Ingo Molnar <mi...@kernel.org> writes: > * Andrew Morton <a...@linux-foundation.org> wrote: > >> On Wed, 19 Jul 2017 15:54:27 -0700 Davidlohr Bueso <d...@stgolabs.net> wrote: >> >> > On Wed, 19 Jul 2017, Andrew Morton wrote: >> > >> > >I do rather dislike these conversions from the point of view of >> > >performance overhead and general code bloat. But I seem to have lost >> > >that struggle and I don't think any of these are fastpath(?). >> > >> > Well, since we now have fd25d19 (locking/refcount: Create unchecked >> > atomic_t >> > implementation), performance is supposed to be ok. >> >> Sure, things are OK for people who disable the feature. > > So with the WIP fast-refcount series from Kees: > > [PATCH v6 0/2] x86: Implement fast refcount overflow protection > > I believe the robustness difference between optimized-refcount_t and > full-refcount_t will be marginal. > > I.e. we'll be able to have both higher API safety _and_ performance. > >> But for people who want to enable the feature we really should minimize the >> cost >> by avoiding blindly converting sites which simply don't need it: simple, >> safe, >> old, well-tested code. Why go and slow down such code? Need to apply some >> common sense here... > > It's old, well-tested code _for existing, sane parameters_, until someone > finds a > decade old bug in one of these with an insane parameters no-one stumbled upon > so > far, and builds an exploit on top of it. > > Only by touching all these places do we have a chance to improve things > measurably > in terms of reducing the probability of bugs.
The more I hear people pushing the upsides of refcount_t without considering the downsides the more I dislike it. - refcount_t is really the wrong thing because it uses saturation semantics. So by definition it includes a bug. - refcount_t will only really prevent something if there is an extra increment. That is not the kind of bug people are likely to make. - refcount_t won't help if you have an extra decrement. The bad use-after-free will still happen. - refcount_t won't help if there is a memory stomp. As with an extra decrement the bad use-after-free will still happen. So all I see is a huge amount of code churn to implement a buggy (by definition) refcounting API, that risks adding new bugs and only truly helps with bugs that are unlikely in the first place. I really don't think this is an obvious slam dunk. Eric
