Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp584213ybi;
        Sat, 15 Jun 2019 07:19:22 -0700 (PDT)
X-Google-Smtp-Source: APXvYqznSiKHdriYSiHyntZk2x5joWBQsRs4y5gcFETwzN+mGOY3QLh2DMvNbQ+f20e88iUmMvzm
X-Received: by 2002:a63:2159:: with SMTP id s25mr38844833pgm.234.1560608361949;
        Sat, 15 Jun 2019 07:19:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560608361; cv=none;
        d=google.com; s=arc-20160816;
        b=Gr3KkKZvFLhZTJoikOMeZ/WgcxzuDJSGFCIwlzv9vPup+KzhdVp9EX35TDvd/waWZN
         E7qO6Lq4JZO2+3qTP9AF3d/rpCCQqk6IrlFOur9rjyHCkv4QVcUIpmTSe8UAnHJAq4vw
         zSYJuMArpgxZXta7Iund1BQzfvZUCdJGRFnHYov/bnTQ7sQaKIp3iUS73p7PSwcDF0hN
         nNk6OegH7MlDh+zzbkOBQ5+eqvLyPTAdaIPVb5Pnza5qEIYBEwp351HHS2unQJa7ptXZ
         A3ur8oSg7MbqItIgJSV2WxrXjy1Eev/nKQ81rqgiKYi9ZVIRIk9q9OYaV3faWGU2Lm2k
         39CQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=;
        b=Brwl+HrkBZAAAhajkybZXalM4NUtKx4814uO/AOuFiA/lkUyu31vLqE9EnwwjfmbP4
         M94QGtQosAUWjH1gWMkf6kt/yN0O5BcgU488b2KwMOkWfBCif6tbM4ocj0lrty3i3xqF
         5Uj31MVLtJEXTWseIlsP+yoPrDsXYY5vG8l9ciI1KD3vOGaXvhYH4EhLOsicxaEeqzQi
         vRQFKLzaJwBCmRYoygxQdy0UlCnoM2tuvYCf9gh2QpDUHJ657sZg1UzSH+W+AYSXYxoQ
         RDkq4ESBQ1DKLXQeGkTgs1s8kGhG6UP7w0Su0k1iBXAhvr/F3H7qfG5rF0EYb1rKXGiY
         9DAw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=Z9Rk60Le;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d37si5082444plb.351.2019.06.15.07.18.56;
        Sat, 15 Jun 2019 07:19:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=Z9Rk60Le;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726863AbfFOOSg (ORCPT <rfc822;zoe.song.ucas@gmail.com>
        + 99 others); Sat, 15 Jun 2019 10:18:36 -0400
Received: from mail-io1-f67.google.com ([209.85.166.67]:36076 "EHLO
        mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726400AbfFOOSg (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 15 Jun 2019 10:18:36 -0400
Received: by mail-io1-f67.google.com with SMTP id h6so12106051ioh.3
        for <linux-kernel@vger.kernel.org>; Sat, 15 Jun 2019 07:18:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=;
        b=Z9Rk60LeD/0ptcPj16hkpfST5k3ZThFqW3OXHdbZlJbMajc0/BhzHF+sQMfmAFeZPf
         g9RM8ZRaUqycBUQNF99rNjCoZSwH+6o3iRvi0RGwdkOg7rMWz5WCxfsdWyMgmM/EpS06
         dAubW+ndaqdG95ne2fbXiysxPXe/a0cF4y9aexF3g+ERtHCy1rR/TApR3VIitpi2rmzF
         Lri4OA9uev4HytKxrr7YzelhP4haIrdQbQrG8iL17AMzhQxcUskPNUFl6YyIDiq9ePwC
         gsZyxStXOcx0YWnIjrsmzA+A36r0ILOMH2lzG/aLqTTxAOHiBZoGgqDc0vgB47TpSJYu
         XzFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=;
        b=QmjkiECWxR7locOMLG9mUX0eGxijt5rF7y2X1El9zYxYneScyiY9JXlDhh1UxTGYuN
         c0DJRNX2BU3XP1VeLU+yZNqXlPYTnDuPodtvz4w0xEwcFhQLzus0bW41zXP6M3GyQN1q
         2lOz4P0J5YaLHuPS3tiFaImmofu0d++hpxhrkkOuhnIdeasn9lVTfbqA2QwYYhDut0yu
         QmALljE6waict3oBLvKAgtnqMTTjYv0pOFg+MqYLLHYn7tzNQJ+cttpXvvo70I4vvXMx
         0nCsybLUnPGmmVxlPG3MNS0usiY51fWUXC9Ct7Lgz3hyl+tjiocEIocmypSolWUlJS2s
         /1uw==
X-Gm-Message-State: APjAAAVvx8PUwcjmy29LoDeYKyh4SZoj75sNluTsBy810wx0kmJ9Te8f
        +AdJqClfazFUNSNWjVFSzY38ahQAEBZ17Srq3+KmHA==
