userfaultfd: convert userfaultfd_ctx::refcount to refcount_t

Reference counters should use refcount_t rather than atomic_t, since the refcount_t implementation can prevent overflows, reducing the exploitability of reference leak bugs. userfaultfd_ctx::refcount is a reference counter with the usual semantics, so convert it to refcount_t. Note: I replaced the BUG() on incrementing a 0 refcount with just refcount_inc(), since part of the semantics of refcount_t is that that incrementing a 0 refcount is not allowed; with CONFIG_REFCOUNT_FULL, refcount_inc() already checks for it and warns. Link: http://lkml.kernel.org/r/20181115003916.63381-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@google.com> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Reviewed-by: Mike Rapoport <rppt@linux.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Eric Biggers <ebiggers@google.com> 2018-12-28 03:34:43 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-12-28 15:11:47 -0500
commit: ca880420665dbc8beec3693bee9f5eccb89de4a6 (patch)
tree: 7255c489175110780706a7eaf04fe8f0f34611b5
parent: 66f71da9dd38af17dc17209cdde7987d4679a699 (diff)
1 files changed, 5 insertions, 6 deletions
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 59dc28047030..e211b99d33c4 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -53,7 +53,7 @@ struct userfaultfd_ctx {
        /* a refile sequence protected by fault_pending_wqh lock */
        struct seqcount refile_seq;
        /* pseudo fd refcounting */
-        atomic_t refcount;
+        refcount_t refcount;
        /* userfaultfd syscall flags */
        unsigned int flags;
        /* features requested from the userspace */
@@ -140,8 +140,7 @@ out:
 */
 static void userfaultfd_ctx_get(struct userfaultfd_ctx *ctx)
 {
-        if (!atomic_inc_not_zero(&ctx->refcount))
+        refcount_inc(&ctx->refcount);
-                BUG();
 }
 /**
@@ -154,7 +153,7 @@ static void userfaultfd_ctx_get(struct userfaultfd_ctx *ctx)
 */
 static void userfaultfd_ctx_put(struct userfaultfd_ctx *ctx)
 {
-        if (atomic_dec_and_test(&ctx->refcount)) {
+        if (refcount_dec_and_test(&ctx->refcount)) {
                VM_BUG_ON(spin_is_locked(&ctx->fault_pending_wqh.lock));
                VM_BUG_ON(waitqueue_active(&ctx->fault_pending_wqh));
                VM_BUG_ON(spin_is_locked(&ctx->fault_wqh.lock));
@@ -686,7 +685,7 @@ int dup_userfaultfd(struct vm_area_struct *vma, struct list_head *fcs)
                        return -ENOMEM;
                }
-                atomic_set(&ctx->refcount, 1);
+                refcount_set(&ctx->refcount, 1);
                ctx->flags = octx->flags;
                ctx->state = UFFD_STATE_RUNNING;
                ctx->features = octx->features;
@@ -1927,7 +1926,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
        if (!ctx)
                return -ENOMEM;
-        atomic_set(&ctx->refcount, 1);
+        refcount_set(&ctx->refcount, 1);
        ctx->flags = flags;
        ctx->features = 0;
        ctx->state = UFFD_STATE_WAIT_API;
author	Eric Biggers <ebiggers@google.com>	2018-12-28 03:34:43 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-12-28 15:11:47 -0500
commit	ca880420665dbc8beec3693bee9f5eccb89de4a6 (patch)
tree	7255c489175110780706a7eaf04fe8f0f34611b5
parent	66f71da9dd38af17dc17209cdde7987d4679a699 (diff)