Date: Sat, 31 Aug 2019 12:02:43 -0700
From: Kees Cook
To: Ard Biesheuvel
Cc: Will Deacon, Peter Zijlstra, Linux Kernel Mailing List, Ingo Molnar, Elena Reshetova, Hanjun Guo, Jan Glauber
Subject: Re: [PATCH v2 0/6] Rework REFCOUNT_FULL using atomic_fetch_* operations
Message-ID: <201908311200.926B5C0F@keescook>

On Sat, Aug 31, 2019 at 08:48:56PM +0300, Ard Biesheuvel wrote:
> It's been ~2 years since I looked at this code in detail, but IIRC, it
> looked like the inc-from-zero check was missing from the x86
> implementation because it requires a load/compare/increment/store
> sequence instead of a single increment instruction taking a memory
> operand. Was there more rationale at the time for omitting this
> particular case, and if so, was it based on a benchmark? Can we run it
> against this implementation as well?

It was based on providing a protection against the pre-exploitation case
(overflow: "something bad is about to happen, let's stop it") rather than
the post-exploitation case (inc from zero, "something bad already
happened, eek") with absolutely the fewest possible extra cycles, as
various subsystem maintainers had zero tolerance for any measurable
changes in refcounting performance.

I much prefer the full coverage, even if it's a tiny bit slower. And
based on the worst-case timings (where literally nothing else is
happening) it seems like these changes should be WELL under the noise.

-- 
Kees Cook
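
The two cases discussed in this message (overflow and increment from zero), as an added example that is not part of the thread or of the kernel patch series: a user-space C11 model in which one atomic fetch-add returns the old value and both checks are made on it afterwards. All names (`rc_inc`, `RC_SATURATED`, `rc_inc_from`) and the choice of saturation value are assumptions made for illustration.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical user-space model; names are illustrative, not kernel API. */
#define RC_SATURATED (INT_MIN / 2)  /* assumed sentinel, far from 0 on both sides */

enum rc_event { RC_OK, RC_INC_FROM_ZERO, RC_OVERFLOW };

struct rc { atomic_int refs; };

/* Pin the counter where later increments and decrements cannot bring it
 * back to zero, so the object leaks instead of being freed while in use. */
static enum rc_event rc_saturate(struct rc *r, enum rc_event why)
{
    atomic_store_explicit(&r->refs, RC_SATURATED, memory_order_relaxed);
    return why;
}

/* One atomic read-modify-write, then classify the value seen before it. */
enum rc_event rc_inc(struct rc *r)
{
    int old = atomic_fetch_add_explicit(&r->refs, 1, memory_order_relaxed);

    if (old == 0)                    /* count had already dropped to zero */
        return rc_saturate(r, RC_INC_FROM_ZERO);
    if (old < 0 || old == INT_MAX)   /* already saturated, or this add wrapped */
        return rc_saturate(r, RC_OVERFLOW);
    return RC_OK;
}

/* Helper for experiments: start at `start`, increment once, report both. */
enum rc_event rc_inc_from(int start, int *after)
{
    struct rc r;
    atomic_init(&r.refs, start);
    enum rc_event ev = rc_inc(&r);
    *after = atomic_load_explicit(&r.refs, memory_order_relaxed);
    return ev;
}

int main(void)
{
    int starts[] = { 1, 0, INT_MAX, RC_SATURATED };  /* constructed inputs */
    for (int i = 0; i < 4; i++) {
        int after;
        enum rc_event ev = rc_inc_from(starts[i], &after);
        printf("start=%d event=%d after=%d\n", starts[i], (int)ev, after);
    }
    return 0;
}
```
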