X-Received: by 2002:a5d:9456:: with SMTP id x22mr1769308ior.71.1560608315058;
 Sat, 15 Jun 2019 07:18:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAKv+Gu9U9z3iAuz4V1c5zTHuz1As8FSNGY-TJon4OLErB8ts8Q@mail.gmail.com>
 <20190522160417.GF7876@fuggles.cambridge.arm.com> <20190612040933.GA18848@dc5-eodlnx05.marvell.com>
 <20190612093151.GA11554@brain-police> <20190614070914.GA21961@dc5-eodlnx05.marvell.com>
 <20190614095846.GC10506@fuggles.cambridge.arm.com> <CAKv+Gu_Kdq=UPijjA84FpmO=ZsdEO9EyyF7GeOQ+WmfqtO_hMg@mail.gmail.com>
 <20190614103850.GG10659@fuggles.cambridge.arm.com> <201906142026.1BC27EDB1E@keescook>
 <CAKv+Gu_XuhgUCYOeykrbaxJz-wL1HFrc_O+HeZHqaGkMHd2J9Q@mail.gmail.com> <201906150654.FF4400F7C8@keescook>
In-Reply-To: <201906150654.FF4400F7C8@keescook>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Sat, 15 Jun 2019 16:18:21 +0200
Message-ID: <CAKv+Gu9-rZ16Nb9t3=knzW0BHu0eNxQoPwWS4c8UMMm=2iqiuw@mail.gmail.com>
Subject: Re: [RFC] Disable lockref on arm64
To:     Kees Cook <keescook@chromium.org>
Cc:     Will Deacon <will.deacon@arm.com>,
        Jayachandran Chandrasekharan Nair <jnair@marvell.com>,
        "catalin.marinas@arm.com" <catalin.marinas@arm.com>,
        Jan Glauber <jglauber@marvell.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "linux-arm-kernel@lists.infradead.org" 
        <linux-arm-kernel@lists.infradead.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, 15 Jun 2019 at 15:59, Kees Cook <keescook@chromium.org> wrote:
>
> On Sat, Jun 15, 2019 at 10:47:19AM +0200, Ard Biesheuvel wrote:
> > remaining question Will had was whether it makes sense to do the
> > condition checks before doing the actual store, to avoid having a time
> > window where the refcount assumes its illegal value. Since arm64 does
> > not have memory operands, the instruction count wouldn't change, but
> > it will definitely result in a performance hit on out-of-order CPUs.
>
> What do the races end up looking like? Is it possible to have two
> threads ordered in a way that a second thread could _un_saturate a
> counter?
>
> CPU 1                   CPU 2
> inc()
>   load INT_MAX-1
>   about to overflow?
>   yes
>                         dec()
>                           load INT_MAX-1
>   set to INT_MAX
>                           set to INT_MAX-2
>
> Or would you use the same INT_MIN/2 saturation point done on x86?
>

Yes, I am using the same saturation point as x86. In this example, I
am not entirely sure I understand why it matters, though: the atomics
guarantee that the write by CPU2 fails if CPU1 changed the value in
the mean time, regardless of which value it wrote.

I think the concern is more related to the likelihood of another CPU
doing something nasty between the moment that the refcount overflows
and the moment that the handler pins it at INT_MIN/2, e.g.,

> CPU 1                   CPU 2
> inc()
>   load INT_MAX
>   about to overflow?
>   yes
>
>   set to 0
>                          <insert exploit here>
>   set to INT_MIN/2


> As for performance, it should be easy to measure with the LKDTM test
> to find out exactly the differences.
>

Yes, I intend to look into this on Monday.