1// SPDX-License-Identifier: GPL-2.0 2/* 3 * Variant of atomic_t specialized for reference counts. 4 * 5 * The interface matches the atomic_t interface (to aid in porting) but only 6 * provides the few functions one should use for reference counting. 7 * 8 * It differs in that the counter saturates at UINT_MAX and will not move once 9 * there. This avoids wrapping the counter and causing 'spurious' 10 * use-after-free issues. 11 * 12 * Memory ordering rules are slightly relaxed wrt regular atomic_t functions 13 * and provide only what is strictly required for refcounts. 14 * 15 * The increments are fully relaxed; these will not provide ordering. The 16 * rationale is that whatever is used to obtain the object we're increasing the 17 * reference count on will provide the ordering. For locked data structures, 18 * its the lock acquire, for RCU/lockless data structures its the dependent 19 * load. 20 * 21 * Do note that inc_not_zero() provides a control dependency which will order 22 * future stores against the inc, this ensures we'll never modify the object 23 * if we did not in fact acquire a reference. 24 * 25 * The decrements will provide release order, such that all the prior loads and 26 * stores will be issued before, it also provides a control dependency, which 27 * will order us against the subsequent free(). 28 * 29 * The control dependency is against the load of the cmpxchg (ll/sc) that 30 * succeeded. This means the stores aren't fully ordered, but this is fine 31 * because the 1->0 transition indicates no concurrency. 32 * 33 * Note that the allocator is responsible for ordering things between free() 34 * and alloc(). 35 * 36 * The decrements dec_and_test() and sub_and_test() also provide acquire 37 * ordering on success. 38 * 39 */ 40 41#include <linux/mutex.h> 42#include <linux/refcount.h> 43#include <linux/spinlock.h> 44#include <linux/bug.h> 45 46/** 47 * refcount_add_not_zero_checked - add a value to a refcount unless it is 0 48 * @i: the value to add to the refcount 49 * @r: the refcount 50 * 51 * Will saturate at UINT_MAX and WARN. 52 * 53 * Provides no memory ordering, it is assumed the caller has guaranteed the 54 * object memory to be stable (RCU, etc.). It does provide a control dependency 55 * and thereby orders future stores. See the comment on top. 56 * 57 * Use of this function is not recommended for the normal reference counting 58 * use case in which references are taken and released one at a time. In these 59 * cases, refcount_inc(), or one of its variants, should instead be used to 60 * increment a reference count. 61 * 62 * Return: false if the passed refcount is 0, true otherwise 63 */ 64bool refcount_add_not_zero_checked(unsigned int i, refcount_t *r) 65{ 66 unsigned int new, val = atomic_read(&r->refs); 67 68 do { 69 if (!val) 70 return false; 71 72 if (unlikely(val == UINT_MAX)) 73 return true; 74 75 new = val + i; 76 if (new < val) 77 new = UINT_MAX; 78 79 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); 80 81 WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); 82 83 return true; 84} 85EXPORT_SYMBOL(refcount_add_not_zero_checked); 86 87/** 88 * refcount_add_checked - add a value to a refcount 89 * @i: the value to add to the refcount 90 * @r: the refcount 91 * 92 * Similar to atomic_add(), but will saturate at UINT_MAX and WARN. 93 * 94 * Provides no memory ordering, it is assumed the caller has guaranteed the 95 * object memory to be stable (RCU, etc.). It does provide a control dependency 96 * and thereby orders future stores. See the comment on top. 97 * 98 * Use of this function is not recommended for the normal reference counting 99 * use case in which references are taken and released one at a time. In these 100 * cases, refcount_inc(), or one of its variants, should instead be used to 101 * increment a reference count. 102 */ 103void refcount_add_checked(unsigned int i, refcount_t *r) 104{ 105 WARN_ONCE(!refcount_add_not_zero_checked(i, r), "refcount_t: addition on 0; use-after-free.