1/* 2 * Variant of atomic_t specialized for reference counts. 3 * 4 * The interface matches the atomic_t interface (to aid in porting) but only 5 * provides the few functions one should use for reference counting. 6 * 7 * It differs in that the counter saturates at UINT_MAX and will not move once 8 * there. This avoids wrapping the counter and causing 'spurious' 9 * use-after-free issues. 10 * 11 * Memory ordering rules are slightly relaxed wrt regular atomic_t functions 12 * and provide only what is strictly required for refcounts. 13 * 14 * The increments are fully relaxed; these will not provide ordering. The 15 * rationale is that whatever is used to obtain the object we're increasing the 16 * reference count on will provide the ordering. For locked data structures, 17 * its the lock acquire, for RCU/lockless data structures its the dependent 18 * load. 19 * 20 * Do note that inc_not_zero() provides a control dependency which will order 21 * future stores against the inc, this ensures we'll never modify the object 22 * if we did not in fact acquire a reference. 23 * 24 * The decrements will provide release order, such that all the prior loads and 25 * stores will be issued before, it also provides a control dependency, which 26 * will order us against the subsequent free(). 27 * 28 * The control dependency is against the load of the cmpxchg (ll/sc) that 29 * succeeded. This means the stores aren't fully ordered, but this is fine 30 * because the 1->0 transition indicates no concurrency. 31 * 32 * Note that the allocator is responsible for ordering things between free() 33 * and alloc(). 34 * 35 */ 36 37#include <linux/refcount.h> 38#include <linux/bug.h> 39 40/** 41 * refcount_add_not_zero - add a value to a refcount unless it is 0 42 * @i: the value to add to the refcount 43 * @r: the refcount 44 * 45 * Will saturate at UINT_MAX and WARN. 46 * 47 * Provides no memory ordering, it is assumed the caller has guaranteed the 48 * object memory to be stable (RCU, etc.). It does provide a control dependency 49 * and thereby orders future stores. See the comment on top. 50 * 51 * Use of this function is not recommended for the normal reference counting 52 * use case in which references are taken and released one at a time. In these 53 * cases, refcount_inc(), or one of its variants, should instead be used to 54 * increment a reference count. 55 * 56 * Return: false if the passed refcount is 0, true otherwise 57 */ 58bool refcount_add_not_zero(unsigned int i, refcount_t *r) 59{ 60 unsigned int new, val = atomic_read(&r->refs); 61 62 do { 63 if (!val) 64 return false; 65 66 if (unlikely(val == UINT_MAX)) 67 return true; 68 69 new = val + i; 70 if (new < val) 71 new = UINT_MAX; 72 73 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); 74 75 WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); 76 77 return true; 78} 79EXPORT_SYMBOL(refcount_add_not_zero); 80 81/** 82 * refcount_add - add a value to a refcount 83 * @i: the value to add to the refcount 84 * @r: the refcount 85 * 86 * Similar to atomic_add(), but will saturate at UINT_MAX and WARN. 87 * 88 * Provides no memory ordering, it is assumed the caller has guaranteed the 89 * object memory to be stable (RCU, etc.). It does provide a control dependency 90 * and thereby orders future stores. See the comment on top. 91 * 92 * Use of this function is not recommended for the normal reference counting 93 * use case in which references are taken and released one at a time. In these 94 * cases, refcount_inc(), or one of its variants, should instead be used to 95 * increment a reference count. 96 */ 97void refcount_add(unsigned int i, refcount_t *r) 98{ 99 WARN_ONCE(!refcount_add_not_zero(i, r), "refcount_t: addition on 0; use-after-free.\n"); 100} 101EXPORT_SYMBOL(refcount_add); 102 103/** 104 * refcount_inc_not_zero - increment a refcount unless it is 0 105 * @r: the refcount to increment 106 * 107 * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WARN. 108 * 109 * Provides no memory ordering, it is assumed the caller has guaranteed the 110 * object memory to be stable (RCU, etc.). It does provide a control dependency 111 * and thereby orders future stores. See the comment on top. 112 * 113 * Return: true if the increment was successful, false otherwise 114 */ 115bool refcount_inc_not_zero(refcount_t *r) 116{ 117 unsigned int new, val = atomic_read(&r->refs); 118 119 do { 120 new = val + 1; 121 122 if (!val) 123 return false; 124 125 if (unlikely(!new)) 126 return true; 127 128 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); 129 130 WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); 131 132 return true; 133} 134EXPORT_SYMBOL(refcount_inc_not_zero); 135 136/** 137 * refcount_inc - increment a refcount 138 * @r: the refcount to increment 139 * 140 * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN. 141 * 142 * Provides no memory ordering, it is assumed the caller already has a 143 * reference on the object. 144 * 145 * Will WARN if the refcount is 0, as this represents a possible use-after-free 146 * condition. 147 */ 148void refcount_inc(refcount_t *r) 149{ 150 WARN_ONCE(!refcount_inc_not_zero(r), "refcount_t: increment on 0; use-after-free.\n"); 151} 152EXPORT_SYMBOL(refcount_inc); 153 154/** 155 * refcount_sub_and_test - subtract from a refcount and test if it is 0 156 * @i: amount to subtract from the refcount 157 * @r: the refcount 158 * 159 * Similar to atomic_dec_and_test(), but it will WARN, return false and 160 * ultimately leak on underflow and will fail to decrement when saturated 161 * at UINT_MAX. 162 * 163 * Provides release memory ordering, such that prior loads and stores are done 164 * before, and provides a control dependency such that free() must come after. 