All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 00/23] various networking refcount conversions, part 2
@ 2017-03-17 12:10 ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova

This series, for the rest of network subsystem components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can led to use-after-free vulnerabilities.

The patches are fully independent and can be cherry-picked separately.
Since we convert all kernel subsystems in the same fashion, resulting
in about 300 patches, we have to group them for sending at least in some
fashion to be manageable. Please excuse the long cc list.

If there are no objections to the patches, please merge them via respective trees.

Elena Reshetova (23):
  net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  net, sunrpc: convert gss_cl_ctx.count from atomic_t to refcount_t
  net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
  net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
  net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
  net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
  net, rds: convert rds_ib_device.refcount from atomic_t to refcount_t
  net, rds: convert rds_incoming.i_refcount from atomic_t to refcount_t
  net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
  net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
  net, x25: convert x25_route.refcnt from atomic_t to refcount_t
  net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
  net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
  net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t

 fs/ceph/mds_client.c            |  2 +-
 include/linux/ceph/libceph.h    |  3 ++-
 include/linux/ceph/osd_client.h |  3 ++-
 include/linux/ceph/pagelist.h   |  6 +++---
 include/linux/sunrpc/auth.h     |  8 ++++----
 include/linux/sunrpc/auth_gss.h |  3 ++-
 include/net/ax25.h              | 20 ++++++++++----------
 include/net/sctp/auth.h         |  5 +++--
 include/net/sctp/structs.h      |  8 ++++----
 include/net/x25.h               | 13 +++++++------
 include/net/xfrm.h              | 21 +++++++++++----------
 net/ax25/af_ax25.c              |  2 +-
 net/ax25/ax25_route.c           |  2 +-
 net/ax25/ax25_uid.c             |  2 +-
 net/ceph/osd_client.c           | 16 ++++++++--------
 net/ceph/pagelist.c             |  2 +-
 net/ceph/snapshot.c             |  6 +++---
 net/key/af_key.c                |  2 +-
 net/rds/ib.c                    | 12 ++++++------
 net/rds/ib.h                    |  2 +-
 net/rds/ib_rdma.c               |  4 ++--
 net/rds/message.c               | 12 ++++++------
 net/rds/rdma.c                  | 10 +++++-----
 net/rds/rds.h                   |  9 +++++----
 net/rds/recv.c                  | 12 ++++++------
 net/sctp/associola.c            |  6 +++---
 net/sctp/auth.c                 |  4 ++--
 net/sctp/chunk.c                |  6 +++---
 net/sctp/endpointola.c          |  6 +++---
 net/sctp/sm_make_chunk.c        |  6 +++---
 net/sctp/transport.c            |  8 ++++----
 net/sunrpc/auth.c               | 12 ++++++------
 net/sunrpc/auth_gss/auth_gss.c  | 28 ++++++++++++++--------------
 net/x25/x25_link.c              |  2 +-
 net/x25/x25_route.c             |  2 +-
 net/xfrm/xfrm_input.c           |  4 ++--
 net/xfrm/xfrm_policy.c          |  4 ++--
 net/xfrm/xfrm_state.c           |  4 ++--
 38 files changed, 142 insertions(+), 135 deletions(-)

-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 80+ messages in thread

* [PATCH 00/23] various networking refcount conversions, part 2
@ 2017-03-17 12:10 ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova

This series, for the rest of network subsystem components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can led to use-after-free vulnerabilities.

The patches are fully independent and can be cherry-picked separately.
Since we convert all kernel subsystems in the same fashion, resulting
in about 300 patches, we have to group them for sending at least in some
fashion to be manageable. Please excuse the long cc list.

If there are no objections to the patches, please merge them via respective trees.

Elena Reshetova (23):
  net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  net, sunrpc: convert gss_cl_ctx.count from atomic_t to refcount_t
  net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
  net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
  net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
  net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
  net, rds: convert rds_ib_device.refcount from atomic_t to refcount_t
  net, rds: convert rds_incoming.i_refcount from atomic_t to refcount_t
  net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
  net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
  net, x25: convert x25_route.refcnt from atomic_t to refcount_t
  net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
  net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
  net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t

