1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Percpu refcounts:
4 * (C) 2012 Google, Inc.
5 * Author: Kent Overstreet <koverstreet@google.com>
6 *
7 * This implements a refcount with similar semantics to atomic_t - atomic_inc(),
8 * atomic_dec_and_test() - but percpu.
9 *
10 * There's one important difference between percpu refs and normal atomic_t
11 * refcounts; you have to keep track of your initial refcount, and then when you
12 * start shutting down you call percpu_ref_kill() _before_ dropping the initial
13 * refcount.
14 *
15 * The refcount will have a range of 0 to ((1U << 31) - 1), i.e. one bit less
16 * than an atomic_t - this is because of the way shutdown works, see
17 * percpu_ref_kill()/PERCPU_COUNT_BIAS.
18 *
19 * Before you call percpu_ref_kill(), percpu_ref_put() does not check for the
20 * refcount hitting 0 - it can't, if it was in percpu mode. percpu_ref_kill()
21 * puts the ref back in single atomic_t mode, collecting the per cpu refs and
22 * issuing the appropriate barriers, and then marks the ref as shutting down so
23 * that percpu_ref_put() will check for the ref hitting 0. After it returns,
24 * it's safe to drop the initial ref.
25 *
26 * USAGE:
27 *
28 * See fs/aio.c for some example usage; it's used there for struct kioctx, which
29 * is created when userspaces calls io_setup(), and destroyed when userspace
30 * calls io_destroy() or the process exits.
31 *
32 * In the aio code, kill_ioctx() is called when we wish to destroy a kioctx; it
33 * removes the kioctx from the proccess's table of kioctxs and kills percpu_ref.
34 * After that, there can't be any new users of the kioctx (from lookup_ioctx())
35 * and it's then safe to drop the initial ref with percpu_ref_put().
36 *
37 * Note that the free path, free_ioctx(), needs to go through explicit call_rcu()
38 * to synchronize with RCU protected lookup_ioctx(). percpu_ref operations don't
39 * imply RCU grace periods of any kind and if a user wants to combine percpu_ref
40 * with RCU protection, it must be done explicitly.
41 *
42 * Code that does a two stage shutdown like this often needs some kind of
43 * explicit synchronization to ensure the initial refcount can only be dropped
44 * once - percpu_ref_kill() does this for you, it returns true once and false if
45 * someone else already called it. The aio code uses it this way, but it's not
46 * necessary if the code has some other mechanism to synchronize teardown.
47 * around.
48 */
49
50#ifndef _LINUX_PERCPU_REFCOUNT_H
51#define _LINUX_PERCPU_REFCOUNT_H
52
53#include <linux/atomic.h>
54#include <linux/kernel.h>
55#include <linux/percpu.h>
56#include <linux/rcupdate.h>
57#include <linux/gfp.h>
58
59struct percpu_ref;
60typedef void (percpu_ref_func_t)(struct percpu_ref *);
61
62/* flags set in the lower bits of percpu_ref->percpu_count_ptr */
63enum {
64 __PERCPU_REF_ATOMIC = 1LU << 0, /* operating in atomic mode */
65 __PERCPU_REF_DEAD = 1LU << 1, /* (being) killed */
66 __PERCPU_REF_ATOMIC_DEAD = __PERCPU_REF_ATOMIC | __PERCPU_REF_DEAD,
67
68 __PERCPU_REF_FLAG_BITS = 2,
69};
70
71/* @flags for percpu_ref_init() */
72enum {
73 /*
74 * Start w/ ref == 1 in atomic mode. Can be switched to percpu
75 * operation using percpu_ref_switch_to_percpu(). If initialized
76 * with this flag, the ref will stay in atomic mode until
77 * percpu_ref_switch_to_percpu() is invoked on it.
78 */
79 PERCPU_REF_INIT_ATOMIC = 1 << 0,
80
81 /*
82 * Start dead w/ ref == 0 in atomic mode. Must be revived with
83 * percpu_ref_reinit() before used. Implies INIT_ATOMIC.
84 */
85 PERCPU_REF_INIT_DEAD = 1 << 1,
86};
87
88struct percpu_ref {
89 atomic_long_t count;
90 /*
91 * The low bit of the pointer indicates whether the ref is in percpu
92 * mode; if set, then get/put will manipulate the atomic_t.
