Re: [RFC 1/8] mm: add overflow and underflow checks for page->_refcount

From: Matthew Wilcox
Date: Tue Oct 26 2021 - 15:50:35 EST


On Tue, Oct 26, 2021 at 05:38:15PM +0000, Pasha Tatashin wrote:
> static inline void page_ref_add(struct page *page, int nr)
> {
> - atomic_add(nr, &page->_refcount);
> + int ret;
> +
> + VM_BUG_ON(nr <= 0);
> + ret = atomic_add_return(nr, &page->_refcount);
> + VM_BUG_ON_PAGE(ret <= 0, page);
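Review bot: the `VM_BUG_ON_PAGE(ret <= 0, page);` after `atomic_add_return()` treats every non-positive result as a bug, but the reply below points out that `_refcount` is allowed to overflow into the negatives, so this check would fire on counts the existing code tolerates; the overflow side should follow the semantics of `page_ref_zero_or_close_to_overflow()` rather than a plain `ret <= 0` test, while `VM_BUG_ON(nr <= 0);` can stay as the guard against a non-positive increment. The quoted hunk is also excerpted without its `@@` header, so the rest of `page_ref_add()` is not visible here for checking the return path.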

This isn't right. _refcount is allowed to overflow into the negatives.
See page_ref_zero_or_close_to_overflow() and the conversations that led
to it being added.
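A userspace model of the disagreement Matthew describes, added here as an example and not code from the thread or the kernel: `close_to_overflow()` is written to the assumed shape of `page_ref_zero_or_close_to_overflow()` (count of zero, or wrapped into the small negatives), `patch_check_fires()` is the `ret <= 0` test from the quoted hunk, and `model_page` / `ref_add()` are constructed stand-ins for `struct page` and `page_ref_add()`.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct page: only the signed refcount matters here. */
typedef struct {
    int refcount;
} model_page;

/* Two's-complement wrapping add done in unsigned arithmetic so the model
 * itself has no signed-overflow undefined behaviour. */
static int wrapping_add(int v, int nr)
{
    return (int)((unsigned int)v + (unsigned int)nr);
}

/* The check proposed in the quoted hunk: any non-positive result is a bug. */
static bool patch_check_fires(int ret)
{
    return ret <= 0;
}

/* Assumed shape of page_ref_zero_or_close_to_overflow(): true only when the
 * count is 0 or has wrapped into [-127, 0]. A large positive count that has
 * just crossed INT_MAX into INT_MIN is deliberately *not* flagged. */
static bool close_to_overflow(int count)
{
    return (unsigned int)count + 127u <= 127u;
}

/* Constructed stand-in for page_ref_add(): add nr and return the new count. */
static int ref_add(model_page *p, int nr)
{
    p->refcount = wrapping_add(p->refcount, nr);
    return p->refcount;
}

int main(void)
{
    model_page p = { INT_MAX };
    int ret = ref_add(&p, 1);   /* crosses into the negatives */
    printf("after add: %d patch_check=%d close_to_overflow=%d\n",
           ret, patch_check_fires(ret), close_to_overflow(ret));
    return 0;
}
```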