 fs/ceph/mds_client.c            |  2 +-
 include/linux/ceph/libceph.h    |  3 ++-
 include/linux/ceph/osd_client.h |  3 ++-
 include/linux/ceph/pagelist.h   |  6 +++---
 include/linux/sunrpc/auth.h     |  8 ++++----
 include/linux/sunrpc/auth_gss.h |  3 ++-
 include/net/ax25.h              | 20 ++++++++++----------
 include/net/sctp/auth.h         |  5 +++--
 include/net/sctp/structs.h      |  8 ++++----
 include/net/x25.h               | 13 +++++++------
 include/net/xfrm.h              | 21 +++++++++++----------
 net/ax25/af_ax25.c              |  2 +-
 net/ax25/ax25_route.c           |  2 +-
 net/ax25/ax25_uid.c             |  2 +-
 net/ceph/osd_client.c           | 16 ++++++++--------
 net/ceph/pagelist.c             |  2 +-
 net/ceph/snapshot.c             |  6 +++---
 net/key/af_key.c                |  2 +-
 net/rds/ib.c                    | 12 ++++++------
 net/rds/ib.h                    |  2 +-
 net/rds/ib_rdma.c               |  4 ++--
 net/rds/message.c               | 12 ++++++------
 net/rds/rdma.c                  | 10 +++++-----
 net/rds/rds.h                   |  9 +++++----
 net/rds/recv.c                  | 12 ++++++------
 net/sctp/associola.c            |  6 +++---
 net/sctp/auth.c                 |  4 ++--
 net/sctp/chunk.c                |  6 +++---
 net/sctp/endpointola.c          |  6 +++---
 net/sctp/sm_make_chunk.c        |  6 +++---
 net/sctp/transport.c            |  8 ++++----
 net/sunrpc/auth.c               | 12 ++++++------
 net/sunrpc/auth_gss/auth_gss.c  | 28 ++++++++++++++--------------
 net/x25/x25_link.c              |  2 +-
 net/x25/x25_route.c             |  2 +-
 net/xfrm/xfrm_input.c           |  4 ++--
 net/xfrm/xfrm_policy.c          |  4 ++--
 net/xfrm/xfrm_state.c           |  4 ++--
 38 files changed, 142 insertions(+), 135 deletions(-)

-- 
2.7.4

^ permalink raw reply	[flat|nested] 80+ messages in thread

* [PATCH 00/23] various networking refcount conversions, part 2
@ 2017-03-17 12:10 ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova

This series, for the rest of network subsystem components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can led to use-after-free vulnerabilities.

The patches are fully independent and can be cherry-picked separately.
Since we convert all kernel subsystems in the same fashion, resulting
in about 300 patches, we have to group them for sending at least in some
fashion to be manageable. Please excuse the long cc list.

If there are no objections to the patches, please merge them via respective trees.

Elena Reshetova (23):
  net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  net, sunrpc: convert gss_cl_ctx.count from atomic_t to refcount_t
  net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
  net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
  net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
  net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
  net, rds: convert rds_ib_device.refcount from atomic_t to refcount_t
  net, rds: convert rds_incoming.i_refcount from atomic_t to refcount_t
  net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
  net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
  net, x25: convert x25_route.refcnt from atomic_t to refcount_t
  net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
  net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
  net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
  net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
  net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
  net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t

 fs/ceph/mds_client.c            |  2 +-
 include/linux/ceph/libceph.h    |  3 ++-
 include/linux/ceph/osd_client.h |  3 ++-
 include/linux/ceph/pagelist.h   |  6 +++---
 include/linux/sunrpc/auth.h     |  8 ++++----
 include/linux/sunrpc/auth_gss.h |  3 ++-
 include/net/ax25.h              | 20 ++++++++++----------
 include/net/sctp/auth.h         |  5 +++--
 include/net/sctp/structs.h      |  8 ++++----
 include/net/x25.h               | 13 +++++++------
 include/net/xfrm.h              | 21 +++++++++++----------
 net/ax25/af_ax25.c              |  2 +-
 net/ax25/ax25_route.c           |  2 +-
 net/ax25/ax25_uid.c             |  2 +-
 net/ceph/osd_client.c           | 16 ++++++++--------
 net/ceph/pagelist.c             |  2 +-
 net/ceph/snapshot.c             |  6 +++---
 net/key/af_key.c                |  2 +-
 net/rds/ib.c                    | 12 ++++++------
 net/rds/ib.h                    |  2 +-
 net/rds/ib_rdma.c               |  4 ++--
 net/rds/message.c               | 12 ++++++------
 net/rds/rdma.c                  | 10 +++++-----
 net/rds/rds.h                   |  9 +++++----
 net/rds/recv.c                  | 12 ++++++------
 net/sctp/associola.c            |  6 +++---
 net/sctp/auth.c                 |  4 ++--
 net/sctp/chunk.c                |  6 +++---
 net/sctp/endpointola.c          |  6 +++---
 net/sctp/sm_make_chunk.c        |  6 +++---
 net/sctp/transport.c            |  8 ++++----
 net/sunrpc/auth.c               | 12 ++++++------
 net/sunrpc/auth_gss/auth_gss.c  | 28 ++++++++++++++--------------
 net/x25/x25_link.c              |  2 +-
 net/x25/x25_route.c             |  2 +-
 net/xfrm/xfrm_input.c           |  4 ++--
 net/xfrm/xfrm_policy.c          |  4 ++--
 net/xfrm/xfrm_state.c           |  4 ++--
 38 files changed, 142 insertions(+), 135 deletions(-)

