All of lore.kernel.org
 help / color / mirror / Atom feed
From: Alexei Starovoitov <alexei.starovoitov@gmail.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Kees Cook <keescook@chromium.org>,
	Greg KH <gregkh@linuxfoundation.org>,
	Will Deacon <will.deacon@arm.com>,
	"Reshetova, Elena" <elena.reshetova@intel.com>,
	Arnd Bergmann <arnd@arndb.de>,
	Thomas Gleixner <tglx@linutronix.de>,
	Ingo Molnar <mingo@kernel.org>, "H. Peter Anvin" <hpa@zytor.com>,
	David Windsor <dave@progbits.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>
Subject: Re: [RFC][PATCH 2/7] kref: Add kref_read()
Date: Thu, 17 Nov 2016 08:19:40 -0800	[thread overview]
Message-ID: <20161117161937.GA46515@ast-mbp.thefacebook.com> (raw)
In-Reply-To: <20161117085342.GB3142@twins.programming.kicks-ass.net>

On Thu, Nov 17, 2016 at 09:53:42AM +0100, Peter Zijlstra wrote:
> On Wed, Nov 16, 2016 at 12:08:52PM -0800, Alexei Starovoitov wrote:
> 
> > I prefer to avoid 'fixing' things that are not broken.
> > Note, prog->aux->refcnt already has explicit checks for overflow.
> > locked_vm is used for resource accounting and not refcnt,
> > so I don't see issues there either.
> 
> The idea is to use something along the lines of:
> 
>   http://lkml.kernel.org/r/20161115104608.GH3142@twins.programming.kicks-ass.net
> 
> for all refcounts in the kernel.

I understand the idea. I'm advocating to fix refcnts
explicitly the way we did in bpf land instead of leaking memory,
making processes unkillable and so on.
If refcnt can be bounds checked, it should be done that way, since
it's a clean error path without odd side effects.
Therefore I'm against unconditionally applying refcount to all atomics.

> Also note that your:
> 
> struct bpf_prog *bpf_prog_add(struct bpf_prog *prog, int i)
> {
>         if (atomic_add_return(i, &prog->aux->refcnt) > BPF_MAX_REFCNT) {
>                 atomic_sub(i, &prog->aux->refcnt);
>                 return ERR_PTR(-EBUSY);
>         }
>         return prog;
> }
> 
> is actually broken in the face of an actual overflow. Suppose @i is big
> enough to wrap refcnt into negative space.

'i' is not controlled by user. It's a number of nic hw queues
and BPF_MAX_REFCNT is 32k, so above is always safe.

> Also, the current sentiment is to strongly discourage add/sub operations
> for refcounts.

I agree with this reasoning as well, but it's not hard and fast rule.
If we know we can do 'add' safely, we should.

  reply	other threads:[~2016-11-17 17:27 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-16 20:08 [RFC][PATCH 2/7] kref: Add kref_read() Alexei Starovoitov
2016-11-17  8:53 ` Peter Zijlstra
2016-11-17 16:19   ` Alexei Starovoitov [this message]
2016-11-17 16:34     ` Thomas Gleixner
2016-11-18 17:33     ` Reshetova, Elena
2016-11-19  3:47       ` Alexei Starovoitov
2016-11-21  8:18         ` Reshetova, Elena
2016-11-21 12:47       ` David Windsor
2016-11-21 15:39         ` Reshetova, Elena
2016-11-21 15:49           ` Peter Zijlstra
2016-11-21 16:00             ` Peter Zijlstra
2016-11-21 19:27               ` Reshetova, Elena
2016-11-21 20:12                 ` David Windsor
2016-11-22 10:37                   ` Peter Zijlstra
  -- strict thread matches above, loose matches on Subject: below --
2016-11-14 17:39 [RFC][PATCH 0/7] kref improvements Peter Zijlstra
2016-11-14 17:39 ` [RFC][PATCH 2/7] kref: Add kref_read() Peter Zijlstra
2016-11-14 18:16   ` Christoph Hellwig
2016-11-15  7:28     ` Greg KH
2016-11-15  7:47       ` Peter Zijlstra
2016-11-15  7:33   ` Greg KH
2016-11-15  8:03     ` Peter Zijlstra
2016-11-15 20:53       ` Kees Cook
2016-11-16  8:21         ` Greg KH
2016-11-16 10:10           ` Peter Zijlstra
2016-11-16 10:18             ` Greg KH
2016-11-16 10:11           ` Daniel Borkmann
2016-11-16 10:19             ` Greg KH
2016-11-16 10:09         ` Peter Zijlstra
2016-11-16 18:58           ` Kees Cook
2016-11-17  8:34             ` Peter Zijlstra
2016-11-17 12:30               ` David Windsor
2016-11-17 12:43                 ` Peter Zijlstra
2016-11-17 13:01                   ` Reshetova, Elena
2016-11-17 13:22                     ` Peter Zijlstra
2016-11-17 15:42                       ` Reshetova, Elena
2016-11-17 18:02                       ` Reshetova, Elena
2016-11-17 19:10                         ` Peter Zijlstra
2016-11-17 19:29                         ` Peter Zijlstra
2016-11-17 19:34               ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20161117161937.GA46515@ast-mbp.thefacebook.com \
    --to=alexei.starovoitov@gmail.com \
    --cc=arnd@arndb.de \
    --cc=daniel@iogearbox.net \
    --cc=dave@progbits.org \
    --cc=elena.reshetova@intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=hpa@zytor.com \
    --cc=keescook@chromium.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@kernel.org \
    --cc=peterz@infradead.org \
    --cc=tglx@linutronix.de \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.