On Tue, Oct 26, 2021 at 2:24 PM Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote: > > On Tue, Oct 26, 2021 at 05:38:14PM +0000, Pasha Tatashin wrote: > > It is hard to root cause _refcount problems, because they usually > > manifest after the damage has occurred. Yet, they can lead to > > catastrophic failures such memory corruptions. > > > > Improve debugability by adding more checks that ensure that > > page->_refcount never turns negative (i.e. double free does not > > happen, or free after freeze etc). > > > > - Check for overflow and underflow right from the functions that > > modify _refcount > > - Remove set_page_count(), so we do not unconditionally overwrite > > _refcount with an unrestrained value > > - Trace return values in all functions that modify _refcount > > I think this is overkill. Won't we get exactly the same protection > by simply testing that page->_refcount == 0 in set_page_count()? > Anything which triggers that BUG_ON would already be buggy because > it can race with speculative gets. We can't because set_page_count(v) is used for 1. changing _refcount form a current value to unconstrained v 2. initialize _refcount from undefined state to v. In this work we forbid the first case, and reduce the second case to initialize only to 1. Pasha