-- 
2.7.4


^ permalink raw reply	[flat|nested] 80+ messages in thread

* [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/sunrpc/auth.h |  8 ++++----
 net/sunrpc/auth.c           | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/include/linux/sunrpc/auth.h b/include/linux/sunrpc/auth.h
index b1bc62b..bd36e0b 100644
--- a/include/linux/sunrpc/auth.h
+++ b/include/linux/sunrpc/auth.h
@@ -15,7 +15,7 @@
 #include <linux/sunrpc/msg_prot.h>
 #include <linux/sunrpc/xdr.h>
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/rcupdate.h>
 #include <linux/uidgid.h>
 #include <linux/utsname.h>
@@ -68,7 +68,7 @@ struct rpc_cred {
 #endif
 	unsigned long		cr_expire;	/* when to gc */
 	unsigned long		cr_flags;	/* various flags */
-	atomic_t		cr_count;	/* ref count */
+	refcount_t		cr_count;	/* ref count */
 
 	kuid_t			cr_uid;
 
@@ -209,7 +209,7 @@ static inline
 struct rpc_cred *	get_rpccred(struct rpc_cred *cred)
 {
 	if (cred != NULL)
-		atomic_inc(&cred->cr_count);
+		refcount_inc(&cred->cr_count);
 	return cred;
 }
 
@@ -226,7 +226,7 @@ struct rpc_cred *	get_rpccred(struct rpc_cred *cred)
 static inline struct rpc_cred *
 get_rpccred_rcu(struct rpc_cred *cred)
 {
-	if (atomic_inc_not_zero(&cred->cr_count))
+	if (refcount_inc_not_zero(&cred->cr_count))
 		return cred;
 	return NULL;
 }
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 2bff63a..b6439b9 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -310,7 +310,7 @@ rpcauth_unhash_cred(struct rpc_cred *cred)
 
 	cache_lock = &cred->cr_auth->au_credcache->lock;
 	spin_lock(cache_lock);
-	ret = atomic_read(&cred->cr_count) == 0;
+	ret = refcount_read(&cred->cr_count) == 0;
 	if (ret)
 		rpcauth_unhash_cred_locked(cred);
 	spin_unlock(cache_lock);
@@ -470,12 +470,12 @@ rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
 		list_del_init(&cred->cr_lru);
 		number_cred_unused--;
 		freed++;
-		if (atomic_read(&cred->cr_count) != 0)
+		if (refcount_read(&cred->cr_count) != 0)
 			continue;
 
 		cache_lock = &cred->cr_auth->au_credcache->lock;
 		spin_lock(cache_lock);
-		if (atomic_read(&cred->cr_count) == 0) {
+		if (refcount_read(&cred->cr_count) == 0) {
 			get_rpccred(cred);
 			list_add_tail(&cred->cr_lru, free);
 			rpcauth_unhash_cred_locked(cred);
@@ -642,7 +642,7 @@ rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred,
 {
 	INIT_HLIST_NODE(&cred->cr_hash);
 	INIT_LIST_HEAD(&cred->cr_lru);
-	atomic_set(&cred->cr_count, 1);
+	refcount_set(&cred->cr_count, 1);
 	cred->cr_auth = auth;
 	cred->cr_ops = ops;
 	cred->cr_expire = jiffies;
@@ -715,12 +715,12 @@ put_rpccred(struct rpc_cred *cred)
 		return;
 	/* Fast path for unhashed credentials */
 	if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) == 0) {
-		if (atomic_dec_and_test(&cred->cr_count))
+		if (refcount_dec_and_test(&cred->cr_count))
 			cred->cr_ops->crdestroy(cred);
 		return;
 	}
 
