Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1166701AbdDXIdj (ORCPT ); Mon, 24 Apr 2017 04:33:39 -0400 Received: from bombadil.infradead.org ([65.50.211.133]:38272 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1166772AbdDXIdV (ORCPT ); Mon, 24 Apr 2017 04:33:21 -0400 Date: Mon, 24 Apr 2017 10:32:50 +0200 From: Peter Zijlstra To: Kees Cook Cc: linux-kernel@vger.kernel.org, Eric Biggers , Christoph Hellwig , "axboe@kernel.dk" , James Bottomley , Elena Reshetova , Hans Liljestrand , David Windsor , x86@kernel.org, Ingo Molnar , Arnd Bergmann , Greg Kroah-Hartman , Jann Horn , davem@davemloft.net, linux-arch@vger.kernel.org, kernel-hardening@lists.openwall.com, PaX Team Subject: Re: [PATCH] x86/refcount: Implement fast refcount_t handling Message-ID: <20170424083250.h2wv2exbi4ytigac@hirez.programming.kicks-ass.net> References: <20170421220939.GA65363@beast> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170421220939.GA65363@beast> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 748 Lines: 16 On Fri, Apr 21, 2017 at 03:09:39PM -0700, Kees Cook wrote: > This patch ports the x86-specific atomic overflow handling from PaX's > PAX_REFCOUNT to the upstream refcount_t API. This is an updated version > from PaX that eliminates the saturation race condition by resetting the > atomic counter back to the INT_MAX saturation value on both overflow and > underflow. To win a race, a system would have to have INT_MAX threads > simultaneously overflow before the saturation handler runs. And is this impossible? Highly unlikely I'll grant you, but absolutely impossible? Also, you forgot nr_cpus in your bound. Afaict the worst case here is O(nr_tasks + 3*nr_cpus). Because PaX does it, is not a correctness argument. And this really wants one.