Date: Wed, 8 Dec 2021 21:05:46 +0000
From: Matthew Wilcox
To: Pasha Tatashin
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-m68k@lists.linux-m68k.org, anshuman.khandual@arm.com, akpm@linux-foundation.org, william.kucharski@oracle.com, mike.kravetz@oracle.com, vbabka@suse.cz, geert@linux-m68k.org, schmitzmic@gmail.com, rostedt@goodmis.org, mingo@redhat.com, hannes@cmpxchg.org, guro@fb.com, songmuchun@bytedance.com, weixugc@google.com, gthelen@google.com, rientjes@google.com, pjt@google.com
Subject: Re: [PATCH 00/10] Hardening page _refcount
In-Reply-To: <20211208203544.2297121-1-pasha.tatashin@soleen.com>

On Wed, Dec 08, 2021 at 08:35:34PM +0000, Pasha Tatashin wrote:
> It is hard to root cause _refcount problems, because they usually
> manifest after the damage has occurred.  Yet, they can lead to
> catastrophic failures such as memory corruptions. There were a number
> of refcount related issues discovered recently [1], [2], [3].
>
> Improve debuggability by adding more checks that ensure that
> page->_refcount never turns negative (i.e. double free does not
> happen, or free after freeze etc).
>
> - Check for overflow and underflow right from the functions that
>   modify _refcount
> - Remove set_page_count(), so we do not unconditionally overwrite
>   _refcount with an unrestrained value
> - Trace return values in all functions that modify _refcount

You're doing a lot more atomic instructions with these patches.  Have you
done any performance measurements with these patches applied and debug
disabled?  I'm really not convinced it's worth closing
one-instruction-wide races of this kind when they are "shouldn't ever
happen" situations.

If the debugging will catch the problem in 99.99% of cases and miss 0.01%
without using atomic instructions, that seems like a better set of
tradeoffs than catching 100% of problems by using the atomic instructions.
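
A user-space C11 sketch of the tradeoff discussed in this message, added here as an illustration and not taken from the patch series or the kernel: one variant checks the value returned by the atomic update itself, the other does a separate relaxed load after the update and misses an underflow when another update lands in the gap. The struct, the function names and the `interleave` hook are hypothetical, and the sketch is narrowed to the underflow (double put) case.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct page; only the counter matters here. */
struct page_sketch { atomic_int refcount; };

/* Variant A: validate the value returned by the modifying atomic, so the
 * check sees exactly the transition this caller performed. */
static bool ref_dec_checked(struct page_sketch *p)
{
    return atomic_fetch_sub(&p->refcount, 1) > 0;   /* old <= 0: underflow */
}

/* Variant B: update, then inspect the counter with a separate relaxed load.
 * interleave (may be NULL) stands in for another CPU running in the gap. */
static bool ref_dec_then_check(struct page_sketch *p,
                               void (*interleave)(struct page_sketch *))
{
    atomic_fetch_sub(&p->refcount, 1);  /* return value ignored */
    if (interleave)
        interleave(p);
    return atomic_load_explicit(&p->refcount, memory_order_relaxed) >= 0;
}

/* Constructed interleaving: a second holder takes a reference in the gap. */
static void other_cpu_get(struct page_sketch *p) { atomic_fetch_add(&p->refcount, 1); }

/* True when an extra put on a page whose count is already 0 is detected. */
static bool detects_double_put(bool use_return_value, bool racing)
{
    struct page_sketch pg;
    atomic_init(&pg.refcount, 0);       /* constructed state: already freed */
    if (use_return_value)
        return !ref_dec_checked(&pg);
    return !ref_dec_then_check(&pg, racing ? other_cpu_get : NULL);
}

int main(void)
{
    printf("double put caught: A=%d B=%d B-raced=%d\n", detects_double_put(true, false),
           detects_double_put(false, false), detects_double_put(false, true));
    return 0;
}
```

Variant B still catches the bug whenever nothing runs between the update and the load; only the raced interleaving slips through, which is the narrow window the message weighs against the cost of the extra atomic work.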