93 */
94 unsigned long percpu_count_ptr;
95 percpu_ref_func_t *release;
96 percpu_ref_func_t *confirm_switch;
97 bool force_atomic:1;
98 struct rcu_head rcu;
99};
100
101int __must_check percpu_ref_init(struct percpu_ref *ref,
102 percpu_ref_func_t *release, unsigned int flags,
103 gfp_t gfp);
104void percpu_ref_exit(struct percpu_ref *ref);
105void percpu_ref_switch_to_atomic(struct percpu_ref *ref,
106 percpu_ref_func_t *confirm_switch);
107void percpu_ref_switch_to_atomic_sync(struct percpu_ref *ref);
108void percpu_ref_switch_to_percpu(struct percpu_ref *ref);
109void percpu_ref_kill_and_confirm(struct percpu_ref *ref,
110 percpu_ref_func_t *confirm_kill);
111void percpu_ref_resurrect(struct percpu_ref *ref);
112void percpu_ref_reinit(struct percpu_ref *ref);
113
114/**
115 * percpu_ref_kill - drop the initial ref
116 * @ref: percpu_ref to kill
117 *
118 * Must be used to drop the initial ref on a percpu refcount; must be called
119 * precisely once before shutdown.
120 *
121 * Switches @ref into atomic mode before gathering up the percpu counters
122 * and dropping the initial ref.
123 *
124 * There are no implied RCU grace periods between kill and release.
125 */
126static inline void percpu_ref_kill(struct percpu_ref *ref)
127{
128 percpu_ref_kill_and_confirm(ref, NULL);
129}
130
131/*
132 * Internal helper. Don't use outside percpu-refcount proper. The
133 * function doesn't return the pointer and let the caller test it for NULL
134 * because doing so forces the compiler to generate two conditional
135 * branches as it can't assume that @ref->percpu_count is not NULL.
136 */
137static inline bool __ref_is_percpu(struct percpu_ref *ref,
138 unsigned long __percpu **percpu_countp)
139{
140 unsigned long percpu_ptr;
141
142 /*
143 * The value of @ref->percpu_count_ptr is tested for
144 * !__PERCPU_REF_ATOMIC, which may be set asynchronously, and then
145 * used as a pointer. If the compiler generates a separate fetch
146 * when using it as a pointer, __PERCPU_REF_ATOMIC may be set in
147 * between contaminating the pointer value, meaning that
148 * READ_ONCE() is required when fetching it.
149 *
150 * The smp_read_barrier_depends() implied by READ_ONCE() pairs
151 * with smp_store_release() in __percpu_ref_switch_to_percpu().
152 */
153 percpu_ptr = READ_ONCE(ref->percpu_count_ptr);
154
155 /*
156 * Theoretically, the following could test just ATOMIC; however,
157 * then we'd have to mask off DEAD separately as DEAD may be
158 * visible without ATOMIC if we race with percpu_ref_kill(). DEAD
159 * implies ATOMIC anyway. Test them together.
160 */
161 if (unlikely(percpu_ptr & __PERCPU_REF_ATOMIC_DEAD))
162 return false;
163
164 *percpu_countp = (unsigned long __percpu *)percpu_ptr;
165 return true;
166}
167
168/**
169 * percpu_ref_get_many - increment a percpu refcount
170 * @ref: percpu_ref to get
171 * @nr: number of references to get
172 *
173 * Analogous to atomic_long_add().
174 *
175 * This function is safe to call as long as @ref is between init and exit.
176 */
177static inline void percpu_ref_get_many(struct percpu_ref *ref, unsigned long nr)
178{
179 unsigned long __percpu *percpu_count;
180
181 rcu_read_lock_sched();
182
183 if (__ref_is_percpu(ref, &percpu_count))
184 this_cpu_add(*percpu_count, nr);
185 else
186 atomic_long_add(nr, &ref->count);
187
188 rcu_read_unlock_sched();
189}
190
191/**
192 * percpu_ref_get - increment a percpu refcount
193 * @ref: percpu_ref to get
194 *
195 * Analagous to atomic_long_inc().
196 *
197 * This function is safe to call as long as @ref is between init and exit.
198 */
199static inline void percpu_ref_get(struct percpu_ref *ref)
200{
201 percpu_ref_get_many(ref, 1);
202}
203
204/**
205 * percpu_ref_tryget - try to increment a percpu refcount
206 * @ref: percpu_ref to try-get
207 *
208 * Increment a percpu refcount unless its count already reached zero.