-	if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
+	if (!refcount_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
 		return;
 	if (!list_empty(&cred->cr_lru)) {
 		number_cred_unused--;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/sunrpc/auth.h |  8 ++++----
 net/sunrpc/auth.c           | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/include/linux/sunrpc/auth.h b/include/linux/sunrpc/auth.h
index b1bc62b..bd36e0b 100644
--- a/include/linux/sunrpc/auth.h
+++ b/include/linux/sunrpc/auth.h
@@ -15,7 +15,7 @@
 #include <linux/sunrpc/msg_prot.h>
 #include <linux/sunrpc/xdr.h>
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/rcupdate.h>
 #include <linux/uidgid.h>
 #include <linux/utsname.h>
@@ -68,7 +68,7 @@ struct rpc_cred {
 #endif
 	unsigned long		cr_expire;	/* when to gc */
 	unsigned long		cr_flags;	/* various flags */
-	atomic_t		cr_count;	/* ref count */
+	refcount_t		cr_count;	/* ref count */
 
 	kuid_t			cr_uid;
 
@@ -209,7 +209,7 @@ static inline
 struct rpc_cred *	get_rpccred(struct rpc_cred *cred)
 {
 	if (cred != NULL)
-		atomic_inc(&cred->cr_count);
+		refcount_inc(&cred->cr_count);
 	return cred;
 }
 
@@ -226,7 +226,7 @@ struct rpc_cred *	get_rpccred(struct rpc_cred *cred)
 static inline struct rpc_cred *
 get_rpccred_rcu(struct rpc_cred *cred)
 {
-	if (atomic_inc_not_zero(&cred->cr_count))
+	if (refcount_inc_not_zero(&cred->cr_count))
 		return cred;
 	return NULL;
 }
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 2bff63a..b6439b9 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -310,7 +310,7 @@ rpcauth_unhash_cred(struct rpc_cred *cred)
 
 	cache_lock = &cred->cr_auth->au_credcache->lock;
 	spin_lock(cache_lock);
-	ret = atomic_read(&cred->cr_count) = 0;
+	ret = refcount_read(&cred->cr_count) = 0;
 	if (ret)
 		rpcauth_unhash_cred_locked(cred);
 	spin_unlock(cache_lock);
@@ -470,12 +470,12 @@ rpcauth_prune_expired(struct list_head *free, int nr_to_scan)
 		list_del_init(&cred->cr_lru);
 		number_cred_unused--;
 		freed++;
-		if (atomic_read(&cred->cr_count) != 0)
+		if (refcount_read(&cred->cr_count) != 0)
 			continue;
 
 		cache_lock = &cred->cr_auth->au_credcache->lock;
 		spin_lock(cache_lock);
-		if (atomic_read(&cred->cr_count) = 0) {
+		if (refcount_read(&cred->cr_count) = 0) {
 			get_rpccred(cred);
 			list_add_tail(&cred->cr_lru, free);
 			rpcauth_unhash_cred_locked(cred);
@@ -642,7 +642,7 @@ rpcauth_init_cred(struct rpc_cred *cred, const struct auth_cred *acred,
 {
 	INIT_HLIST_NODE(&cred->cr_hash);
 	INIT_LIST_HEAD(&cred->cr_lru);
-	atomic_set(&cred->cr_count, 1);
+	refcount_set(&cred->cr_count, 1);
 	cred->cr_auth = auth;
 	cred->cr_ops = ops;
 	cred->cr_expire = jiffies;
@@ -715,12 +715,12 @@ put_rpccred(struct rpc_cred *cred)
 		return;
 	/* Fast path for unhashed credentials */
 	if (test_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags) = 0) {
-		if (atomic_dec_and_test(&cred->cr_count))
+		if (refcount_dec_and_test(&cred->cr_count))
 			cred->cr_ops->crdestroy(cred);
 		return;
 	}
 
-	if (!atomic_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
+	if (!refcount_dec_and_lock(&cred->cr_count, &rpc_credcache_lock))
 		return;
 	if (!list_empty(&cred->cr_lru)) {
 		number_cred_unused--;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 02/23] net, sunrpc: convert gss_cl_ctx.count from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/sunrpc/auth_gss.h | 3 ++-
 net/sunrpc/auth_gss/auth_gss.c  | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/sunrpc/auth_gss.h b/include/linux/sunrpc/auth_gss.h
index 36eebc4..cebdf87 100644
--- a/include/linux/sunrpc/auth_gss.h
+++ b/include/linux/sunrpc/auth_gss.h
@@ -13,6 +13,7 @@
 #define _LINUX_SUNRPC_AUTH_GSS_H
 
