public inbox for libc-help@sourceware.org
* Why is lock elision forbidden in suid?
@ 2017-10-19 20:11 Tulio Magno Quites Machado Filho
  2017-10-19 21:20 ` Carlos O'Donell
  0 siblings, 1 reply; 2+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2017-10-19 20:11 UTC (permalink / raw)
  To: Libc-help Mailing List

In a message to libc-alpha from 2013 [1] [2], there has been an agreement
that lock elision should be disabled for suid programs.  However, these
messages don't make it clear why it's necessary.

Are there any other reasons beside the risk of adding new code to critical
programs?

[1] https://sourceware.org/ml/libc-alpha/2013-06/msg00561.html
[2] https://sourceware.org/ml/libc-alpha/2013-06/msg00578.html

-- 
Tulio Magno


* Re: Why is lock elision forbidden in suid?
  2017-10-19 20:11 Why is lock elision forbidden in suid? Tulio Magno Quites Machado Filho
@ 2017-10-19 21:20 ` Carlos O'Donell
  0 siblings, 0 replies; 2+ messages in thread
From: Carlos O'Donell @ 2017-10-19 21:20 UTC (permalink / raw)
  To: Tulio Magno Quites Machado Filho, Libc-help Mailing List

On 10/19/2017 01:11 PM, Tulio Magno Quites Machado Filho wrote:
> In a message to libc-alpha from 2013 [1] [2], there has been an agreement
> that lock elision should be disabled for suid programs.  However, these
> messages don't make it clear why it's necessary.
> 
> Are there any other reasons beside the risk of adding new code to critical
> programs?

The reason is that some of the previously undefined behaviour which used
to work now becomes hard crashes, e.g. unlocking an already unlocked mutex.

When we turned elision on we had all sorts of users reporting bad crashing
programs that did unconditional mutex unlocks. The idea here was that we
would not want to inflict these kinds of "still within the standards"
changes on suid binaries.

In addition to this, the lock elision code is less mature, less well tested,
and possibly more prone to getting stuck retrying a transaction to no end
(do we have forward progress guarantees from the hardware?).

These issues make it hard to argue that suid binaries should be influenced
by elision.

-- 
Cheers,
Carlos.
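
The failure mode named in the reply above, unlocking a mutex that is not locked, is undefined for a default mutex but defined for a `PTHREAD_MUTEX_ERRORCHECK` mutex, which POSIX requires to return an error. The following is an added example, not part of the thread and not glibc code, showing how a test build can surface such unconditional unlocks; the function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: create a mutex whose misuse is reported as an
 * error code instead of being undefined behaviour. */
static int errorcheck_mutex_init(pthread_mutex_t *m)
{
    pthread_mutexattr_t attr;
    int rc = pthread_mutexattr_init(&attr);
    if (rc != 0)
        return rc;
    rc = pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
    if (rc == 0)
        rc = pthread_mutex_init(m, &attr);
    pthread_mutexattr_destroy(&attr);
    return rc;
}

/* Unlock a mutex that was never locked; returns the pthread error code
 * (or -1 if the mutex could not be set up). */
int unlock_never_locked(void)
{
    pthread_mutex_t m;
    if (errorcheck_mutex_init(&m) != 0)
        return -1;
    int rc = pthread_mutex_unlock(&m);
    pthread_mutex_destroy(&m);
    return rc;
}

/* Lock once, unlock twice; returns the result of the second unlock. */
int unlock_twice(void)
{
    pthread_mutex_t m;
    if (errorcheck_mutex_init(&m) != 0)
        return -1;
    int rc = pthread_mutex_lock(&m);
    if (rc == 0)
        rc = pthread_mutex_unlock(&m);   /* balanced unlock */
    if (rc == 0)
        rc = pthread_mutex_unlock(&m);   /* the unconditional extra unlock */
    pthread_mutex_destroy(&m);
    return rc;
}

int main(void)
{
    printf("never locked: %s\n", strerror(unlock_never_locked()));
    printf("double unlock: %s\n", strerror(unlock_twice()));
    return 0;
}
```

Checking the return value of `pthread_mutex_unlock` on error-checking mutexes in a test build is one way to find the unbalanced unlocks before they run against a mutex type where the behaviour is undefined.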