\n"); 106} 107EXPORT_SYMBOL(refcount_add_checked); 108 109/** 110 * refcount_inc_not_zero_checked - increment a refcount unless it is 0 111 * @r: the refcount to increment 112 * 113 * Similar to atomic_inc_not_zero(), but will saturate at UINT_MAX and WARN. 114 * 115 * Provides no memory ordering, it is assumed the caller has guaranteed the 116 * object memory to be stable (RCU, etc.). It does provide a control dependency 117 * and thereby orders future stores. See the comment on top. 118 * 119 * Return: true if the increment was successful, false otherwise 120 */ 121bool refcount_inc_not_zero_checked(refcount_t *r) 122{ 123 unsigned int new, val = atomic_read(&r->refs); 124 125 do { 126 new = val + 1; 127 128 if (!val) 129 return false; 130 131 if (unlikely(!new)) 132 return true; 133 134 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &val, new)); 135 136 WARN_ONCE(new == UINT_MAX, "refcount_t: saturated; leaking memory.\n"); 137 138 return true; 139} 140EXPORT_SYMBOL(refcount_inc_not_zero_checked); 141 142/** 143 * refcount_inc_checked - increment a refcount 144 * @r: the refcount to increment 145 * 146 * Similar to atomic_inc(), but will saturate at UINT_MAX and WARN. 147 * 148 * Provides no memory ordering, it is assumed the caller already has a 149 * reference on the object. 150 * 151 * Will WARN if the refcount is 0, as this represents a possible use-after-free 152 * condition. 153 */ 154void refcount_inc_checked(refcount_t *r) 155{ 156 WARN_ONCE(!refcount_inc_not_zero_checked(r), "refcount_t: increment on 0; use-after-free.\n"); 157} 158EXPORT_SYMBOL(refcount_inc_checked); 159 160/** 161 * refcount_sub_and_test_checked - subtract from a refcount and test if it is 0 162 * @i: amount to subtract from the refcount 163 * @r: the refcount 164 * 165 * Similar to atomic_dec_and_test(), but it will WARN, return false and 166 * ultimately leak on underflow and will fail to decrement when saturated 167 * at UINT_MAX. 168 * 169 * Provides release memory ordering, such that prior loads and stores are done 170 * before, and provides an acquire ordering on success such that free() 171 * must come after. 172 * 173 * Use of this function is not recommended for the normal reference counting 174 * use case in which references are taken and released one at a time. In these 175 * cases, refcount_dec(), or one of its variants, should instead be used to 176 * decrement a reference count. 177 * 178 * Return: true if the resulting refcount is 0, false otherwise 179 */ 180bool refcount_sub_and_test_checked(unsigned int i, refcount_t *r) 181{ 182 unsigned int new, val = atomic_read(&r->refs); 183 184 do { 185 if (unlikely(val == UINT_MAX)) 186 return false; 187 188 new = val - i; 189 if (new > val) { 190 WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); 191 return false; 192 } 193 194 } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); 195 196 if (!new) { 197 smp_acquire__after_ctrl_dep(); 198 return true; 199 } 200 return false; 201 202} 203EXPORT_SYMBOL(refcount_sub_and_test_checked); 204 205/** 206 * refcount_dec_and_test_checked - decrement a refcount and test if it is 0 207 * @r: the refcount 208 * 209 * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to 210 * decrement when saturated at UINT_MAX. 211 * 212 * Provides release memory ordering, such that prior loads and stores are done 213 * before, and provides an acquire ordering on success such that free() 214 * must come after. 215 * 216 * Return: true if the resulting refcount is 0, false otherwise 217 */ 218bool refcount_dec_and_test_checked(refcount_t *r) 219{ 220 return refcount_sub_and_test_checked(1, r); 221} 222EXPORT_SYMBOL(refcount_dec_and_test_checked); 223 224/** 225 * refcount_dec_checked - decrement a refcount 226 * @r: the refcount 227 * 228 * Similar to atomic_dec(), it will WARN on underflow and fail to decrement 229 * when saturated at UINT_MAX. 230 * 231 * Provides release memory ordering, such that prior loads and stores are done 232 * before. 233 */ 234void refcount_dec_checked(refcount_t *r) 235{ 236 WARN_ONCE(refcount_dec_and_test_checked(r), "refcount_t: decrement hit 0; leaking memory.\n"); 237} 238EXPORT_SYMBOL(refcount_dec_checked); 239 240/** 241 * refcount_dec_if_one - decrement a refcount if it is 1 242 * @r: the refcount 243 * 244 * No atomic_t counterpart, it attempts a 1 -> 0 transition and returns the 245 * success thereof. 246 * 247 * Like all decrement operations, it provides release memory order and provides 248 * a control dependency. 249 * 250 * It can be used like a try-delete operator; this explicit case is provided 251 * and not cmpxchg in generic, because that would allow implementing unsafe 252 * operations. 253 * 254 * Return: true if the resulting refcount is 0, false otherwise 255 */ 256bool refcount_dec_if_one(refcount_t *r) 257{ 258 int val = 1; 259 260 return atomic_try_cmpxchg_release(&r->refs, &val, 0); 261} 262EXPORT_SYMBOL(refcount_dec_if_one); 263 264/** 265 * refcount_dec_not_one - decrement a refcount if it is not 1 266 * @r: the refcount 267 * 268 * No atomic_t counterpart, it decrements unless the value is 1, in which case 269 * it will return false. 270 * 271 * Was often done like: atomic_add_unless(&var, -1, 1) 272 * 273 * Return: true if the decrement operation was successful, false otherwise 274 */ 275bool refcount_dec_not_one(refcount_t *r) 276{ 277 unsigned int new, val = atomic_read(&r->refs); 278 279 do { 280 if (unlikely(val == UINT_MAX)) 281 return true; 282 283 if (val == 1) 284 return false; 285 286 new = val - 1; 287 if (new > val) { 288 WARN_ONCE(new > val, "refcount_t: underflow; use-after-free.\n"); 289 return true; 290 } 291 292 } while (!atomic_try_cmpxchg_release(&r->refs, &val, new)); 293 294 return true; 295} 296EXPORT_SYMBOL(refcount_dec_not_one); 297 298/** 299 * refcount_dec_and_mutex_lock - return holding mutex if able to decrement 300 * refcount to 0 301 * @r: the refcount 302 * @lock: the mutex to be locked 303 * 304 * Similar to atomic_dec_and_mutex_lock(), it will WARN on underflow and fail 305 * to decrement when saturated at UINT_MAX. 306 * 307 * Provides release memory ordering, such that prior loads and stores are done 308 * before, and provides a control dependency such that free() must come after. 309 * See the comment on top. 310 * 311 * Return: true and hold mutex if able to decrement refcount to 0, false 312 * otherwise 313 */ 314bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock) 315{ 316 if (refcount_dec_not_one(r)) 317 return false; 318 319 mutex_lock(lock); 320 if (!refcount_dec_and_test(r)) { 321 mutex_unlock(lock); 322 return false; 323 } 324 325 return true; 326} 327EXPORT_SYMBOL(refcount_dec_and_mutex_lock); 328 329/** 330 * refcount_dec_and_lock - return holding spinlock if able to decrement 331 * refcount to 0 332 * @r: the refcount 333 * @lock: the spinlock to be locked 334 * 335 * Similar to atomic_dec_and_lock(), it will WARN on underflow and fail to 336 * decrement when saturated at UINT_MAX. 337 * 338 * Provides release memory ordering, such that prior loads and stores are done 339 * before, and provides a control dependency such that free() must come after. 340 * See the comment on top. 341 * 342 * Return: true and hold spinlock if able to decrement refcount to 0, false 343 * otherwise 344 */ 345bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock) 346{ 347 if (refcount_dec_not_one(r)) 348 return false; 349 350 spin_lock(lock); 351 if (!refcount_dec_and_test(r)) { 352 spin_unlock(lock); 353 return false; 354 } 355 356 return true; 357} 358EXPORT_SYMBOL(refcount_dec_and_lock); 359 360/** 361 * refcount_dec_and_lock_irqsave - return holding spinlock with disabled 362 * interrupts if able to decrement refcount to 0 363 * @r: the refcount 364 * @lock: the spinlock to be locked 365 * @flags: saved IRQ-flags if the is acquired 366 * 367 * Same as refcount_dec_and_lock() above except that the spinlock is acquired 368 * with disabled interupts. 369 * 370 * Return: true and hold spinlock if able to decrement refcount to 0, false 371 * otherwise 372 */ 373bool refcount_dec_and_lock_irqsave(refcount_t *r, spinlock_t *lock, 374 unsigned long *flags) 375{ 376 if (refcount_dec_not_one(r)) 377 return false; 378 379 spin_lock_irqsave(lock, *flags); 380 if (!refcount_dec_and_test(r)) { 381 spin_unlock_irqrestore(lock, *flags); 382 return false; 383 } 384 385 return true; 386} 387EXPORT_SYMBOL(refcount_dec_and_lock_irqsave); 388