 #ifdef __KERNEL__
+#include <linux/refcount.h>
 #include <linux/sunrpc/auth.h>
 #include <linux/sunrpc/svc.h>
 #include <linux/sunrpc/gss_api.h>
@@ -65,7 +66,7 @@ struct rpc_gss_init_res {
  * the wire when communicating with a server. */
 
 struct gss_cl_ctx {
-	atomic_t		count;
+	refcount_t		count;
 	enum rpc_gss_proc	gc_proc;
 	u32			gc_seq;
 	spinlock_t		gc_seq_lock;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 4f16953..72f129c 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -117,14 +117,14 @@ static const struct rpc_pipe_ops gss_upcall_ops_v1;
 static inline struct gss_cl_ctx *
 gss_get_ctx(struct gss_cl_ctx *ctx)
 {
-	atomic_inc(&ctx->count);
+	refcount_inc(&ctx->count);
 	return ctx;
 }
 
 static inline void
 gss_put_ctx(struct gss_cl_ctx *ctx)
 {
-	if (atomic_dec_and_test(&ctx->count))
+	if (refcount_dec_and_test(&ctx->count))
 		gss_free_ctx(ctx);
 }
 
@@ -200,7 +200,7 @@ gss_alloc_context(void)
 		ctx->gc_proc = RPC_GSS_PROC_DATA;
 		ctx->gc_seq = 1;	/* NetApp 6.4R1 doesn't accept seq. no. 0 */
 		spin_lock_init(&ctx->gc_seq_lock);
-		atomic_set(&ctx->count,1);
+		refcount_set(&ctx->count,1);
 	}
 	return ctx;
 }
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 02/23] net, sunrpc: convert gss_cl_ctx.count from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/sunrpc/auth_gss.h | 3 ++-
 net/sunrpc/auth_gss/auth_gss.c  | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/sunrpc/auth_gss.h b/include/linux/sunrpc/auth_gss.h
index 36eebc4..cebdf87 100644
--- a/include/linux/sunrpc/auth_gss.h
+++ b/include/linux/sunrpc/auth_gss.h
@@ -13,6 +13,7 @@
 #define _LINUX_SUNRPC_AUTH_GSS_H
 
 #ifdef __KERNEL__
+#include <linux/refcount.h>
 #include <linux/sunrpc/auth.h>
 #include <linux/sunrpc/svc.h>
 #include <linux/sunrpc/gss_api.h>
@@ -65,7 +66,7 @@ struct rpc_gss_init_res {
  * the wire when communicating with a server. */
 
 struct gss_cl_ctx {
-	atomic_t		count;
+	refcount_t		count;
 	enum rpc_gss_proc	gc_proc;
 	u32			gc_seq;
 	spinlock_t		gc_seq_lock;
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 4f16953..72f129c 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -117,14 +117,14 @@ static const struct rpc_pipe_ops gss_upcall_ops_v1;
 static inline struct gss_cl_ctx *
 gss_get_ctx(struct gss_cl_ctx *ctx)
 {
-	atomic_inc(&ctx->count);
+	refcount_inc(&ctx->count);
 	return ctx;
 }
 
 static inline void
 gss_put_ctx(struct gss_cl_ctx *ctx)
 {
-	if (atomic_dec_and_test(&ctx->count))
+	if (refcount_dec_and_test(&ctx->count))
 		gss_free_ctx(ctx);
 }
 
@@ -200,7 +200,7 @@ gss_alloc_context(void)
 		ctx->gc_proc = RPC_GSS_PROC_DATA;
 		ctx->gc_seq = 1;	/* NetApp 6.4R1 doesn't accept seq. no. 0 */
 		spin_lock_init(&ctx->gc_seq_lock);
-		atomic_set(&ctx->count,1);
+		refcount_set(&ctx->count,1);
 	}
 	return ctx;
 }
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 03/23] net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/sunrpc/auth_gss/auth_gss.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 72f129c..e7c941a 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -287,7 +287,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
 #define UPCALL_BUF_LEN 128
 