209 * Returns %true on success; %false on failure.
210 *
211 * This function is safe to call as long as @ref is between init and exit.
212 */
213static inline bool percpu_ref_tryget(struct percpu_ref *ref)
214{
215 unsigned long __percpu *percpu_count;
216 bool ret;
217
218 rcu_read_lock_sched();
219
220 if (__ref_is_percpu(ref, &percpu_count)) {
221 this_cpu_inc(*percpu_count);
222 ret = true;
223 } else {
224 ret = atomic_long_inc_not_zero(&ref->count);
225 }
226
227 rcu_read_unlock_sched();
228
229 return ret;
230}
231
232/**
233 * percpu_ref_tryget_live - try to increment a live percpu refcount
234 * @ref: percpu_ref to try-get
235 *
236 * Increment a percpu refcount unless it has already been killed. Returns
237 * %true on success; %false on failure.
238 *
239 * Completion of percpu_ref_kill() in itself doesn't guarantee that this
240 * function will fail. For such guarantee, percpu_ref_kill_and_confirm()
241 * should be used. After the confirm_kill callback is invoked, it's
242 * guaranteed that no new reference will be given out by
243 * percpu_ref_tryget_live().
244 *
245 * This function is safe to call as long as @ref is between init and exit.
246 */
247static inline bool percpu_ref_tryget_live(struct percpu_ref *ref)
248{
249 unsigned long __percpu *percpu_count;
250 bool ret = false;
251
252 rcu_read_lock_sched();
253
254 if (__ref_is_percpu(ref, &percpu_count)) {
255 this_cpu_inc(*percpu_count);
256 ret = true;
257 } else if (!(ref->percpu_count_ptr & __PERCPU_REF_DEAD)) {
258 ret = atomic_long_inc_not_zero(&ref->count);
259 }
260
261 rcu_read_unlock_sched();
262
263 return ret;
264}
265
266/**
267 * percpu_ref_put_many - decrement a percpu refcount
268 * @ref: percpu_ref to put
269 * @nr: number of references to put
270 *
271 * Decrement the refcount, and if 0, call the release function (which was passed
272 * to percpu_ref_init())
273 *
274 * This function is safe to call as long as @ref is between init and exit.
275 */
276static inline void percpu_ref_put_many(struct percpu_ref *ref, unsigned long nr)
277{
278 unsigned long __percpu *percpu_count;
279
280 rcu_read_lock_sched();
281
282 if (__ref_is_percpu(ref, &percpu_count))
283 this_cpu_sub(*percpu_count, nr);
284 else if (unlikely(atomic_long_sub_and_test(nr, &ref->count)))
285 ref->release(ref);
286
287 rcu_read_unlock_sched();
288}
289
290/**
291 * percpu_ref_put - decrement a percpu refcount
292 * @ref: percpu_ref to put
293 *
294 * Decrement the refcount, and if 0, call the release function (which was passed
295 * to percpu_ref_init())
296 *
297 * This function is safe to call as long as @ref is between init and exit.
298 */
299static inline void percpu_ref_put(struct percpu_ref *ref)
300{
301 percpu_ref_put_many(ref, 1);
302}
303
304/**
305 * percpu_ref_is_dying - test whether a percpu refcount is dying or dead
306 * @ref: percpu_ref to test
307 *
308 * Returns %true if @ref is dying or dead.
309 *
310 * This function is safe to call as long as @ref is between init and exit
311 * and the caller is responsible for synchronizing against state changes.
312 */
313static inline bool percpu_ref_is_dying(struct percpu_ref *ref)
314{
315 return ref->percpu_count_ptr & __PERCPU_REF_DEAD;
316}
317
318/**
319 * percpu_ref_is_zero - test whether a percpu refcount reached zero
320 * @ref: percpu_ref to test
321 *
322 * Returns %true if @ref reached zero.
323 *
324 * This function is safe to call as long as @ref is between init and exit.
325 */
326static inline bool percpu_ref_is_zero(struct percpu_ref *ref)
327{
328 unsigned long __percpu *percpu_count;
329
330 if (__ref_is_percpu(ref, &percpu_count))
331 return false;
332 return !atomic_long_read(&ref->count);
333}
334
335#endif
336