| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250708091626.BYR6lG2J@linutronix.de>
Date: Tue, 8 Jul 2025 11:16:26 +0200
From: Sebastian Andrzej Siewior <bigeasy@...utronix.de>
To: Hillf Danton <hdanton@...a.com>
Cc: linux-kernel@...r.kernel.org, Davidlohr Bueso <dave@...olabs.net>,
Peter Zijlstra <peterz@...radead.org>,
Waiman Long <longman@...hat.com>
Subject: Re: [PATCH 2/3] futex: Use RCU-based per-CPU reference counting
instead of rcuref_t
On 2025-07-08 16:56:39 [+0800], Hillf Danton wrote:
> On Mon, 7 Jul 2025 16:36:22 +0200 Sebastian Andrzej Siewior wrote:
> > +static bool futex_ref_get(struct futex_private_hash *fph)
> > +{
> > + struct mm_struct *mm = fph->mm;
> > +
> > + guard(rcu)();
> > +
> Like regular refcount_t, it is buggy to touch fph if futex_atomic drops
> to 0. And more important guard(rcu) does not prevent it from dropping to 0.
What is your intention with this? There is an inc-if-not-zero to ensure
this does not happen. And it has to drop to zero in order to get
replaced.
> > + if (smp_load_acquire(&fph->state) == FR_PERCPU) {
> > + this_cpu_inc(*mm->futex_ref);
> > + return true;
> > + }
> > +
> > + return atomic_long_inc_not_zero(&mm->futex_atomic);
> > +}
> > +
> > +static bool futex_ref_put(struct futex_private_hash *fph)
> > +{
> > + struct mm_struct *mm = fph->mm;
> > +
> > + guard(rcu)();
> > +
> > + if (smp_load_acquire(&fph->state) == FR_PERCPU) {
> > + this_cpu_dec(*mm->futex_ref);
> > + return false;
> > + }
> > +
> > + return atomic_long_dec_and_test(&mm->futex_atomic);
> > +}
Sebastian
Powered by blists - more mailing lists