On Mon, Dec 6, 2021 at 3:28 PM Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>
> I'm not arguing for refcount_t -- I'm arguing for an API that isn't a
> regression of features that have been protecting the kernel from bugs.
Maybe somebody could actually just fix refcount_t instead. Somebody
who cares about that currently horrendously bad interface.
Fix it to not do the fundamentally broken saturation that actively
destroys state: fix it to have a safe "try to increment", instead of
an unsafe "increment and do bad things".
Fix it to not unnecessarily use expensive compare-and-exchange loops,
when you can safely just race a bit, safe in the knowledge that you're
not going to race 2**31 times.
IOW, I think that "try_get_page()" function is basically the *much*
superior version of what is currently a broken "refcount_inc()".
And yes, it does warn about that overflow case that you claim only
refcount_t does. And does so without the broken semantics that
refcount h as.
Linus
