On Wed, Feb 22, 2017 at 9:29 AM, David Howells <[email protected]> wrote: > Reshetova, Elena <[email protected]> wrote: > >> Thank you very much David for testing the patches! >> I guess for this one and other two patches it means that if we want to do >> the atomic_t --> refcount_t conversions, >> we need to do +1 on the whole counting scheme to avoid issues around >> reaching zero. >> Do you see this approach reasonable? I can give it a try, if it makes sense >> in your opinion. > > Or you could create a refcount_inc_may_resurrect() function that does allow > increment from 0. Make it take a lock-check like the rcu functions do.
We can't allow the increment from 0 since it violates the intended use-after-free protections. If "0" means "still valid" then this sounds like it needs a global +1, as Elena suggested in her reply. -Kees -- Kees Cook Pixel Security
