Re: [RFC 0/8] Hardening page _refcount
From: Pasha Tatashin
Date: Tue Oct 26 2021 - 14:31:07 EST
On Tue, Oct 26, 2021 at 2:24 PM Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote:
>
> On Tue, Oct 26, 2021 at 05:38:14PM +0000, Pasha Tatashin wrote:
> > It is hard to root cause _refcount problems, because they usually
> > manifest after the damage has occurred. Yet, they can lead to
> > catastrophic failures such memory corruptions.
> >
> > Improve debugability by adding more checks that ensure that
> > page->_refcount never turns negative (i.e. double free does not
> > happen, or free after freeze etc).
> >
> > - Check for overflow and underflow right from the functions that
> > modify _refcount
> > - Remove set_page_count(), so we do not unconditionally overwrite
> > _refcount with an unrestrained value
> > - Trace return values in all functions that modify _refcount
>
> I think this is overkill. Won't we get exactly the same protection
> by simply testing that page->_refcount == 0 in set_page_count()?
> Anything which triggers that BUG_ON would already be buggy because
> it can race with speculative gets.
We can't because set_page_count(v) is used for
1. changing _refcount form a current value to unconstrained v
2. initialize _refcount from undefined state to v.
In this work we forbid the first case, and reduce the second case to
initialize only to 1.
Pasha