```
commit 998a1c313a986dc7c7457d0b5369381f65fa1330
Author: Mateusz Guzik <mjg@FreeBSD.org>
Date: Wed Mar 22 20:42:04 2023 +0000
cred: convert the refcount from int to long
On 64-bit platforms this sorts out worries about mitigating bugs which
overflow the counter without pessimizing anything, most notably it avoids
whacking per-thread operation in favor of refcount(9) API.
The struct already had two instances of 4 byte padding with 256 bytes in
size, cr_flags gets moved around to avoid growing it.
32-bit platforms could also get the extended counter, but I did not do
it as one day(tm) the mutex protecting centralized operation should be
replaced with atomics and 64-bit ops on 32-bit platforms remain quite
penalizing.
While worries of counter overflow are addressed, the following is not:
- counter *underflows*
- buffer overruns from adjacent allocations
- UAF due to stale cred pointer
As such, while lipstick was placed, the pig should not be participating
in any beauty pageants.
Reviewed by:
Differential Revision:
commit ceb8f401fcc5d956b9b92cff6aa6946a932f48bf
Author: Mateusz Guzik <mjg@FreeBSD.org>
Date: Wed Mar 22 21:44:55 2023 +0000
cred: make ref signed
There are asserts on the count being > 0, but they are less useful than
they can be because the type itself is unsigned. The kernel is compiled
with -fwrapv, making wraparound perfectly defined.
```
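The second commit's point, that a `count > 0` assert rejects only the single value 0 while the counter is unsigned, can be seen in a small model. This is an added example, not code from the FreeBSD tree: the `model` enum, the helper names and the scenarios in `main` are constructed for illustration, and wraparound is emulated on `uint64_t` so the demo does not depend on compiler flags.

```c
#include <stdint.h>
#include <stdio.h>

/* Counter models (hypothetical names, not FreeBSD's struct ucred fields):
 * U32 = unsigned int, I32 = int under -fwrapv, I64 = long on a 64-bit platform. */
enum model { U32, I32, I64 };

/* Add delta to a counter of the given model with wraparound semantics.
 * The arithmetic is done on uint64_t, so the demo has no signed overflow. */
static uint64_t adjust(enum model m, uint64_t bits, int64_t delta)
{
    bits += (uint64_t)delta;
    return (m == I64) ? bits : (bits & 0xffffffffu);
}

/* Would an assert of the form "count > 0" fire for this stored value? */
static int assert_fires(enum model m, uint64_t bits)
{
    switch (m) {
    case U32: return (uint32_t)bits == 0;                 /* only zero is rejected */
    case I32: return (bits & 0x80000000u) || (uint32_t)bits == 0;
    default:  return (bits >> 63) || bits == 0;           /* negative or zero */
    }
}

/* Apply one adjustment to `start` and report whether the next assert fires. */
static int caught_after(enum model m, int64_t start, int64_t delta)
{
    return assert_fires(m, adjust(m, (uint64_t)start, delta));
}

int main(void)
{
    static const char *name[] = { "unsigned int", "int", "long (64-bit)" };
    /* Constructed scenarios: balanced release, release past zero,
     * and one more hold on a counter sitting at INT32_MAX. */
    static const struct { int64_t start, delta; const char *what; } sc[] = {
        { 1, -1, "1 ref, 1 release" },
        { 1, -2, "1 ref, 2 released" },
        { INT32_MAX, 1, "hold at INT32_MAX" },
    };
    for (int m = U32; m <= I64; m++)
        for (unsigned i = 0; i < sizeof(sc) / sizeof(sc[0]); i++)
            printf("%-14s %-18s assert fires: %d\n", name[m], sc[i].what,
                caught_after((enum model)m, sc[i].start, sc[i].delta));
    return 0;
}
```

In the last scenario only the 32-bit signed counter wraps negative and trips the assert; the unsigned and 64-bit values are still in range there, so no assert is expected.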