[PATCH 11/15] kernel: convert group_info.usage from atomic_t to refcount_t

[PATCH 00/15] v3 kernel core pieces refcount conversions · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 03/15] kernel: convert user_struct.__count from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 04/15] kernel: convert task_struct.usage from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 09/15] kernel: convert uprobe.ref from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 01/15] kernel: convert sighand_struct.count from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 02/15] kernel: convert signal_struct.sigcnt from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 05/15] kernel: convert task_struct.stack_refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 06/15] kernel: convert perf_event_context.refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 07/15] kernel: convert ring_buffer.refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 08/15] kernel: convert ring_buffer.aux_refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 10/15] kernel: convert nsproxy.count from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 11/15] kernel: convert group_info.usage from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 12/15] kernel: convert cred.usage from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 13/15] sched: convert numa_group.refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
[PATCH 14/15] kernel: convert futex_pi_state.refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17
Re: [PATCH 14/15] kernel: convert futex_pi_state.refcount from atomic_t to refcount_t · Thomas Gleixner <hidden> · 2017-07-17
RE: [PATCH 14/15] kernel: convert futex_pi_state.refcount from atomic_t to refcount_t · "Reshetova, Elena" <elena.reshetova@intel.com> · 2017-07-17
RE: [PATCH 14/15] kernel: convert futex_pi_state.refcount from atomic_t to refcount_t · Thomas Gleixner <hidden> · 2017-07-17
RE: [PATCH 14/15] kernel: convert futex_pi_state.refcount from atomic_t to refcount_t · "Reshetova, Elena" <elena.reshetova@intel.com> · 2017-07-18
[PATCH 15/15] kernel: convert kcov.refcount from atomic_t to refcount_t · Elena Reshetova <elena.reshetova@intel.com> · 2017-07-17

STALE3241d REVIEWED: 2 (0M)

From: Elena Reshetova <elena.reshetova@intel.com>
Date: 2017-07-17 10:46:32
Also in: linux-fsdevel, lkml
Subsystem: credentials, the rest · Maintainers: Paul Moore, Linus Torvalds

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Suggested-by: Kees Cook <redacted>
Reviewed-by: David Windsor <redacted>
Reviewed-by: Hans Liljestrand <redacted>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 include/linux/cred.h | 7 ++++---
 kernel/cred.c        | 2 +-
 kernel/groups.c      | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/linux/cred.h b/include/linux/cred.h
index 099058e..00948dd 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h

@@ -17,6 +17,7 @@
 #include <linux/key.h>
 #include <linux/selinux.h>
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/uidgid.h>
 #include <linux/sched.h>
 #include <linux/sched/user.h>

@@ -28,7 +29,7 @@ struct inode;
  * COW Supplementary groups list
  */
 struct group_info {
-	atomic_t	usage;
+	refcount_t	usage;
 	int		ngroups;
 	kgid_t		gid[0];
 } __randomize_layout;

@@ -44,7 +45,7 @@ struct group_info {
  */
 static inline struct group_info *get_group_info(struct group_info *gi)
 {
-	atomic_inc(&gi->usage);
+	refcount_inc(&gi->usage);
 	return gi;
 }

@@ -54,7 +55,7 @@ static inline struct group_info *get_group_info(struct group_info *gi)
  */
 #define put_group_info(group_info)			\
 do {							\
-	if (atomic_dec_and_test(&(group_info)->usage))	\
+	if (refcount_dec_and_test(&(group_info)->usage))	\
 		groups_free(group_info);		\
 } while (0)

diff --git a/kernel/cred.c b/kernel/cred.c
index ecf0365..8122d7c 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c

@@ -36,7 +36,7 @@ do {									\
 static struct kmem_cache *cred_jar;
 
 /* init to 2 - one for init_task, one to ensure it is never freed */
-struct group_info init_groups = { .usage = ATOMIC_INIT(2) };
+struct group_info init_groups = { .usage = REFCOUNT_INIT(2) };
 
 /*
  * The initial credentials for the initial task

diff --git a/kernel/groups.c b/kernel/groups.c
index 434f666..5fc6e21 100644
--- a/kernel/groups.c
+++ b/kernel/groups.c

@@ -23,7 +23,7 @@ struct group_info *groups_alloc(int gidsetsize)
 	if (!gi)
 		return NULL;
 
-	atomic_set(&gi->usage, 1);
+	refcount_set(&gi->usage, 1);
 	gi->ngroups = gidsetsize;
 	return gi;
 }

-- 
2.7.4

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help