Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1174308AbdDXUQq (ORCPT ); Mon, 24 Apr 2017 16:16:46 -0400 Received: from mail-io0-f179.google.com ([209.85.223.179]:35448 "EHLO mail-io0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1174277AbdDXUQ0 (ORCPT ); Mon, 24 Apr 2017 16:16:26 -0400 MIME-Version: 1.0 In-Reply-To: <20170424083250.h2wv2exbi4ytigac@hirez.programming.kicks-ass.net> References: <20170421220939.GA65363@beast> <20170424083250.h2wv2exbi4ytigac@hirez.programming.kicks-ass.net> From: Kees Cook Date: Mon, 24 Apr 2017 13:16:24 -0700 X-Google-Sender-Auth: ZBy5qbn1VJ5C8UAPeEj_dWSXm7Q Message-ID: Subject: Re: [PATCH] x86/refcount: Implement fast refcount_t handling To: Peter Zijlstra Cc: LKML , Eric Biggers , Christoph Hellwig , "axboe@kernel.dk" , James Bottomley , Elena Reshetova , Hans Liljestrand , David Windsor , "x86@kernel.org" , Ingo Molnar , Arnd Bergmann , Greg Kroah-Hartman , Jann Horn , "David S. Miller" , linux-arch , "kernel-hardening@lists.openwall.com" , PaX Team Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1161 Lines: 30 On Mon, Apr 24, 2017 at 1:32 AM, Peter Zijlstra wrote: > On Fri, Apr 21, 2017 at 03:09:39PM -0700, Kees Cook wrote: >> This patch ports the x86-specific atomic overflow handling from PaX's >> PAX_REFCOUNT to the upstream refcount_t API. This is an updated version >> from PaX that eliminates the saturation race condition by resetting the >> atomic counter back to the INT_MAX saturation value on both overflow and >> underflow. To win a race, a system would have to have INT_MAX threads >> simultaneously overflow before the saturation handler runs. > > And is this impossible? Highly unlikely I'll grant you, but absolutely > impossible? I'll adjust the language. "Highly unlikely" is still better than "trivially doable with a single thread". :) > Also, you forgot nr_cpus in your bound. Afaict the worst case here is > O(nr_tasks + 3*nr_cpus). > > Because PaX does it, is not a correctness argument. And this really > wants one. Sure, I didn't mean to imply anything other than a demonstration of what PaX is doing (and that it's better than not having it). If we can improve it, that's great. -Kees -- Kees Cook Pixel Security