From: Mateusz Guzik <mguzik@redhat.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lionel Debroux <lionel_debroux@yahoo.fr>,
linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] drm: make variable named "refcount" atomic, like most refcounts in the kernel.
Date: Sun, 27 Apr 2014 01:42:05 +0200 [thread overview]
Message-ID: <20140426234204.GD17562@mguzik.redhat.com> (raw)
In-Reply-To: <20140426230056.GH18016@ZenIV.linux.org.uk>
On Sun, Apr 27, 2014 at 12:00:56AM +0100, Al Viro wrote:
> (..)Non-atomic variant would be
> if (++*p < 0) {
> --*p;
> whine
> send SIGKILL to ourselves
> }
> which is nowhere near a sane mitigation in this case. Much saner one would
> be (*IF* the overflow is, indeed, possible and if simple s/int/long/ wouldn't
> be a better fix) something along the lines of
> mutex_lock(&item->mutex);
> if (unlikely(item->refcount == INT_MAX)) {
> ret = -EINVAL;
> <maybe whine and/or raise SIGKILL>
> goto out_err;
> }
> <what we do there right now>
>
> Mind you, I would be quite surprised if it turned out to be even
> theoretically possible to get that overflow here (judging by the look
> of callers, you'll run out of device numbers long before), but that's
> a separate story.
>
> The point is, your "useful feature" is anything but, when applied without
> careful analysis of the situation; it's *not* a universal improvement.
I would argue even functions doing mere ptr->count++ and so on would be
useful.
For instance people who are fuzzing kernels looking for refcount
leaks/overupts could place low thresholds in these functions (along with
atomic ops) to increase chances that problems will manifest themselves.
(and this would help more people who report such problems)
The kernel locking itself up afterwards is not a problem for them.
That is provided there is enough hand-coded refcount code, if this would
be the only consumer (which will most likely never leak anyway) then this
is defnitely not worth it.
--
Mateusz Guzik
prev parent reply other threads:[~2014-04-26 23:42 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-26 16:06 [PATCH] drm: make variable named "refcount" atomic, like most refcounts in the kernel Lionel Debroux
2014-04-26 16:35 ` Al Viro
2014-04-26 17:03 ` Mateusz Guzik
2014-04-26 20:09 ` Lionel Debroux
2014-04-26 23:00 ` Al Viro
2014-04-26 23:42 ` Mateusz Guzik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140426234204.GD17562@mguzik.redhat.com \
--to=mguzik@redhat.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lionel_debroux@yahoo.fr \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox