linux-arm-kernel.lists.infradead.org archive mirror
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Kees Cook <keescook@chromium.org>
Cc: "catalin.marinas@arm.com" <catalin.marinas@arm.com>,
	Jan Glauber <jglauber@marvell.com>,
	Will Deacon <will.deacon@arm.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	Jayachandran Chandrasekharan Nair <jnair@marvell.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	"linux-arm-kernel@lists.infradead.org"
	<linux-arm-kernel@lists.infradead.org>
Subject: Re: [RFC] Disable lockref on arm64
Date: Sat, 15 Jun 2019 16:18:21 +0200
Message-ID: <CAKv+Gu9-rZ16Nb9t3=knzW0BHu0eNxQoPwWS4c8UMMm=2iqiuw@mail.gmail.com>
In-Reply-To: <201906150654.FF4400F7C8@keescook>

On Sat, 15 Jun 2019 at 15:59, Kees Cook <keescook@chromium.org> wrote:
>
> On Sat, Jun 15, 2019 at 10:47:19AM +0200, Ard Biesheuvel wrote:
> > remaining question Will had was whether it makes sense to do the
> > condition checks before doing the actual store, to avoid having a time
> > window where the refcount assumes its illegal value. Since arm64 does
> > not have memory operands, the instruction count wouldn't change, but
> > it will definitely result in a performance hit on out-of-order CPUs.
>
> What do the races end up looking like? Is it possible to have two
> threads ordered in a way that a second thread could _un_saturate a
> counter?
>
> CPU 1                   CPU 2
> inc()
>   load INT_MAX-1
>   about to overflow?
>   yes
>                         dec()
>                           load INT_MAX-1
>   set to INT_MAX
>                           set to INT_MAX-2
>
> Or would you use the same INT_MIN/2 saturation point done on x86?
>

Yes, I am using the same saturation point as x86. In this example, I
am not entirely sure I understand why it matters, though: the atomics
guarantee that the write by CPU2 fails if CPU1 changed the value in
the meantime, regardless of which value it wrote.

I think the concern is more related to the likelihood of another CPU
doing something nasty between the moment that the refcount overflows
and the moment that the handler pins it at INT_MIN/2, e.g.,

> CPU 1                   CPU 2
> inc()
>   load INT_MAX
>   about to overflow?
>   yes
>
>   set to 0
>                          <insert exploit here>
>   set to INT_MIN/2


> As for performance, it should be easy to measure with the LKDTM test
> to find out exactly the differences.
>

Yes, I intend to look into this on Monday.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
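The two approaches under discussion, as an added example in C11 atomics that is not kernel code and not anything a participant in this thread posted. It pins at the same INT_MIN/2 saturation point as x86 and models two increment paths: a cmpxchg loop that checks before storing (the counter never holds a wrapped value, and every increment pays for the compare, which is the cost being weighed above), and a store-then-fix-up path in the shape of x86's add-then-jump-on-sign, where the counter holds the wrapped value INT_MIN between the add and the pin. replay_stale_dec() replays the interleaving in Kees's first diagram with the cmpxchg variant: CPU2's compare-and-swap against a stale read fails once CPU1 has stored, whatever value CPU2 intended to write. The observer hook is a test device standing in for the "<insert exploit here>" line and has no counterpart in any real implementation; all function names are this example's own.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Saturation point, the same INT_MIN/2 as x86 refcount_t: mid negative
 * range, so a burst of incs or decs arriving before the fix-up cannot push
 * the counter back through zero or around to positive. */
#define REFCOUNT_SATURATED (INT_MIN / 2)

typedef struct { _Atomic int refs; } refcount_t;

/* Variant A: check before store. The cmpxchg loop computes the new value
 * from the value it read and stores only if nothing changed since. The
 * counter never holds a wrapped value; every inc pays for the compare. */
static bool refcount_inc_checked(refcount_t *r)
{
    int old = atomic_load_explicit(&r->refs, memory_order_relaxed);

    for (;;) {
        int new;

        if (old == REFCOUNT_SATURATED)
            return false;                         /* pinned: leave it alone */
        new = (old < 0 || old == INT_MAX) ? REFCOUNT_SATURATED : old + 1;
        /* Failure reloads 'old' and retries: a store based on a stale read
         * never lands, whatever value it would have written. */
        if (atomic_compare_exchange_weak_explicit(&r->refs, &old, new,
                    memory_order_relaxed, memory_order_relaxed))
            return new != REFCOUNT_SATURATED;
    }
}

/* Variant B: store, then fix up. Unconditional atomic add, then a check on
 * the result that takes a slow path (the shape of x86's "lock incl; js
 * handler" and of an LSE fast path). Between add and pin the counter holds
 * the wrapped value; 'observer' is a test hook run inside that window,
 * standing in for "<insert exploit here>"; no real implementation has it. */
static bool refcount_inc_fast(refcount_t *r, void (*observer)(refcount_t *))
{
    int old = atomic_fetch_add_explicit(&r->refs, 1, memory_order_relaxed);

    if (old < 0 || old == INT_MAX) {              /* result wrapped, or already pinned */
        if (observer)
            observer(r);
        atomic_store_explicit(&r->refs, REFCOUNT_SATURATED, memory_order_relaxed);
        return false;
    }
    return true;
}

/* Variant B decrement: underflow or a pinned counter goes negative and is
 * pinned again, so saturation is sticky in both directions. */
static int refcount_dec_fast(refcount_t *r)
{
    int old = atomic_fetch_sub_explicit(&r->refs, 1, memory_order_release);

    if (old <= 0) {
        atomic_store_explicit(&r->refs, REFCOUNT_SATURATED, memory_order_relaxed);
        return REFCOUNT_SATURATED;
    }
    return old - 1;
}

/* Kees's interleaving replayed with variant A: CPU2 reads INT_MAX-1, CPU1
 * incs to INT_MAX, CPU2's compare-and-swap on its stale read fails. Returns
 * the final value, or -1 if the stale write had been accepted. */
static int replay_stale_dec(void)
{
    refcount_t r = { INT_MAX - 1 };
    int cpu2_expected = atomic_load(&r.refs);         /* CPU2: load INT_MAX-1 */

    refcount_inc_checked(&r);                          /* CPU1: set to INT_MAX */
    if (atomic_compare_exchange_strong(&r.refs, &cpu2_expected, INT_MAX - 2))
        return -1;                                     /* CPU2: set to INT_MAX-2 */
    return atomic_load(&r.refs);
}

static int seen_in_window;
static void record_window(refcount_t *r) { seen_in_window = atomic_load(&r->refs); }

/* What another CPU can see between variant B's add and its pin. */
static int overflow_window_value(void)
{
    refcount_t r = { INT_MAX };

    seen_in_window = 0;
    refcount_inc_fast(&r, record_window);
    return seen_in_window;                             /* INT_MIN */
}

/* Both variants land on the same value after an overflow from INT_MAX. */
static int overflow_final(bool checked)
{
    refcount_t r = { INT_MAX };

    if (checked)
        refcount_inc_checked(&r);
    else
        refcount_inc_fast(&r, NULL);
    return atomic_load(&r.refs);
}

/* Once pinned, incs and decs of either flavour leave it pinned; the count
 * can never walk back to zero and free the object. */
static bool saturation_is_sticky(void)
{
    refcount_t r = { REFCOUNT_SATURATED };

    refcount_inc_fast(&r, NULL);
    refcount_inc_checked(&r);
    refcount_dec_fast(&r);
    return atomic_load(&r.refs) == REFCOUNT_SATURATED;
}

int main(void)
{
    printf("stale dec rejected, final %d (INT_MAX %d)\n", replay_stale_dec(), INT_MAX);
    printf("visible in window %d (INT_MIN %d)\n", overflow_window_value(), INT_MIN);
    printf("after overflow: fast %d, checked %d\n", overflow_final(false), overflow_final(true));
    printf("saturation sticky: %d\n", saturation_is_sticky());
    return 0;
}
```

The window in overflow_window_value() is exactly the gap Ard describes: variant B only closes it with the store in its slow path, while variant A never opens it because the saturated value is the only thing it ever stores on overflow. Build with a C11 compiler (gcc -std=c11 refcount_sat.c); int atomics are lock-free on arm64 and x86-64, so no libatomic is needed.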


Thread overview: 37+ messages
2019-04-29 14:52 [RFC] Disable lockref on arm64 Jan Glauber
2019-05-01 16:01 ` Will Deacon
2019-05-02  8:38   ` Jan Glauber
2019-05-01 16:41 ` Linus Torvalds
2019-05-02  8:27   ` Jan Glauber
2019-05-02 16:12     ` Linus Torvalds
2019-05-02 23:19       ` Jayachandran Chandrasekharan Nair
2019-05-03 19:40         ` Linus Torvalds
2019-05-06  6:13           ` [EXT] " Jayachandran Chandrasekharan Nair
2019-05-06 17:13             ` Linus Torvalds
2019-05-06 18:10             ` Will Deacon
2019-05-18  4:24               ` Jayachandran Chandrasekharan Nair
2019-05-18 10:00                 ` Ard Biesheuvel
2019-05-22 16:04                   ` Will Deacon
2019-06-12  4:10                     ` Jayachandran Chandrasekharan Nair
2019-06-12  9:31                       ` Will Deacon
2019-06-14  7:09                         ` Jayachandran Chandrasekharan Nair
2019-06-14  9:58                           ` Will Deacon
2019-06-14 10:24                             ` Ard Biesheuvel
2019-06-14 10:38                               ` Will Deacon
2019-06-15  4:21                                 ` Kees Cook
2019-06-15  8:47                                   ` Ard Biesheuvel
2019-06-15 13:59                                     ` Kees Cook
2019-06-15 14:18                                       ` Ard Biesheuvel [this message]
2019-06-16 21:31                                         ` Kees Cook
2019-06-17 11:33                                           ` Ard Biesheuvel
2019-06-17 17:26                                             ` Will Deacon
2019-06-17 20:07                                               ` Jayachandran Chandrasekharan Nair
2019-06-18  5:41                                               ` Kees Cook
2019-06-13  9:53                       ` Hanjun Guo
2019-06-05 13:48   ` [PATCH] lockref: Limit number of cmpxchg loop retries Jan Glauber
2019-06-05 20:16     ` Linus Torvalds
2019-06-06  8:03       ` Jan Glauber
2019-06-06  9:41         ` Will Deacon
2019-06-06 10:28           ` Jan Glauber
2019-06-07  7:27             ` Jan Glauber
2019-06-07 20:14               ` Linus Torvalds
