blob: 5ec00a4a64d11cadcef29e953d1b388cc41dfcc7 [file] [log] [blame]
// SPDX-License-Identifier: GPL-2.0-only
/*
* rcuref - A scalable reference count implementation for RCU managed objects
*
* rcuref is provided to replace open coded reference count implementations
* based on atomic_t. It protects explicitely RCU managed objects which can
* be visible even after the last reference has been dropped and the object
* is heading towards destruction.
*
* A common usage pattern is:
*
* get()
* rcu_read_lock();
* p = get_ptr();
* if (p && !atomic_inc_not_zero(&p->refcnt))
* p = NULL;
* rcu_read_unlock();
* return p;
*
* put()
* if (!atomic_dec_return(&->refcnt)) {
* remove_ptr(p);
* kfree_rcu((p, rcu);
* }
*
* atomic_inc_not_zero() is implemented with a try_cmpxchg() loop which has
* O(N^2) behaviour under contention with N concurrent operations.
*
* rcuref uses atomic_add_negative_relaxed() for the fast path, which scales
* better under contention.
*
* Why not refcount?
* =================
*
* In principle it should be possible to make refcount use the rcuref
* scheme, but the destruction race described below cannot be prevented
* unless the protected object is RCU managed.
*
* Theory of operation
* ===================
*
* rcuref uses an unsigned integer reference counter. As long as the
* counter value is greater than or equal to RCUREF_ONEREF and not larger
* than RCUREF_MAXREF the reference is alive:
*
* ONEREF MAXREF SATURATED RELEASED DEAD NOREF
* 0 0x7FFFFFFF 0x8000000 0xA0000000 0xBFFFFFFF 0xC0000000 0xE0000000 0xFFFFFFFF
* <---valid --------> <-------saturation zone-------> <-----dead zone----->
*
* The get() and put() operations do unconditional increments and
* decrements. The result is checked after the operation. This optimizes
* for the fast path.
*
* If the reference count is saturated or dead, then the increments and
* decrements are not harmful as the reference count still stays in the
* respective zones and is always set back to STATURATED resp. DEAD. The
* zones have room for 2^28 racing operations in each direction, which
* makes it practically impossible to escape the zones.
*
* Once the last reference is dropped the reference count becomes
* RCUREF_NOREF which forces rcuref_put() into the slowpath operation. The
* slowpath then tries to set the reference count from RCUREF_NOREF to
* RCUREF_DEAD via a cmpxchg(). This opens a small window where a
* concurrent rcuref_get() can acquire the reference count and bring it
* back to RCUREF_ONEREF or even drop the reference again and mark it DEAD.
*
* If the cmpxchg() succeeds then a concurrent rcuref_get() will result in
* DEAD + 1, which is inside the dead zone. If that happens the reference
* count is put back to DEAD.
*
* The actual race is possible due to the unconditional increment and
* decrements in rcuref_get() and rcuref_put():
*
* T1 T2
* get() put()
* if (atomic_add_negative(-1, &ref->refcnt))
* succeeds-> atomic_cmpxchg(&ref->refcnt, NOREF, DEAD);
*
* atomic_add_negative(1, &ref->refcnt); <- Elevates refcount to DEAD + 1
*
* As the result of T1's add is negative, the get() goes into the slow path
* and observes refcnt being in the dead zone which makes the operation fail.
*
* Possible critical states:
*
* Context Counter References Operation
* T1 0 1 init()
* T2 1 2 get()
* T1 0 1 put()
* T2 -1 0 put() tries to mark dead
* T1 0 1 get()
* T2 0 1 put() mark dead fails
* T1 -1 0 put() tries to mark dead
* T1 DEAD 0 put() mark dead succeeds
* T2 DEAD+1 0 get() fails and puts it back to DEAD
*
* Of course there are more complex scenarios, but the above illustrates
* the working principle. The rest is left to the imagination of the
* reader.
*
* Deconstruction race
* ===================
*
* The release operation must be protected by prohibiting a grace period in
* order to prevent a possible use after free:
*
* T1 T2
* put() get()
* // ref->refcnt = ONEREF
* if (!atomic_add_negative(-1, &ref->refcnt))
* return false; <- Not taken
*
* // ref->refcnt == NOREF
* --> preemption
* // Elevates ref->refcnt to ONEREF
* if (!atomic_add_negative(1, &ref->refcnt))
* return true; <- taken
*
* if (put(&p->ref)) { <-- Succeeds
* remove_pointer(p);
* kfree_rcu(p, rcu);
* }
*
* RCU grace period ends, object is freed
*
* atomic_cmpxchg(&ref->refcnt, NOREF, DEAD); <- UAF
*
* This is prevented by disabling preemption around the put() operation as
* that's in most kernel configurations cheaper than a rcu_read_lock() /
* rcu_read_unlock() pair and in many cases even a NOOP. In any case it
* prevents the grace period which keeps the object alive until all put()
* operations complete.