 struct gss_upcall_msg {
-	atomic_t count;
+	refcount_t count;
 	kuid_t	uid;
 	struct rpc_pipe_msg msg;
 	struct list_head list;
@@ -328,7 +328,7 @@ static void
 gss_release_msg(struct gss_upcall_msg *gss_msg)
 {
 	struct net *net = gss_msg->auth->net;
-	if (!atomic_dec_and_test(&gss_msg->count))
+	if (!refcount_dec_and_test(&gss_msg->count))
 		return;
 	put_pipe_version(net);
 	BUG_ON(!list_empty(&gss_msg->list));
@@ -348,7 +348,7 @@ __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth
 			continue;
 		if (auth && pos->auth->service != auth->service)
 			continue;
-		atomic_inc(&pos->count);
+		refcount_inc(&pos->count);
 		dprintk("RPC:       %s found msg %p\n", __func__, pos);
 		return pos;
 	}
@@ -369,7 +369,7 @@ gss_add_msg(struct gss_upcall_msg *gss_msg)
 	spin_lock(&pipe->lock);
 	old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
 	if (old == NULL) {
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		list_add(&gss_msg->list, &pipe->in_downcall);
 	} else
 		gss_msg = old;
@@ -383,7 +383,7 @@ __gss_unhash_msg(struct gss_upcall_msg *gss_msg)
 	list_del_init(&gss_msg->list);
 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
 	wake_up_all(&gss_msg->waitqueue);
-	atomic_dec(&gss_msg->count);
+	WARN_ON(refcount_dec_and_test(&gss_msg->count));
 }
 
 static void
@@ -506,7 +506,7 @@ gss_alloc_msg(struct gss_auth *gss_auth,
 	INIT_LIST_HEAD(&gss_msg->list);
 	rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
 	init_waitqueue_head(&gss_msg->waitqueue);
-	atomic_set(&gss_msg->count, 1);
+	refcount_set(&gss_msg->count, 1);
 	gss_msg->uid = uid;
 	gss_msg->auth = gss_auth;
 	switch (vers) {
@@ -542,11 +542,11 @@ gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred)
 	gss_msg = gss_add_msg(gss_new);
 	if (gss_msg == gss_new) {
 		int res;
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
 		if (res) {
 			gss_unhash_msg(gss_new);
-			atomic_dec(&gss_msg->count);
+			refcount_dec(&gss_msg->count);
 			gss_release_msg(gss_new);
 			gss_msg = ERR_PTR(res);
 		}
@@ -595,7 +595,7 @@ gss_refresh_upcall(struct rpc_task *task)
 		task->tk_timeout = 0;
 		gss_cred->gc_upcall = gss_msg;
 		/* gss_upcall_callback will release the reference to gss_upcall_msg */
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback);
 	} else {
 		gss_handle_downcall_result(gss_cred, gss_msg);
@@ -815,7 +815,7 @@ gss_pipe_release(struct inode *inode)
 		if (!list_empty(&gss_msg->msg.list))
 			continue;
 		gss_msg->msg.errno = -EPIPE;
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		__gss_unhash_msg(gss_msg);
 		spin_unlock(&pipe->lock);
 		gss_release_msg(gss_msg);
@@ -834,7 +834,7 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
 	if (msg->errno < 0) {
 		dprintk("RPC:       %s releasing msg %p\n",
 			__func__, gss_msg);
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		gss_unhash_msg(gss_msg);
 		if (msg->errno == -ETIMEDOUT)
 			warn_gssd();
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 03/23] net, sunrpc: convert gss_upcall_msg.count from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/sunrpc/auth_gss/auth_gss.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 72f129c..e7c941a 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -287,7 +287,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct
 #define UPCALL_BUF_LEN 128
 
