On Fri, Aug 02, 2019 at 11:09:54AM +0100, Will Deacon wrote: > Although the revised implementation passes all of the lkdtm REFCOUNT > tests, there is a race condition introduced by the deferred saturation > whereby if INT_MIN + 2 tasks take a reference on a refcount at > REFCOUNT_MAX and are each preempted between detecting overflow and > writing the saturated value without being rescheduled, then another task > may end up erroneously freeing the object when it drops the refcount and > sees zero. It doesn't feel like a particularly realistic case to me, but > I thought I should mention it in case somebody else knows better.
So my OCD has always found that hole objectionable. Also I suppose the cmpxchg ones are simpler to understand. Maybe make this fancy stuff depend on !FULL ?