*
* Saturation protection
* =====================
*
* The reference count has a saturation limit RCUREF_MAXREF (INT_MAX).
* Once this is exceedded the reference count becomes stale by setting it
* to RCUREF_SATURATED, which will cause a memory leak, but it prevents
* wrap arounds which obviously cause worse problems than a memory
* leak. When saturation is reached a warning is emitted.
*
* Race conditions
* ===============
*
* All reference count increment/decrement operations are unconditional and
* only verified after the fact. This optimizes for the good case and takes
* the occasional race vs. a dead or already saturated refcount into
* account. The saturation and dead zones are large enough to accomodate
* for that.
*
* Memory ordering
* ===============
*
* Memory ordering rules are slightly relaxed wrt regular atomic_t functions
* and provide only what is strictly required for refcounts.
*
* The increments are fully relaxed; these will not provide ordering. The
* rationale is that whatever is used to obtain the object to increase the
* reference count on will provide the ordering. For locked data
* structures, its the lock acquire, for RCU/lockless data structures its
* the dependent load.
*
* rcuref_get() provides a control dependency ordering future stores which
* ensures that the object is not modified when acquiring a reference
* fails.
*
* rcuref_put() provides release order, i.e. all prior loads and stores
* will be issued before. It also provides a control dependency ordering
* against the subsequent destruction of the object.
*
* If rcuref_put() successfully dropped the last reference and marked the
* object DEAD it also provides acquire ordering.
*/
#include <linux/export.h>
#include <linux/rcuref.h>
/**
* rcuref_get_slowpath - Slowpath of rcuref_get()
* @ref: Pointer to the reference count
*
* Invoked when the reference count is outside of the valid zone.
*
* Return:
* False if the reference count was already marked dead
*
* True if the reference count is saturated, which prevents the
* object from being deconstructed ever.
*/
bool rcuref_get_slowpath(rcuref_t *ref)
{
unsigned int cnt = atomic_read(&ref->refcnt);
/*
* If the reference count was already marked dead, undo the
* increment so it stays in the middle of the dead zone and return
* fail.
*/
if (cnt >= RCUREF_RELEASED) {
atomic_set(&ref->refcnt, RCUREF_DEAD);
return false;
}
/*
* If it was saturated, warn and mark it so. In case the increment
* was already on a saturated value restore the saturation
* marker. This keeps it in the middle of the saturation zone and
* prevents the reference count from overflowing. This leaks the
* object memory, but prevents the obvious reference count overflow
* damage.
*/
if (WARN_ONCE(cnt > RCUREF_MAXREF, "rcuref saturated - leaking memory"))
atomic_set(&ref->refcnt, RCUREF_SATURATED);
return true;
}
EXPORT_SYMBOL_GPL(rcuref_get_slowpath);
/**
* rcuref_put_slowpath - Slowpath of __rcuref_put()
* @ref: Pointer to the reference count
*
* Invoked when the reference count is outside of the valid zone.
*
* Return:
* True if this was the last reference with no future references
* possible. This signals the caller that it can safely schedule the
* object, which is protected by the reference counter, for
* deconstruction.
*
* False if there are still active references or the put() raced
* with a concurrent get()/put() pair. Caller is not allowed to
* deconstruct the protected object.
*/
bool rcuref_put_slowpath(rcuref_t *ref)
{
unsigned int cnt = atomic_read(&ref->refcnt);
/* Did this drop the last reference? */
if (likely(cnt == RCUREF_NOREF)) {
/*
* Carefully try to set the reference count to RCUREF_DEAD.
*
* This can fail if a concurrent get() operation has
* elevated it again or the corresponding put() even marked
* it dead already. Both are valid situations and do not
* require a retry. If this fails the caller is not
* allowed to deconstruct the object.
*/
if (atomic_cmpxchg_release(&ref->refcnt, RCUREF_NOREF, RCUREF_DEAD) != RCUREF_NOREF)
return false;
/*
* The caller can safely schedule the object for
* deconstruction. Provide acquire ordering.
*/
smp_acquire__after_ctrl_dep();
return true;
}
/*
* If the reference count was already in the dead zone, then this
* put() operation is imbalanced. Warn, put the reference count back to
* DEAD and tell the caller to not deconstruct the object.
*/
if (WARN_ONCE(cnt >= RCUREF_RELEASED, "rcuref - imbalanced put()")) {
atomic_set(&ref->refcnt, RCUREF_DEAD);
return false;
}
/*
* This is a put() operation on a saturated refcount. Restore the
* mean saturation value and tell the caller to not deconstruct the
* object.
*/
if (cnt > RCUREF_MAXREF)
atomic_set(&ref->refcnt, RCUREF_SATURATED);
return false;
}
EXPORT_SYMBOL_GPL(rcuref_put_slowpath);