Received: by 10.223.164.221 with SMTP id h29csp4800390wrb;
        Fri, 20 Oct 2017 01:00:30 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+QeMGxdetbtA88vTecdFuXMOZEeJaYxDXQ0Zp15AP0WJdoe/LhNMlHSyru31GyQLGz/c/YR
X-Received: by 10.98.178.22 with SMTP id x22mr4178097pfe.123.1508486430544;
        Fri, 20 Oct 2017 01:00:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1508486430; cv=none;
        d=google.com; s=arc-20160816;
        b=keaa8WUJMs6RMzULHftZn8f1MP7d+27+wA9VSXodGNiDPOf+n8adYCHBZxsdD9JriL
         imt1q408rJqnDWULGhBSskkcm/Xm23jc8fAGp3flFB1F3WtSx4u7l+TbRZpMLyf4eTaf
         /b6Y9B8xRtjLnAsIEmVIwMnanMRYu0hE9LcyzqQUAMsBdp7yeClTHQHAwrTac9WhcXNW
         wMgSGXde35Tp6+KMd+qMWs3xX0ueIy3V3ze3W0r0bl0ZlB5vuIcKmR2COL0hMfsfWo/r
         D+CeZBaH5C6TYpgHJ5OYatUR+8vMHi+Y7Dkoet9JBG/MdRE7UU3Q45V4dHtJlt2GlgUY
         Srig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=AefIASO75kafN+WMUh794jKqFdngYWnaKEi87JPKkEs=;
        b=aDbIZOqYfTy+XnUGKlMRYn7J9ipGPk9oNoZi0yr08Jg+OHydaBBuV+/FivImadqpIo
         H6qk8QTyNfkXFIfb7tKR2J04lrNAG1aumG8c7Y619MHa/y+AJVAS/1s/C7S2iIgNOc4t
         u4jh+4UFkzNogdXhZCgUPXzhWnPlRtgW5VAv9l1CyoUSdgTfnwueT+/dkgfVMSGhPR25
         zkKmJonctTB8Per3KONQhwyNJ3CiYRFpiCdj59bMtEmohES/sPj3R+7W7ClCMe3HbfI6
         xXNRbwP+p4kQwm+4boBjyeAdN51wsi4MMxVZvuY7hhTSEBLNBM8oPej3jyFeGDci7atD
         NrLA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o135si403539pfg.240.2017.10.20.01.00.16;
        Fri, 20 Oct 2017 01:00:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752176AbdJTH6D (ORCPT <rfc822;learnos2017@gmail.com>
        + 99 others); Fri, 20 Oct 2017 03:58:03 -0400
Received: from mga04.intel.com ([192.55.52.120]:27943 "EHLO mga04.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751982AbdJTH6B (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 20 Oct 2017 03:58:01 -0400
Received: from fmsmga001.fm.intel.com ([10.253.24.23])
  by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Oct 2017 00:58:01 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.43,405,1503385200"; 
   d="scan'208";a="1207962418"
Received: from elena-thinkpad-x230.fi.intel.com ([10.237.72.87])
  by fmsmga001.fm.intel.com with ESMTP; 20 Oct 2017 00:57:59 -0700
From:   Elena Reshetova <elena.reshetova@intel.com>
To:     davem@davemloft.net
Cc:     linux-kernel@vger.kernel.org, sparclinux@vger.kernel.org,
        shannon.nelson@oracle.com, jag.raman@oracle.com,
        peterz@infradead.org, keescook@chromium.org,
        Elena Reshetova <elena.reshetova@intel.com>
Subject: [PATCH] sparc64: convert mdesc_handle.refcnt from atomic_t to refcount_t
Date:   Fri, 20 Oct 2017 10:57:57 +0300
Message-Id: <1508486277-24913-1-git-send-email-elena.reshetova@intel.com>
X-Mailer: git-send-email 2.7.4
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)

Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situation and be exploitable.

The variable mdesc_handle.refcnt is used as pure reference counter.
Convert it to refcount_t and fix up the operations.

Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 arch/sparc/kernel/mdesc.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/arch/sparc/kernel/mdesc.c b/arch/sparc/kernel/mdesc.c
index fa466ce..821a724 100644
--- a/arch/sparc/kernel/mdesc.c
+++ b/arch/sparc/kernel/mdesc.c
@@ -12,6 +12,7 @@
 #include <linux/miscdevice.h>
 #include <linux/bootmem.h>
 #include <linux/export.h>
+#include <linux/refcount.h>
 
 #include <asm/cpudata.h>
 #include <asm/hypervisor.h>
@@ -70,7 +71,7 @@ struct mdesc_handle {
 	struct list_head	list;
 	struct mdesc_mem_ops	*mops;
 	void			*self_base;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	unsigned int		handle_size;
 	struct mdesc_hdr	mdesc;
 };
@@ -152,7 +153,7 @@ static void mdesc_handle_init(struct mdesc_handle *hp,
 	memset(hp, 0, handle_size);
 	INIT_LIST_HEAD(&hp->list);
 	hp->self_base = base;
-	atomic_set(&hp->refcnt, 1);
+	refcount_set(&hp->refcnt, 1);
 	hp->handle_size = handle_size;
 }
 
@@ -182,7 +183,7 @@ static void __init mdesc_memblock_free(struct mdesc_handle *hp)
 	unsigned int alloc_size;
 	unsigned long start;
 
-	BUG_ON(atomic_read(&hp->refcnt) != 0);
+	BUG_ON(refcount_read(&hp->refcnt) != 0);
 	BUG_ON(!list_empty(&hp->list));
 
 	alloc_size = PAGE_ALIGN(hp->handle_size);
@@ -220,7 +221,7 @@ static struct mdesc_handle *mdesc_kmalloc(unsigned int mdesc_size)
 
 static void mdesc_kfree(struct mdesc_handle *hp)
 {
-	BUG_ON(atomic_read(&hp->refcnt) != 0);
+	BUG_ON(refcount_read(&hp->refcnt) != 0);
 	BUG_ON(!list_empty(&hp->list));
 
 	kfree(hp->self_base);
@@ -259,7 +260,7 @@ struct mdesc_handle *mdesc_grab(void)
 	spin_lock_irqsave(&mdesc_lock, flags);
 	hp = cur_mdesc;
 	if (hp)
-		atomic_inc(&hp->refcnt);
+		refcount_inc(&hp->refcnt);
 	spin_unlock_irqrestore(&mdesc_lock, flags);
 
 	return hp;
@@ -271,7 +272,7 @@ void mdesc_release(struct mdesc_handle *hp)
 	unsigned long flags;
 
 	spin_lock_irqsave(&mdesc_lock, flags);
-	if (atomic_dec_and_test(&hp->refcnt)) {
+	if (refcount_dec_and_test(&hp->refcnt)) {
 		list_del_init(&hp->list);
 		hp->mops->free(hp);
 	}
@@ -513,7 +514,7 @@ void mdesc_update(void)
 	if (status != HV_EOK || real_len > len) {
 		printk(KERN_ERR "MD: mdesc reread fails with %lu\n",
 		       status);
-		atomic_dec(&hp->refcnt);
+		refcount_dec(&hp->refcnt);
 		mdesc_free(hp);
 		goto out;
 	}
@@ -526,7 +527,7 @@ void mdesc_update(void)
 	mdesc_notify_clients(orig_hp, hp);
 
 	spin_lock_irqsave(&mdesc_lock, flags);
-	if (atomic_dec_and_test(&orig_hp->refcnt))
+	if (refcount_dec_and_test(&orig_hp->refcnt))
 		mdesc_free(orig_hp);
 	else
 		list_add(&orig_hp->list, &mdesc_zombie_list);
-- 
2.7.4


From 1584129791457385699@xxx Wed Nov 15 11:04:55 +0000 2017
X-GM-THRID: 1584129791457385699
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread