From patchwork Thu Nov 15 00:36:41 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eric Biggers <ebiggers@kernel.org>
X-Patchwork-Id: 10683389
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5CCD8139B
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 15 Nov 2018 00:39:19 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 47D112BB3B
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 15 Nov 2018 00:39:19 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 3B1F62BB3F; Thu, 15 Nov 2018 00:39:19 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham
	version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C55DB2BB3B
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Thu, 15 Nov 2018 00:39:18 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id A2A2A6B000A; Wed, 14 Nov 2018 19:39:17 -0500 (EST)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 9D73D6B000C; Wed, 14 Nov 2018 19:39:17 -0500 (EST)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 802A06B000D; Wed, 14 Nov 2018 19:39:17 -0500 (EST)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-pl1-f199.google.com (mail-pl1-f199.google.com
 [209.85.214.199])
	by kanga.kvack.org (Postfix) with ESMTP id 3FC876B000A
	for <linux-mm@kvack.org>; Wed, 14 Nov 2018 19:39:17 -0500 (EST)
Received: by mail-pl1-f199.google.com with SMTP id k14-v6so13248848pls.21
        for <linux-mm@kvack.org>; Wed, 14 Nov 2018 16:39:17 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:dkim-signature:from:to:cc:subject:date
         :message-id:mime-version:content-transfer-encoding;
        bh=3GudkUieL/IZCQaeJvFP0ZDhbXpbCWopmfP5oVi2K3g=;
        b=QO3F4YB7dFPugMNx9FQ3VnHFS23VGC0i66rFVq0ISRy9pK/XQjx+cDCsuJ7Av9hUFN
         2QiUQUwUg9yvcZltEaLvQ9jsToKw6x0YPXAXWISKj+U8r2vqm0sbR8maryUkeMloDz36
         nvzveSu2Xs9HV0ryMMAlGiBmF+p69l/k19bIxST/x3P2GxeARyT0LiDpoYJNY7fTtqw0
         4vuBgqBNX6s1iDvB0nJ4zAykvHZn6wmaJaDl+f6LpoIB7o/YlwXesh3IQoijuEAVyfw/
         lrjXOPxw66s+pzxQBIgZb19AxDFrebzrxluMk9wsLPMpLxe1E+JqpfVA4poIySMT56wv
         aG5Q==
X-Gm-Message-State: AGRZ1gI0fYiAOKs0prMj5us79ziF2b7ZbHffas1t6HazP1p3CQTAjczd
	c0bBAfDBPdIz9HX3F1/C5MVfxSl00dbJ0ZYl9A+JUeNqnvV4LRuXZPqouVlciOoPaykS/LXb6Jk
	PiBL4Eu5o4i+FVxRi92w7em9g797v53yfFd3wk8OKjj6wdt3bicQZMxoSn77BoT8UQg==
X-Received: by 2002:a63:e156:: with SMTP id h22mr3818760pgk.255.1542242356782;
        Wed, 14 Nov 2018 16:39:16 -0800 (PST)
X-Google-Smtp-Source: 
 AJdET5dqR5it1Tgo6m8qVX9gEIMUKMNUEPTR/ePTJc3ySGJjFUQN1pju15ciFiDNt3kdGydotiHw
X-Received: by 2002:a63:e156:: with SMTP id h22mr3818735pgk.255.1542242355994;
        Wed, 14 Nov 2018 16:39:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1542242355; cv=none;
        d=google.com; s=arc-20160816;
        b=HBKGNS6lSq2YaN28xacbBzwum9Y4lshAkFlNMBuzpkGi760F92EafTe5e6yOYllWyQ
         mzT6plPjCjpwZtqGBI8EgIKPa/7rlalC0V2FLVoXIdq1wBJFuax3dB58CeqDzgij1EN2
         Ufahit+izPlz607Y8ICEwBUZYeVQe5vapWjMQNJC3xqIrr8JkXYBy5NUdy6aX4CgLMBs
         sSMbF8i/ELhE2Ahx382RgxBlrEOuk7IswiKny0593qrCug7wyN25mlj0EfO1Wiaf/ZIy
         E5/tkTZdytjRjSPxDHM3FQMBeN0DmU8NwgZDBNUArmEv+xlMtPXPIiWTmRwBv6ZgWkEm
         x7Og==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:dkim-signature;
        bh=3GudkUieL/IZCQaeJvFP0ZDhbXpbCWopmfP5oVi2K3g=;
        b=j6PzBd/8pq+MVHqzlLO7tSv+AYNkEtC3ATJPIMV1ReV5hM5KU80P3KokDxuTvVVP1C
         XTxKtyzmcYu19GjCuw8L0R5drQ5CEK4EDH70T21N6kKm2TdJgh1V6bgLZEubn63XJuY8
         WwladcG2KKQSSGyEe/u/fA84raSZFhqBKQLYQ/6PR1eQTChiDvXtGBOq1frFJE0ywkCJ
         uz4wNhC2v1yq7LDGL5c62UirK9ajnY0xdaGqSIGFVzBdJLOICpwyBgfCObUY+z1Jkjtk
         dWpohM7PsP/3lWNrvWCxKjXQ0HU8+vpk7zGWVhwja6i5xrzqolUYpzd3ZAjWmiUgMYMa
         t5gA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=sAnSL5qR;
       spf=pass (google.com: domain of ebiggers@kernel.org designates
 198.145.29.99 as permitted sender) smtp.mailfrom=ebiggers@kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99])
        by mx.google.com with ESMTPS id
 r26-v6si25654608pgb.372.2018.11.14.16.39.15
        for <linux-mm@kvack.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 14 Nov 2018 16:39:15 -0800 (PST)
Received-SPF: pass (google.com: domain of ebiggers@kernel.org designates
 198.145.29.99 as permitted sender) client-ip=198.145.29.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=sAnSL5qR;
       spf=pass (google.com: domain of ebiggers@kernel.org designates
 198.145.29.99 as permitted sender) smtp.mailfrom=ebiggers@kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from ebiggers.mtv.corp.google.com (unknown [104.132.1.85])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPSA id 7ACAF2080D;
	Thu, 15 Nov 2018 00:39:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=default; t=1542242355;
	bh=0MKDlrXw5jQ3zo77QBVDQY8pkmh9w2KwKHWT542yzr4=;
	h=From:To:Cc:Subject:Date:From;
	b=sAnSL5qRJEo8fuVo+PcZItbQIknGEwZ/DtSmYfVr209BgILblpG0Z1F0St/JyGpfg
	 52OqKS5J2xc+X236XFuIer9mqkXMD3G+YkxQoXKunZXyKCjB44KjOwH8FNH6wGXAVB
	 9zqtqoNX4cBWj4KO4As0nQcDsR/6tBvqUJuKX0u8=
From: Eric Biggers <ebiggers@kernel.org>
To: linux-mm@kvack.org,
	Andrew Morton <akpm@linux-foundation.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH] userfaultfd: convert userfaultfd_ctx::refcount to refcount_t
Date: Wed, 14 Nov 2018 16:36:41 -0800
Message-Id: <20181115003641.62828-1-ebiggers@kernel.org>
X-Mailer: git-send-email 2.19.1.930.g4563a0d9d0-goog
MIME-Version: 1.0
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Eric Biggers <ebiggers@google.com>

