From: Kees Cook <keescook@chromium.org>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Will Deacon <will@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Ingo Molnar <mingo@kernel.org>,
Elena Reshetova <elena.reshetova@intel.com>,
Hanjun Guo <guohanjun@huawei.com>,
Jan Glauber <jglauber@marvell.com>
Subject: Re: [PATCH v2 0/6] Rework REFCOUNT_FULL using atomic_fetch_* operations
Date: Sat, 31 Aug 2019 12:02:43 -0700 [thread overview]
Message-ID: <201908311200.926B5C0F@keescook> (raw)
In-Reply-To: <CAKv+Gu_Q=o_6xDW_7YTd3J6psqs-o+qBxW4r9MXCBwjmsGpTbQ@mail.gmail.com>
On Sat, Aug 31, 2019 at 08:48:56PM +0300, Ard Biesheuvel wrote:
> It's been ~2 years since I looked at this code in detail, but IIRC, it
> looked like the inc-from-zero check was missing from the x86
> implementation because it requires a load/compare/increment/store
> sequence instead of a single increment instruction taking a memory
> operand. Was there more rationale at the time for omitting this
> particular case, and if so, was it based on a benchmark? Can we run it
> against this implementation as well?
It was based on providing a protection against the pre-exploitation case
(overflow: "something bad is about to happen, let's stop it") rather
than the post-exploitation case (inc from zero, "something bad already
happened, eek") with absolutely the fewest possible extra cycles, as
various subsystem maintainers had zero tolerance for any measurable
changes in refcounting performance.
I much prefer the full coverage, even if it's a tiny bit slower. And
based on the worse-case timings (where literally nothing else is
happening) it seems like these changes should be WELL under the noise.
--
Kees Cook
next prev parent reply other threads:[~2019-08-31 19:04 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-27 16:31 [PATCH v2 0/6] Rework REFCOUNT_FULL using atomic_fetch_* operations Will Deacon
2019-08-27 16:31 ` [PATCH v2 1/6] lib/refcount: Define constants for saturation and max refcount values Will Deacon
2019-08-27 16:32 ` [PATCH v2 2/6] lib/refcount: Ensure integer operands are treated as signed Will Deacon
2019-08-27 16:32 ` [PATCH v2 3/6] lib/refcount: Remove unused refcount_*_checked() variants Will Deacon
2019-08-27 16:32 ` [PATCH v2 4/6] lib/refcount: Move bulk of REFCOUNT_FULL implementation into header Will Deacon
2019-08-27 16:32 ` [PATCH v2 5/6] lib/refcount: Improve performance of generic REFCOUNT_FULL code Will Deacon
2019-08-27 16:32 ` [PATCH v2 6/6] lib/refcount: Consolidate REFCOUNT_{MAX,SATURATED} definitions Will Deacon
2019-08-27 17:51 ` [PATCH v2 0/6] Rework REFCOUNT_FULL using atomic_fetch_* operations Kees Cook
2019-08-28 7:30 ` Peter Zijlstra
2019-08-28 14:14 ` Will Deacon
2019-08-28 21:03 ` Kees Cook
2019-08-31 17:48 ` Ard Biesheuvel
2019-08-31 19:02 ` Kees Cook [this message]
2019-08-31 20:54 ` Ard Biesheuvel
2019-09-06 13:43 ` Will Deacon
2019-09-07 1:57 ` Hanjun Guo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201908311200.926B5C0F@keescook \
--to=keescook@chromium.org \
--cc=ard.biesheuvel@linaro.org \
--cc=elena.reshetova@intel.com \
--cc=guohanjun@huawei.com \
--cc=jglauber@marvell.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=peterz@infradead.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox