On Mon, Dec 6, 2021 at 3:28 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote: > > I'm not arguing for refcount_t -- I'm arguing for an API that isn't a > regression of features that have been protecting the kernel from bugs. Maybe somebody could actually just fix refcount_t instead. Somebody who cares about that currently horrendously bad interface. Fix it to not do the fundamentally broken saturation that actively destroys state: fix it to have a safe "try to increment", instead of an unsafe "increment and do bad things". Fix it to not unnecessarily use expensive compare-and-exchange loops, when you can safely just race a bit, safe in the knowledge that you're not going to race 2**31 times. IOW, I think that "try_get_page()" function is basically the *much* superior version of what is currently a broken "refcount_inc()". And yes, it does warn about that overflow case that you claim only refcount_t does. And does so without the broken semantics that refcount h as. Linus