Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp584213ybi; Sat, 15 Jun 2019 07:19:22 -0700 (PDT) X-Google-Smtp-Source: APXvYqznSiKHdriYSiHyntZk2x5joWBQsRs4y5gcFETwzN+mGOY3QLh2DMvNbQ+f20e88iUmMvzm X-Received: by 2002:a63:2159:: with SMTP id s25mr38844833pgm.234.1560608361949; Sat, 15 Jun 2019 07:19:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560608361; cv=none; d=google.com; s=arc-20160816; b=Gr3KkKZvFLhZTJoikOMeZ/WgcxzuDJSGFCIwlzv9vPup+KzhdVp9EX35TDvd/waWZN E7qO6Lq4JZO2+3qTP9AF3d/rpCCQqk6IrlFOur9rjyHCkv4QVcUIpmTSe8UAnHJAq4vw zSYJuMArpgxZXta7Iund1BQzfvZUCdJGRFnHYov/bnTQ7sQaKIp3iUS73p7PSwcDF0hN nNk6OegH7MlDh+zzbkOBQ5+eqvLyPTAdaIPVb5Pnza5qEIYBEwp351HHS2unQJa7ptXZ A3ur8oSg7MbqItIgJSV2WxrXjy1Eev/nKQ81rqgiKYi9ZVIRIk9q9OYaV3faWGU2Lm2k 39CQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=; b=Brwl+HrkBZAAAhajkybZXalM4NUtKx4814uO/AOuFiA/lkUyu31vLqE9EnwwjfmbP4 M94QGtQosAUWjH1gWMkf6kt/yN0O5BcgU488b2KwMOkWfBCif6tbM4ocj0lrty3i3xqF 5Uj31MVLtJEXTWseIlsP+yoPrDsXYY5vG8l9ciI1KD3vOGaXvhYH4EhLOsicxaEeqzQi vRQFKLzaJwBCmRYoygxQdy0UlCnoM2tuvYCf9gh2QpDUHJ657sZg1UzSH+W+AYSXYxoQ RDkq4ESBQ1DKLXQeGkTgs1s8kGhG6UP7w0Su0k1iBXAhvr/F3H7qfG5rF0EYb1rKXGiY 9DAw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Z9Rk60Le; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d37si5082444plb.351.2019.06.15.07.18.56; Sat, 15 Jun 2019 07:19:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=Z9Rk60Le; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726863AbfFOOSg (ORCPT + 99 others); Sat, 15 Jun 2019 10:18:36 -0400 Received: from mail-io1-f67.google.com ([209.85.166.67]:36076 "EHLO mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726400AbfFOOSg (ORCPT ); Sat, 15 Jun 2019 10:18:36 -0400 Received: by mail-io1-f67.google.com with SMTP id h6so12106051ioh.3 for ; Sat, 15 Jun 2019 07:18:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=; b=Z9Rk60LeD/0ptcPj16hkpfST5k3ZThFqW3OXHdbZlJbMajc0/BhzHF+sQMfmAFeZPf g9RM8ZRaUqycBUQNF99rNjCoZSwH+6o3iRvi0RGwdkOg7rMWz5WCxfsdWyMgmM/EpS06 dAubW+ndaqdG95ne2fbXiysxPXe/a0cF4y9aexF3g+ERtHCy1rR/TApR3VIitpi2rmzF Lri4OA9uev4HytKxrr7YzelhP4haIrdQbQrG8iL17AMzhQxcUskPNUFl6YyIDiq9ePwC gsZyxStXOcx0YWnIjrsmzA+A36r0ILOMH2lzG/aLqTTxAOHiBZoGgqDc0vgB47TpSJYu XzFg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WZCWllnmsiBaICnZjSKeck7hGpgHXTO6pHNqapuT9AM=; b=QmjkiECWxR7locOMLG9mUX0eGxijt5rF7y2X1El9zYxYneScyiY9JXlDhh1UxTGYuN c0DJRNX2BU3XP1VeLU+yZNqXlPYTnDuPodtvz4w0xEwcFhQLzus0bW41zXP6M3GyQN1q 2lOz4P0J5YaLHuPS3tiFaImmofu0d++hpxhrkkOuhnIdeasn9lVTfbqA2QwYYhDut0yu QmALljE6waict3oBLvKAgtnqMTTjYv0pOFg+MqYLLHYn7tzNQJ+cttpXvvo70I4vvXMx 0nCsybLUnPGmmVxlPG3MNS0usiY51fWUXC9Ct7Lgz3hyl+tjiocEIocmypSolWUlJS2s /1uw== X-Gm-Message-State: APjAAAVvx8PUwcjmy29LoDeYKyh4SZoj75sNluTsBy810wx0kmJ9Te8f +AdJqClfazFUNSNWjVFSzY38ahQAEBZ17Srq3+KmHA== X-Received: by 2002:a5d:9456:: with SMTP id x22mr1769308ior.71.1560608315058; Sat, 15 Jun 2019 07:18:35 -0700 (PDT) MIME-Version: 1.0 References: <20190522160417.GF7876@fuggles.cambridge.arm.com> <20190612040933.GA18848@dc5-eodlnx05.marvell.com> <20190612093151.GA11554@brain-police> <20190614070914.GA21961@dc5-eodlnx05.marvell.com> <20190614095846.GC10506@fuggles.cambridge.arm.com> <20190614103850.GG10659@fuggles.cambridge.arm.com> <201906142026.1BC27EDB1E@keescook> <201906150654.FF4400F7C8@keescook> In-Reply-To: <201906150654.FF4400F7C8@keescook> From: Ard Biesheuvel Date: Sat, 15 Jun 2019 16:18:21 +0200 Message-ID: Subject: Re: [RFC] Disable lockref on arm64 To: Kees Cook Cc: Will Deacon , Jayachandran Chandrasekharan Nair , "catalin.marinas@arm.com" , Jan Glauber , Linus Torvalds , "linux-kernel@vger.kernel.org" , "linux-arm-kernel@lists.infradead.org" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 15 Jun 2019 at 15:59, Kees Cook wrote: > > On Sat, Jun 15, 2019 at 10:47:19AM +0200, Ard Biesheuvel wrote: > > remaining question Will had was whether it makes sense to do the > > condition checks before doing the actual store, to avoid having a time > > window where the refcount assumes its illegal value. Since arm64 does > > not have memory operands, the instruction count wouldn't change, but > > it will definitely result in a performance hit on out-of-order CPUs. > > What do the races end up looking like? Is it possible to have two > threads ordered in a way that a second thread could _un_saturate a > counter? > > CPU 1 CPU 2 > inc() > load INT_MAX-1 > about to overflow? > yes > dec() > load INT_MAX-1 > set to INT_MAX > set to INT_MAX-2 > > Or would you use the same INT_MIN/2 saturation point done on x86? > Yes, I am using the same saturation point as x86. In this example, I am not entirely sure I understand why it matters, though: the atomics guarantee that the write by CPU2 fails if CPU1 changed the value in the mean time, regardless of which value it wrote. I think the concern is more related to the likelihood of another CPU doing something nasty between the moment that the refcount overflows and the moment that the handler pins it at INT_MIN/2, e.g., > CPU 1 CPU 2 > inc() > load INT_MAX > about to overflow? > yes > > set to 0 > > set to INT_MIN/2 > As for performance, it should be easy to measure with the LKDTM test > to find out exactly the differences. > Yes, I intend to look into this on Monday.