165 * See the comment on top. 166 * 167 * Use of this function is not recommended for the normal reference counting 168 * use case in which references are taken and released one at a time. In these 169 * cases, refcount_dec(), or one of its variants, should instead be used to 170 * decrement a reference count. 171 * 172 * Return: true if the resulting refcount is 0, false otherwise 173 */ 174bool refcount_sub_and_test(unsigned int i, refcount_t *r) 175{ 176 unsigned int new, val = atomic_read(&r->refs); 177 178 do { 179 if (unlikely(val == UINT_MAX)) 180 return false; 181 182 new = val - i; 183 if (new > val) { 184 WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); 185 return false; 186 } 187 188 } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); 189 190 return !new; 191} 192EXPORT_SYMBOL(refcount_sub_and_test); 193 194/** 195 * refcount_dec_and_test - decrement a refcount and test if it is 0 196 * @r: the refcount 197 * 198 * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to 199 * decrement when saturated at UINT_MAX. 200 * 201 * Provides release memory ordering, such that prior loads and stores are done 202 * before, and provides a control dependency such that free() must come after. 203 * See the comment on top. 204 * 205 * Return: true if the resulting refcount is 0, false otherwise 206 */ 207bool refcount_dec_and_test(refcount_t *r) 208{ 209 return refcount_sub_and_test(1, r); 210} 211EXPORT_SYMBOL(refcount_dec_and_test); 212 213/** 214 * refcount_dec - decrement a refcount 215 * @r: the refcount 216 * 217 * Similar to atomic_dec(), it will WARN on underflow and fail to decrement 218 * when saturated at UINT_MAX. 219 * 220 * Provides release memory ordering, such that prior loads and stores are done 221 * before. 222 */ 223void refcount_dec(refcount_t *r) 224{ 225 WARN_ONCE(refcount_dec_and_test(r), "refcount_t: decrement hit 0; leaking memory.\n"); 226} 227EXPORT_SYMBOL(refcount_dec); 228 229/** 230 * refcount_dec_if_one - decrement a refcount if it is 1 231 * @r: the refcount 232 * 233 * No atomic_t counterpart, it attempts a 1 -> 0 transition and returns the 234 * success thereof. 235 * 236 * Like all decrement operations, it provides release memory order and provides 237 * a control dependency. 238 * 239 * It can be used like a try-delete operator; this explicit case is provided 240 * and not cmpxchg in generic, because that would allow implementing unsafe 241 * operations. 242 * 243 * Return: true if the resulting refcount is 0, false otherwise 244 */ 245bool refcount_dec_if_one(refcount_t *r) 246{ 247 int val = 1; 248 249 return atomic_try_cmpxchg_release(&r->refs, &val, 0); 250} 251EXPORT_SYMBOL(refcount_dec_if_one); 252 253/** 254 * refcount_dec_not_one - decrement a refcount if it is not 1 255 * @r: the refcount 256 * 257 * No atomic_t counterpart, it decrements unless the value is 1, in which case 258 * it will return false. 259 * 260 * Was often done like: atomic_add_unless(&var, -1, 1) 261 * 262 * Return: true if the decrement operation was successful, false otherwise 263 */ 264bool refcount_dec_not_one(refcount_t *r) 265{ 266 unsigned int new, val = atomic_read(&r->refs); 267 268 do { 269 if (unlikely(val == UINT_MAX)) 270 return true; 271 272 if (val == 1) 273 return false; 274 275 new = val - 1; 276 if (new > val) { 277 WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); 278 return true; 279 } 280 281 } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); 282 283 return true; 284} 285EXPORT_SYMBOL(refcount_dec_not_one); 286 287/** 288 * refcount_dec_and_mutex_lock - return holding mutex if able to decrement 289 * refcount to 0 290 * @r: the refcount 291 * @lock: the mutex to be locked 292 * 293 * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and fail 294 * to decrement when saturated at UINT_MAX. 295 * 296 * Provides release memory ordering, such that prior loads and stores are done 297 * before, and provides a control dependency such that free() must come after. 298 * See the comment on top. 299 * 300 * Return: true and hold mutex if able to decrement refcount to 0, false 301 * otherwise 302 */ 303bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock) 304{ 305 if (refcount_dec_not_one(r)) 306 return false; 307 308 mutex_lock(lock); 309 if (!refcount_dec_and_test(r)) { 310 mutex_unlock(lock); 311 return false; 312 } 313 314 return true; 315} 316EXPORT_SYMBOL(refcount_dec_and_mutex_lock); 317 318/** 319 * refcount_dec_and_lock - return holding spinlock if able to decrement 320 * refcount to 0 321 * @r: the refcount 322 * @lock: the spinlock to be locked 323 * 324 * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to 325 * decrement when saturated at UINT_MAX. 326 * 327 * Provides release memory ordering, such that prior loads and stores are done 328 * before, and provides a control dependency such that free() must come after. 329 * See the comment on top. 330 * 331 * Return: true and hold spinlock if able to decrement refcount to 0, false 332 * otherwise 333 */ 334bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock) 335{ 336 if (refcount_dec_not_one(r)) 337 return false; 338 339 spin_lock(lock); 340 if (!refcount_dec_and_test(r)) { 341 spin_unlock(lock); 342 return false; 343 } 344 345 return true; 346} 347EXPORT_SYMBOL(refcount_dec_and_lock); 348 349