[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 6 Jun 2018 13:59:19 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
Cc: linux-kernel@...r.kernel.org, tglx@...utronix.de,
Ingo Molnar <mingo@...hat.com>,
Anna-Maria Gleixner <anna-maria@...utronix.de>,
Richard Henderson <rth@...ddle.net>,
Ivan Kokshaysky <ink@...assic.park.msu.ru>,
Matt Turner <mattst88@...il.com>, linux-alpha@...r.kernel.org
Subject: Re: [PATCH 0.5/5] alpha: remove custom dec_and_lock() implementation
On Wed, Jun 06, 2018 at 01:18:50PM +0200, Sebastian Andrzej Siewior wrote:
> - atomic_add_unless() adds more memory barriers compared to the custom
> assembly
> I can't tell if the different memory barriers
> are an issue but having the same barriers is probably good.
refcount decrement needs to be a RELEASE operation, such that all the
load/stores to the object happen before we decrement the refcount.
Otherwise things like:
obj-foo = 5;
refcnt_dec(&obj->ref);
can be re-ordered, which then allows fun scenarios like:
CPU0 CPU1
refcnt_dec(&obj->ref);
if (dec_and_test(&obj->ref))
free(obj);
obj->foo = 5; // oops UaF
This means (for alpha) that there should be a memory barrier _before_
the decrement, however the dec_and_lock asm thing only has one _after_,
which, per the above, is too late.
The generic version using add_unless will result in memory barrier
before and after (because that is the rule for atomic ops with a return
value) which is strictly too many barriers for the refcount story, but
who knows what other ordering requirements code has.
Powered by blists - more mailing lists