com>,
"Pantelis Antoniou" <pantelis.antoniou@konsulko.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Kai Mäkisara" <Kai.Makisara@kolumbus.fi>,
linux-scsi@vger.kernel.org
Subject: Re: [RFC] Re: broken userland ABI in configfs binary attributes
Date: Tue, 27 Aug 2019 13:53:24 +0100 [thread overview]
Message-ID: <20190827125324.GR1131@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CAJfpegvvi0XLhtB3JxyVfzSG4T8A0k+CZ6=8EMUDsgWcwZkvyg@mail.gmail.com>
On Tue, Aug 27, 2019 at 02:21:50PM +0200, Miklos Szeredi wrote:
> On Tue, Aug 27, 2019 at 1:58 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
> >
> > On Tue, Aug 27, 2019 at 10:51:44AM +0200, Miklos Szeredi wrote:
> >
> > > How about something like this:
> > >
> > > #if BITS_PER_LONG == 32
> > > #define F_COUNT_SHORTTERM ((1UL << 24) + 1)
> > > #else
> > > #define F_COUNT_SHORTTERM ((1UL << 48) + 1)
> > > #endif
> > >
> > > static inline void get_file_shortterm(struct file *f)
> > > {
> > > atomic_long_add(F_COUNT_SHORTTERM, &f->f_count);
> > > }
> > >
> > > static inline void put_file_shortterm(struct file *f)
> > > {
> > > fput_many(f, F_COUNT_SHORTTERM);
> > > }
> > >
> > > static inline bool file_is_last_longterm(struct file *f)
> > > {
> > > return atomic_long_read(&f->f_count) % F_COUNT_SHORTTERM == 1;
> > > }
> >
> > So 256 threads boinking on the same fdinfo at the same time
> > and struct file can be freed right under them?
>
> Nope, 256 threads booking short term refs will result in f_count = 256
> (note the +1 in .F_COUNT_SHORTTERM). Which can result in false
> negative returned by file_is_last_longterm() but no false freeing.
Point (sorry, should've grabbed some coffee to wake up properly before replying)
> > Or a bit over
> > million of dup(), then forking 15 more children, for that matter...
>
> Can give false positive for file_is_last_longterm() but no false freeing.
>
> 255 short term refs + ~16M long term refs together can result in false
> freeing, true.
Yes. No matter how you slice it, the main problem with f_count
overflows (and the reason for atomic_long_t for f_count) is that
we *can* have a lot of references to struct file, held just by
descriptor tables. Those are almost pure arrays of pointers (well,
that and a couple of bitmaps), so "it would be impossible to fit
into RAM" is not that much of a limitation. 512M references to
the same struct file are theoretically doable; 256M *are* doable,
and the (32bit) hardware doesn't have to be all that beefy.
So you need to distinguish 2^28 possible states on the long-term
references alone. Which leaves you 4 bits for anything else,
no matter how you encode that. And that's obviously too little.
> > Seriously, it might be OK on 64bit (with something like "no more
> > than one reference held by a thread", otherwise you'll run
> > into overflows even there - 65536 of your shortterm references
> > aren't that much). On 32bit it's a non-starter - too easy to
> > overflow.
>
> No, 64bit would be impossible to overflow. But if we have to special
> case 32bit then it's not worth it...
Agreed and agreed.
next prev parent reply other threads:[~2019-08-27 12:53 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-26 2:48 broken userland ABI in configfs binary attributes Al Viro
2019-08-26 16:29 ` [RFC] " Al Viro
2019-08-26 18:20 ` Matthew Wilcox
2019-08-26 19:28 ` Al Viro
2019-08-27 8:51 ` Miklos Szeredi
2019-08-27 11:58 ` Al Viro
2019-08-27 12:21 ` Miklos Szeredi
2019-08-27 12:53 ` Al Viro [this message]
2019-08-31 8:32 ` Christoph Hellwig
2019-08-31 13:35 ` Al Viro
2019-08-31 14:44 ` Christoph Hellwig
2019-08-31 15:58 ` Al Viro
2019-08-26 18:34 ` "Kai Mäkisara (Kolumbus)"
2019-08-26 19:32 ` Al Viro
2019-08-27 15:01 ` Boaz Harrosh
2019-08-27 17:27 ` Al Viro
2019-08-27 17:59 ` Boaz Harrosh
2019-08-29 22:22 ` Al Viro
2019-08-29 23:32 ` Al Viro
2019-08-30 4:10 ` Dave Chinner
2019-08-30 4:44 ` Al Viro
2019-08-31 8:28 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190827125324.GR1131@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=Kai.Makisara@kolumbus.fi \
--cc=hch@lst.de \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=octavian.purdila@intel.com \
--cc=pantelis.antoniou@konsulko.com \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.