On Thu, Nov 17, 2016 at 12:34 AM, Peter Zijlstra <pet...@infradead.org> wrote: > On Wed, Nov 16, 2016 at 10:58:38AM -0800, Kees Cook wrote: >> What I mean to say is that while the refcnt here should clearly be >> converted to kref or refcount_t, it looks like locked_vm should become >> a new stats_t. However, it seems weird for locked_vm to ever wrap >> either... > > No, its not a statistic. Also, I'm far from convinced stats_t is an > actually useful thing to have.
It's useful because its introduction creates a type that can't be trivially used for refcounting (i.e. hard to make the mistake of using stats_t for refcounting), and replacing atomic_t statistic counters with stats_t reduces the effort required to do the initial (and on-going) audit for misuse of atomic_t as a refcounter. > refcount_t brought special semantics that clearly are different from > regular atomic_t, stats_t would not, so why would it need to exist. Your original suggestion about stats_t showed how its accessor API would be a very small subset of the regular atomic_t set. I think that reduction in accidental misuse has value. > Not to mention that you seem over eager to apply it, which doesn't > inspire confidence. I'd like to get to the point where auditing for mistakes in this area is tractable. :) If atomic_t is only used for non-stats and non-refcount, it's much much easier to examine and reason about. -Kees -- Kees Cook Nexus Security