 struct gss_upcall_msg {
-	atomic_t count;
+	refcount_t count;
 	kuid_t	uid;
 	struct rpc_pipe_msg msg;
 	struct list_head list;
@@ -328,7 +328,7 @@ static void
 gss_release_msg(struct gss_upcall_msg *gss_msg)
 {
 	struct net *net = gss_msg->auth->net;
-	if (!atomic_dec_and_test(&gss_msg->count))
+	if (!refcount_dec_and_test(&gss_msg->count))
 		return;
 	put_pipe_version(net);
 	BUG_ON(!list_empty(&gss_msg->list));
@@ -348,7 +348,7 @@ __gss_find_upcall(struct rpc_pipe *pipe, kuid_t uid, const struct gss_auth *auth
 			continue;
 		if (auth && pos->auth->service != auth->service)
 			continue;
-		atomic_inc(&pos->count);
+		refcount_inc(&pos->count);
 		dprintk("RPC:       %s found msg %p\n", __func__, pos);
 		return pos;
 	}
@@ -369,7 +369,7 @@ gss_add_msg(struct gss_upcall_msg *gss_msg)
 	spin_lock(&pipe->lock);
 	old = __gss_find_upcall(pipe, gss_msg->uid, gss_msg->auth);
 	if (old = NULL) {
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		list_add(&gss_msg->list, &pipe->in_downcall);
 	} else
 		gss_msg = old;
@@ -383,7 +383,7 @@ __gss_unhash_msg(struct gss_upcall_msg *gss_msg)
 	list_del_init(&gss_msg->list);
 	rpc_wake_up_status(&gss_msg->rpc_waitqueue, gss_msg->msg.errno);
 	wake_up_all(&gss_msg->waitqueue);
-	atomic_dec(&gss_msg->count);
+	WARN_ON(refcount_dec_and_test(&gss_msg->count));
 }
 
 static void
@@ -506,7 +506,7 @@ gss_alloc_msg(struct gss_auth *gss_auth,
 	INIT_LIST_HEAD(&gss_msg->list);
 	rpc_init_wait_queue(&gss_msg->rpc_waitqueue, "RPCSEC_GSS upcall waitq");
 	init_waitqueue_head(&gss_msg->waitqueue);
-	atomic_set(&gss_msg->count, 1);
+	refcount_set(&gss_msg->count, 1);
 	gss_msg->uid = uid;
 	gss_msg->auth = gss_auth;
 	switch (vers) {
@@ -542,11 +542,11 @@ gss_setup_upcall(struct gss_auth *gss_auth, struct rpc_cred *cred)
 	gss_msg = gss_add_msg(gss_new);
 	if (gss_msg = gss_new) {
 		int res;
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		res = rpc_queue_upcall(gss_new->pipe, &gss_new->msg);
 		if (res) {
 			gss_unhash_msg(gss_new);
-			atomic_dec(&gss_msg->count);
+			refcount_dec(&gss_msg->count);
 			gss_release_msg(gss_new);
 			gss_msg = ERR_PTR(res);
 		}
@@ -595,7 +595,7 @@ gss_refresh_upcall(struct rpc_task *task)
 		task->tk_timeout = 0;
 		gss_cred->gc_upcall = gss_msg;
 		/* gss_upcall_callback will release the reference to gss_upcall_msg */
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		rpc_sleep_on(&gss_msg->rpc_waitqueue, task, gss_upcall_callback);
 	} else {
 		gss_handle_downcall_result(gss_cred, gss_msg);
@@ -815,7 +815,7 @@ gss_pipe_release(struct inode *inode)
 		if (!list_empty(&gss_msg->msg.list))
 			continue;
 		gss_msg->msg.errno = -EPIPE;
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		__gss_unhash_msg(gss_msg);
 		spin_unlock(&pipe->lock);
 		gss_release_msg(gss_msg);
@@ -834,7 +834,7 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
 	if (msg->errno < 0) {
 		dprintk("RPC:       %s releasing msg %p\n",
 			__func__, gss_msg);
-		atomic_inc(&gss_msg->count);
+		refcount_inc(&gss_msg->count);
 		gss_unhash_msg(gss_msg);
 		if (msg->errno = -ETIMEDOUT)
 			warn_gssd();
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 04/23] net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/ceph/libceph.h | 3 ++-
 net/ceph/snapshot.c          | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
index 1816c5e..26dc674 100644
--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -14,6 +14,7 @@
 #include <linux/wait.h>
 #include <linux/writeback.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 
 #include <linux/ceph/types.h>
 #include <linux/ceph/messenger.h>
@@ -159,7 +160,7 @@ struct ceph_client {
  * dirtied.
  */
 struct ceph_snap_context {
-	atomic_t nref;
+	refcount_t nref;
 	u64 seq;
 	u32 num_snaps;
 	u64 snaps[];
diff --git a/net/ceph/snapshot.c b/net/ceph/snapshot.c
index 705414e..e14a5d0 100644
--- a/net/ceph/snapshot.c
+++ b/net/ceph/snapshot.c
@@ -49,7 +49,7 @@ struct ceph_snap_context *ceph_create_snap_context(u32 snap_count,
 	if (!snapc)
 		return NULL;
 
