From 782d004253cbe3d456d1843f4fa710a811948dae Mon Sep 17 00:00:00 2001
From: hselasky <hselasky@FreeBSD.org>
Date: Mon, 22 Oct 2018 16:21:50 +0000
Subject: [PATCH] Make sure returned value is checked and assert a valid
 refcount. While at it fix a print: Unsigned types cannot be negative.

Reviewed by:		kib, mjg
Differential revision:	https://reviews.freebsd.org/D17616
MFC after:		1 week
Sponsored by:		Mellanox Technologies
---
 sys/sys/refcount.h | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/sys/sys/refcount.h b/sys/sys/refcount.h
index e7b52db0ceef..a0e32c805a4f 100644
--- a/sys/sys/refcount.h
+++ b/sys/sys/refcount.h
@@ -62,7 +62,7 @@ refcount_release(volatile u_int *count)
 
 	atomic_thread_fence_rel();
 	old = atomic_fetchadd_int(count, -1);
-	KASSERT(old > 0, ("negative refcount %p", count));
+	KASSERT(old > 0, ("refcount %p is zero", count));
 	if (old > 1)
 		return (0);
 
@@ -77,15 +77,19 @@ refcount_release(volatile u_int *count)
 }
 
 /*
+ * This functions returns non-zero if the refcount was
+ * incremented. Else zero is returned.
+ *
  * A temporary hack until refcount_* APIs are sorted out.
  */
-static __inline int
+static __inline __result_use_check int
 refcount_acquire_if_not_zero(volatile u_int *count)
 {
 	u_int old;
 
 	old = *count;
 	for (;;) {
+		KASSERT(old < UINT_MAX, ("refcount %p overflowed", count));
 		if (old == 0)
 			return (0);
 		if (atomic_fcmpset_int(count, &old, old + 1))
@@ -93,13 +97,14 @@ refcount_acquire_if_not_zero(volatile u_int *count)
 	}
 }
 
-static __inline int
+static __inline __result_use_check int
 refcount_release_if_not_last(volatile u_int *count)
 {
 	u_int old;
 
 	old = *count;
 	for (;;) {
+		KASSERT(old > 0, ("refcount %p is zero", count));
 		if (old == 1)
 			return (0);
 		if (atomic_fcmpset_int(count, &old, old - 1))