From: ebiederm@xmission.com (Eric W. Biederman)
To: Elena Reshetova
Cc: linux-kernel@vger.kernel.org, peterz@infradead.org, gregkh@linuxfoundation.org, akpm@linux-foundation.org, mingo@redhat.com, adobriyan@gmail.com, serge@hallyn.com, arozansk@redhat.com, dave@stgolabs.net, keescook@chromium.org, Hans Liljestrand, David Windsor
Subject: Re: [PATCH 1/3] ipc: convert ipc_namespace.count from atomic_t to refcount_t
Date: Sun, 09 Jul 2017 16:59:55 -0500
Message-ID: <87bmottgo4.fsf@xmission.com>
In-Reply-To: <1499417992-3238-2-git-send-email-elena.reshetova@intel.com> (Elena Reshetova's message of "Fri, 7 Jul 2017 11:59:50 +0300")
References: <1499417992-3238-1-git-send-email-elena.reshetova@intel.com> <1499417992-3238-2-git-send-email-elena.reshetova@intel.com>

Elena Reshetova writes:

> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.

In this patch you can see all of the uses of the count.
What accidental refcount overflows are possible?

Eric

> Signed-off-by: Elena Reshetova
> Signed-off-by: Hans Liljestrand
> Signed-off-by: Kees Cook
> Signed-off-by: David Windsor
> ---
>  include/linux/ipc_namespace.h | 5 +++--
>  ipc/msgutil.c                 | 2 +-
>  ipc/namespace.c               | 4 ++--
>  3 files changed, 6 insertions(+), 5 deletions(-)
> > diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h > index 65327ee..e81445c 100644 > --- a/include/linux/ipc_namespace.h > +++ b/include/linux/ipc_namespace.h > @@ -7,6 +7,7 @@ > #include > #include > #include > +#include > > struct user_namespace; > > @@ -19,7 +20,7 @@ struct ipc_ids { > }; > > struct ipc_namespace { > - atomic_t count; > + refcount_t count; > struct ipc_ids ids[3]; > > int sem_ctls[4]; > @@ -118,7 +119,7 @@ extern struct ipc_namespace *copy_ipcs(unsigned long flags, > static inline struct ipc_namespace *get_ipc_ns(struct ipc_namespace *ns) > { > if (ns) > - atomic_inc(&ns->count); > + refcount_inc(&ns->count); > return ns; > } > > diff --git a/ipc/msgutil.c b/ipc/msgutil.c > index bf74eaa..8459802 100644 > --- a/ipc/msgutil.c > +++ b/ipc/msgutil.c > @@ -29,7 +29,7 @@ DEFINE_SPINLOCK(mq_lock); > * and not CONFIG_IPC_NS. > */ > struct ipc_namespace init_ipc_ns = { > - .count = ATOMIC_INIT(1), > + .count = REFCOUNT_INIT(1), > .user_ns = &init_user_ns, > .ns.inum = PROC_IPC_INIT_INO, > #ifdef CONFIG_IPC_NS > diff --git a/ipc/namespace.c b/ipc/namespace.c > index b4d80f9..7af6e6b 100644 > --- a/ipc/namespace.c > +++ b/ipc/namespace.c > @@ -50,7 +50,7 @@ static struct ipc_namespace *create_ipc_ns(struct user_namespace *user_ns, > goto fail_free; > ns->ns.ops = &ipcns_operations; > > - atomic_set(&ns->count, 1); > + refcount_set(&ns->count, 1); > ns->user_ns = get_user_ns(user_ns); > ns->ucounts = ucounts; > > @@ -144,7 +144,7 @@ static void free_ipc_ns(struct ipc_namespace *ns) > */ > void put_ipc_ns(struct ipc_namespace *ns) > { > - if (atomic_dec_and_lock(&ns->count, &mq_lock)) { > + if (refcount_dec_and_lock(&ns->count, &mq_lock)) { > mq_clear_sbinfo(ns); > spin_unlock(&mq_lock); > mq_put_mnt(ns);
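
Review bot: in the get_ipc_ns() hunk of include/linux/ipc_namespace.h, nothing in the changelog says what refcount_inc(&ns->count) is expected to catch at this call site. Unlike atomic_inc(), refcount_inc() warns when the counter is 0 and saturates instead of wrapping, so the changelog should state that every caller already holds a reference and name the path, if any, that could drive the count toward overflow. If no such path exists, say that the conversion is for hardening and consistency only.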
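
Review bot: in the put_ipc_ns() hunk of ipc/namespace.c, the changelog does not mention that with refcount_dec_and_lock(&ns->count, &mq_lock) a counter that has saturated never reaches the final put, so the namespace is leaked rather than freed. That trade-off (a leak in place of a use-after-free) is the behavioural change this conversion introduces and deserves a sentence in the changelog, together with confirmation that mq_clear_sbinfo() still runs under mq_lock only on the last reference drop.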