From: Thomas Gleixner <tglx@linutronix.de>
To: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Cc: arjan.van.de.ven@intel.com, arjan@linux.intel.com,
boqun.feng@gmail.com, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, linux-kernel@vger.kernel.org,
mark.rutland@arm.com, maz@kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, peterz@infradead.org,
torvalds@linuxfoundation.org, wangyang.guo@intel.com,
will@kernel.org, x86@kernel.org
Subject: Re: [patch V2 3/4] atomics: Provide rcuref - scalable reference counting
Date: Mon, 20 Mar 2023 17:05:56 +0100
Message-ID: <87o7on9zmj.ffs@tglx>
In-Reply-To: <20230309083523.66592-1-qiuxu.zhuo@intel.com>
Qiuxu!
On Thu, Mar 09 2023 at 16:35, Qiuxu Zhuo wrote:
>> rcuref treats the underlying atomic_t as an unsigned integer and partitions
>> this space into zones:
>>
>> 0x00000000 - 0x7FFFFFFF valid zone (1 .. INT_MAX references)
>
> From the point of rcuref_read()'s view:
> 0x00000000 encodes 1, ..., then 0x7FFFFFFF should encode INT_MAX + 1
> references.
Correct.
>> + * The actual race is possible due to the unconditional increment and
>> + * decrements in rcuref_get() and rcuref_put():
>> + *
>> + * T1 T2
>> + * get() put()
>> + * if (atomic_add_negative(1, &ref->refcnt))
>
> For T2 put() here:
> "if (atomic_add_negative(1, &ref->refcnt))" ->
> "if (atomic_add_negative(-1, &ref->refcnt))"
Yup.
>> + * succeeds-> atomic_cmpxchg(&ref->refcnt, -1, DEAD);
>
> Is it more readable if 's/-1/NODEF/g' ?
True
>> + * T1 T2
>> + * put() get()
>> + * // ref->refcnt = ONEREF
>> + * if (atomic_add_negative(-1, &ref->cnt))
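Review bot: The put() line for T1 names the counter "&ref->cnt", while the comment line directly above it ("// ref->refcnt = ONEREF") and the get() line further down use "ref->refcnt". Use "&ref->refcnt" here as well so the diagram refers to one field name throughout.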
>
> For T1 put() here:
> "if (atomic_add_negative(-1, &ref->cnt))" ->
> "if (!atomic_add_negative(-1, &ref->cnt))"
Indeed.
>> + * return false; <- Not taken
>> + *
>> + * // ref->refcnt == NOREF
>> + * --> preemption
>> + * // Elevates ref->c to ONEREF
>
> s/ref->c/ref->refcnt/g
Yes.
>> + * if (!atomic_add_negative(1, &ref->refcnt))
>> + * return true; <- taken
>> + *
>> + * if (put(&p->ref)) { <-- Succeeds
>> + * remove_pointer(p);
>> + * kfree_rcu(p, rcu);
>> + * }
>> + *
>> + * RCU grace period ends, object is freed
>> + *
>> + * atomic_cmpxchg(&ref->refcnt, NONE, DEAD); <- UAF
>
> s/NONE/NOREF/g
Right. Thanks for spotting these details!
Thomas