From patchwork Wed Nov 29 11:22:20 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Reshetova, Elena" X-Patchwork-Id: 10081949 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id E10116020B for ; Wed, 29 Nov 2017 11:27:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id D5AF0295E5 for ; Wed, 29 Nov 2017 11:27:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CAACF2960A; Wed, 29 Nov 2017 11:27:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 27AD3295E5 for ; Wed, 29 Nov 2017 11:27:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752932AbdK2L0a (ORCPT ); Wed, 29 Nov 2017 06:26:30 -0500 Received: from mga04.intel.com ([192.55.52.120]:14980 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751496AbdK2L03 (ORCPT ); Wed, 29 Nov 2017 06:26:29 -0500 Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Nov 2017 03:26:28 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.44,472,1505804400"; d="scan'208";a="1249853751" Received: from elena-thinkpad-x230.fi.intel.com ([10.237.72.87]) by fmsmga002.fm.intel.com with ESMTP; 29 Nov 2017 03:26:26 -0800 From: Elena Reshetova To: viro@zeniv.linux.org.uk Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, tytso@mit.edu, peterz@infradead.org, keescook@chromium.org, Elena Reshetova Subject: [PATCH] mbcache: convert mb_cache_entry.e_refcnt from atomic_t to refcount_t Date: Wed, 29 Nov 2017 13:22:20 +0200 Message-Id: <1511954540-16504-1-git-send-email-elena.reshetova@intel.com> X-Mailer: git-send-email 2.7.4 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable mb_cache_entry.e_refcnt is used as pure reference counter. Convert it to refcount_t and fix up the operations. **Important note for maintainers: Some functions from refcount_t API defined in lib/refcount.c have different memory ordering guarantees than their atomic counterparts. The full comparison can be seen in https://lkml.org/lkml/2017/11/15/57 and it is hopefully soon in state to be merged to the documentation tree. Normally the differences should not matter since refcount_t provides enough guarantees to satisfy the refcounting use cases, but in some rare cases it might matter. Please double check that you don't have some undocumented memory guarantees for this variable usage. For the mb_cache_entry.e_refcnt it might make a difference in following places: - mb_cache_destroy(), mb_cache_shrink() and mb_cache_entry_delete(): decrement in refcount_dec() provides RELEASE ordering vs. fully unordered atomic counterpart. Since the change is for better, it should not matter for these cases. - mb_cache_entry_put(): decrement in refcount_dec_and_test() only provides RELEASE ordering and control dependency on success vs. fully ordered atomic counterpart Suggested-by: Kees Cook Reviewed-by: David Windsor Reviewed-by: Hans Liljestrand Signed-off-by: Elena Reshetova Reviewed-by: Jan Kara --- fs/mbcache.c | 16 ++++++++-------- include/linux/mbcache.h | 6 +++--- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/fs/mbcache.c b/fs/mbcache.c index d818fd2..8bdb52b 100644 --- a/fs/mbcache.c +++ b/fs/mbcache.c @@ -90,7 +90,7 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, INIT_LIST_HEAD(&entry->e_list); /* One ref for hash, one ref returned */ - atomic_set(&entry->e_refcnt, 1); + refcount_set(&entry->e_refcnt, 1); entry->e_key = key; entry->e_value = value; entry->e_reusable = reusable; @@ -109,7 +109,7 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key, spin_lock(&cache->c_list_lock); list_add_tail(&entry->e_list, &cache->c_list); /* Grab ref for LRU list */ - atomic_inc(&entry->e_refcnt); + refcount_inc(&entry->e_refcnt); cache->c_entry_count++; spin_unlock(&cache->c_list_lock); @@ -141,7 +141,7 @@ static struct mb_cache_entry *__entry_find(struct mb_cache *cache, entry = hlist_bl_entry(node, struct mb_cache_entry, e_hash_list); if (entry->e_key == key && entry->e_reusable) { - atomic_inc(&entry->e_refcnt); + refcount_inc(&entry->e_refcnt); goto out; } node = node->next; @@ -204,7 +204,7 @@ struct mb_cache_entry *mb_cache_entry_get(struct mb_cache *cache, u32 key, hlist_bl_lock(head); hlist_bl_for_each_entry(entry, node, head, e_hash_list) { if (entry->e_key == key && entry->e_value == value) { - atomic_inc(&entry->e_refcnt); + refcount_inc(&entry->e_refcnt); goto out; } } @@ -239,7 +239,7 @@ void mb_cache_entry_delete(struct mb_cache *cache, u32 key, u64 value) if (!list_empty(&entry->e_list)) { list_del_init(&entry->e_list); cache->c_entry_count--; - atomic_dec(&entry->e_refcnt); + refcount_dec(&entry->e_refcnt); } spin_unlock(&cache->c_list_lock); mb_cache_entry_put(cache, entry); @@ -300,7 +300,7 @@ static unsigned long mb_cache_shrink(struct mb_cache *cache, hlist_bl_lock(head); if (!hlist_bl_unhashed(&entry->e_hash_list)) { hlist_bl_del_init(&entry->e_hash_list); - atomic_dec(&entry->e_refcnt); + refcount_dec(&entry->e_refcnt); } hlist_bl_unlock(head); if (mb_cache_entry_put(cache, entry)) @@ -397,11 +397,11 @@ void mb_cache_destroy(struct mb_cache *cache) list_for_each_entry_safe(entry, next, &cache->c_list, e_list) { if (!hlist_bl_unhashed(&entry->e_hash_list)) { hlist_bl_del_init(&entry->e_hash_list); - atomic_dec(&entry->e_refcnt); + refcount_dec(&entry->e_refcnt); } else WARN_ON(1); list_del(&entry->e_list); - WARN_ON(atomic_read(&entry->e_refcnt) != 1); + WARN_ON(refcount_read(&entry->e_refcnt) != 1); mb_cache_entry_put(cache, entry); } kfree(cache->c_hash); diff --git a/include/linux/mbcache.h b/include/linux/mbcache.h index 20f1e3f..0bf2af6 100644 --- a/include/linux/mbcache.h +++ b/include/linux/mbcache.h @@ -5,7 +5,7 @@ #include #include #include -#include +#include #include struct mb_cache; @@ -15,7 +15,7 @@ struct mb_cache_entry { struct list_head e_list; /* Hash table list - protected by hash chain bitlock */ struct hlist_bl_node e_hash_list; - atomic_t e_refcnt; + refcount_t e_refcnt; /* Key in hash - stable during lifetime of the entry */ u32 e_key; u32 e_referenced:1; @@ -33,7 +33,7 @@ void __mb_cache_entry_free(struct mb_cache_entry *entry); static inline int mb_cache_entry_put(struct mb_cache *cache, struct mb_cache_entry *entry) { - if (!atomic_dec_and_test(&entry->e_refcnt)) + if (!refcount_dec_and_test(&entry->e_refcnt)) return 0; __mb_cache_entry_free(entry); return 1;