Reference counters should use refcount_t rather than atomic_t, since the
refcount_t implementation can prevent overflows, reducing the
exploitability of reference leak bugs.  userfaultfd_ctx::refcount is a
reference counter with the usual semantics, so convert it to refcount_t.

Note: I replaced the BUG() on incrementing a 0 refcount with just
refcount_inc(), since already part of the semantics of refcount_t is
that that incrementing a 0 refcount is not allowed; with
CONFIG_REFCOUNT_FULL, refcount_inc() checks for it and warns.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/userfaultfd.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 356d2b8568c14..8375faac2790d 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -53,7 +53,7 @@ struct userfaultfd_ctx {
 	/* a refile sequence protected by fault_pending_wqh lock */
 	struct seqcount refile_seq;
 	/* pseudo fd refcounting */
-	atomic_t refcount;
+	refcount_t refcount;
 	/* userfaultfd syscall flags */
 	unsigned int flags;
 	/* features requested from the userspace */
@@ -140,8 +140,7 @@ static int userfaultfd_wake_function(wait_queue_entry_t *wq, unsigned mode,
  */
 static void userfaultfd_ctx_get(struct userfaultfd_ctx *ctx)
 {
-	if (!atomic_inc_not_zero(&ctx->refcount))
-		BUG();
+	refcount_inc(&ctx->refcount);
 }
 
 /**
@@ -154,7 +153,7 @@ static void userfaultfd_ctx_get(struct userfaultfd_ctx *ctx)
  */
 static void userfaultfd_ctx_put(struct userfaultfd_ctx *ctx)
 {
-	if (atomic_dec_and_test(&ctx->refcount)) {
+	if (refcount_dec_and_test(&ctx->refcount)) {
 		VM_BUG_ON(spin_is_locked(&ctx->fault_pending_wqh.lock));
 		VM_BUG_ON(waitqueue_active(&ctx->fault_pending_wqh));
 		VM_BUG_ON(spin_is_locked(&ctx->fault_wqh.lock));
@@ -686,7 +685,7 @@ int dup_userfaultfd(struct vm_area_struct *vma, struct list_head *fcs)
 			return -ENOMEM;
 		}
 
-		atomic_set(&ctx->refcount, 1);
+		refcount_set(&ctx->refcount, 1);
 		ctx->flags = octx->flags;
 		ctx->state = UFFD_STATE_RUNNING;
 		ctx->features = octx->features;
@@ -1911,7 +1910,7 @@ SYSCALL_DEFINE1(userfaultfd, int, flags)
 	if (!ctx)
 		return -ENOMEM;
 
-	atomic_set(&ctx->refcount, 1);
+	refcount_set(&ctx->refcount, 1);
 	ctx->flags = flags;
 	ctx->features = 0;
 	ctx->state = UFFD_STATE_WAIT_API;