Fix assertions in crypto reference helpers

The assertions are racy and the use of `membar_exit()` did nothing to
fix that.

The helpers use atomic functions, so we cleverly get values from the
atomics that we can use to ensure that the assertions operate on the
correct values.

We also use `membar_producer()` prior to decrementing reference counts
so that operations that happened prior to a decrement to 0 will be
guaranteed to happen before the decrement on architectures that reorder
atomics.

This also slightly improves performance by eliminating unnecessary
reads, although I doubt it would be measurable in any benchmark.

Reviewed-by: Mateusz Guzik <mjguzik@gmail.com>
Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
Closes #13880
This commit is contained in:
Richard Yao 2022-09-15 16:24:00 -04:00 committed by GitHub
parent dc2fe24ca2
commit e949d36040
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 24 deletions

View File

@ -126,28 +126,26 @@ typedef struct kcf_provider_desc {
crypto_provider_id_t pd_prov_id; crypto_provider_id_t pd_prov_id;
} kcf_provider_desc_t; } kcf_provider_desc_t;
/* atomic operations in linux implicitly form a memory barrier */
#define membar_exit()
/* /*
* If a component has a reference to a kcf_provider_desc_t, * If a component has a reference to a kcf_provider_desc_t,
* it REFHOLD()s. A new provider descriptor which is referenced only * it REFHOLD()s. A new provider descriptor which is referenced only
* by the providers table has a reference counter of one. * by the providers table has a reference counter of one.
*/ */
#define KCF_PROV_REFHOLD(desc) { \ #define KCF_PROV_REFHOLD(desc) { \
atomic_add_32(&(desc)->pd_refcnt, 1); \ int newval = atomic_add_32_nv(&(desc)->pd_refcnt, 1); \
ASSERT((desc)->pd_refcnt != 0); \ ASSERT(newval != 0); \
} }
#define KCF_PROV_IREFHOLD(desc) { \ #define KCF_PROV_IREFHOLD(desc) { \
atomic_add_32(&(desc)->pd_irefcnt, 1); \ int newval = atomic_add_32_nv(&(desc)->pd_irefcnt, 1); \
ASSERT((desc)->pd_irefcnt != 0); \ ASSERT(newval != 0); \
} }
#define KCF_PROV_IREFRELE(desc) { \ #define KCF_PROV_IREFRELE(desc) { \
ASSERT((desc)->pd_irefcnt != 0); \ membar_producer(); \
membar_exit(); \ int newval = atomic_add_32_nv(&(desc)->pd_irefcnt, -1); \
if (atomic_add_32_nv(&(desc)->pd_irefcnt, -1) == 0) { \ ASSERT(newval != -1); \
if (newval == 0) { \
cv_broadcast(&(desc)->pd_remove_cv); \ cv_broadcast(&(desc)->pd_remove_cv); \
} \ } \
} }
@ -155,9 +153,10 @@ typedef struct kcf_provider_desc {
#define KCF_PROV_REFHELD(desc) ((desc)->pd_refcnt >= 1) #define KCF_PROV_REFHELD(desc) ((desc)->pd_refcnt >= 1)
#define KCF_PROV_REFRELE(desc) { \ #define KCF_PROV_REFRELE(desc) { \
ASSERT((desc)->pd_refcnt != 0); \ membar_producer(); \
membar_exit(); \ int newval = atomic_add_32_nv(&(desc)->pd_refcnt, -1); \
if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) { \ ASSERT(newval != -1); \
if (newval == 0) { \
kcf_provider_zero_refcnt((desc)); \ kcf_provider_zero_refcnt((desc)); \
} \ } \
} }
@ -194,8 +193,8 @@ typedef struct kcf_mech_entry {
* by the policy table has a reference count of one. * by the policy table has a reference count of one.
*/ */
#define KCF_POLICY_REFHOLD(desc) { \ #define KCF_POLICY_REFHOLD(desc) { \
atomic_add_32(&(desc)->pd_refcnt, 1); \ int newval = atomic_add_32_nv(&(desc)->pd_refcnt, 1); \
ASSERT((desc)->pd_refcnt != 0); \ ASSERT(newval != 0); \
} }
/* /*
@ -203,9 +202,10 @@ typedef struct kcf_mech_entry {
* reference is released, the descriptor is freed. * reference is released, the descriptor is freed.
*/ */
#define KCF_POLICY_REFRELE(desc) { \ #define KCF_POLICY_REFRELE(desc) { \
ASSERT((desc)->pd_refcnt != 0); \ membar_producer(); \
membar_exit(); \ int newval = atomic_add_32_nv(&(desc)->pd_refcnt, -1); \
if (atomic_add_32_nv(&(desc)->pd_refcnt, -1) == 0) \ ASSERT(newval != -1); \
if (newval == 0) \
kcf_policy_free_desc(desc); \ kcf_policy_free_desc(desc); \
} }

View File

@ -73,9 +73,10 @@ typedef struct kcf_context {
* context structure is freed along with the global context. * context structure is freed along with the global context.
*/ */
#define KCF_CONTEXT_REFRELE(ictx) { \ #define KCF_CONTEXT_REFRELE(ictx) { \
ASSERT((ictx)->kc_refcnt != 0); \ membar_producer(); \
membar_exit(); \ int newval = atomic_add_32_nv(&(ictx)->kc_refcnt, -1); \
if (atomic_add_32_nv(&(ictx)->kc_refcnt, -1) == 0) \ ASSERT(newval != -1); \
if (newval == 0) \
kcf_free_context(ictx); \ kcf_free_context(ictx); \
} }