-	atomic_set(&snapc->nref, 1);
+	refcount_set(&snapc->nref, 1);
 	snapc->num_snaps = snap_count;
 
 	return snapc;
@@ -59,7 +59,7 @@ EXPORT_SYMBOL(ceph_create_snap_context);
 struct ceph_snap_context *ceph_get_snap_context(struct ceph_snap_context *sc)
 {
 	if (sc)
-		atomic_inc(&sc->nref);
+		refcount_inc(&sc->nref);
 	return sc;
 }
 EXPORT_SYMBOL(ceph_get_snap_context);
@@ -68,7 +68,7 @@ void ceph_put_snap_context(struct ceph_snap_context *sc)
 {
 	if (!sc)
 		return;
-	if (atomic_dec_and_test(&sc->nref)) {
+	if (refcount_dec_and_test(&sc->nref)) {
 		/*printk(" deleting snap_context %p\n", sc);*/
 		kfree(sc);
 	}
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 04/23] net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/ceph/libceph.h | 3 ++-
 net/ceph/snapshot.c          | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
index 1816c5e..26dc674 100644
--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -14,6 +14,7 @@
 #include <linux/wait.h>
 #include <linux/writeback.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 
 #include <linux/ceph/types.h>
 #include <linux/ceph/messenger.h>
@@ -159,7 +160,7 @@ struct ceph_client {
  * dirtied.
  */
 struct ceph_snap_context {
-	atomic_t nref;
+	refcount_t nref;
 	u64 seq;
 	u32 num_snaps;
 	u64 snaps[];
diff --git a/net/ceph/snapshot.c b/net/ceph/snapshot.c
index 705414e..e14a5d0 100644
--- a/net/ceph/snapshot.c
+++ b/net/ceph/snapshot.c
@@ -49,7 +49,7 @@ struct ceph_snap_context *ceph_create_snap_context(u32 snap_count,
 	if (!snapc)
 		return NULL;
 
-	atomic_set(&snapc->nref, 1);
+	refcount_set(&snapc->nref, 1);
 	snapc->num_snaps = snap_count;
 
 	return snapc;
@@ -59,7 +59,7 @@ EXPORT_SYMBOL(ceph_create_snap_context);
 struct ceph_snap_context *ceph_get_snap_context(struct ceph_snap_context *sc)
 {
 	if (sc)
-		atomic_inc(&sc->nref);
+		refcount_inc(&sc->nref);
 	return sc;
 }
 EXPORT_SYMBOL(ceph_get_snap_context);
@@ -68,7 +68,7 @@ void ceph_put_snap_context(struct ceph_snap_context *sc)
 {
 	if (!sc)
 		return;
-	if (atomic_dec_and_test(&sc->nref)) {
+	if (refcount_dec_and_test(&sc->nref)) {
 		/*printk(" deleting snap_context %p\n", sc);*/
 		kfree(sc);
 	}
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 05/23] net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/ceph/osd_client.h |  3 ++-
 net/ceph/osd_client.c           | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h
index 2ea0c28..5ce0cd6 100644
--- a/include/linux/ceph/osd_client.h
+++ b/include/linux/ceph/osd_client.h
@@ -5,6 +5,7 @@
 #include <linux/kref.h>
 #include <linux/mempool.h>
 #include <linux/rbtree.h>
+#include <linux/refcount.h>
 
 #include <linux/ceph/types.h>
 #include <linux/ceph/osdmap.h>
@@ -27,7 +28,7 @@ typedef void (*ceph_osdc_callback_t)(struct ceph_osd_request *);
 
 /* a given osd we're communicating with */
 struct ceph_osd {
-	atomic_t o_ref;
+	refcount_t o_ref;
 	struct ceph_osd_client *o_osdc;
 	int o_osd;
 	int o_incarnation;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index b65bbf9..99a51f0 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1005,7 +1005,7 @@ static bool osd_registered(struct ceph_osd *osd)
  */
 static void osd_init(struct ceph_osd *osd)
 {
-	atomic_set(&osd->o_ref, 1);
+	refcount_set(&osd->o_ref, 1);
 	RB_CLEAR_NODE(&osd->o_node);
 	osd->o_requests = RB_ROOT;
 	osd->o_linger_requests = RB_ROOT;
@@ -1050,9 +1050,9 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc, int onum)
 
 static struct ceph_osd *get_osd(struct ceph_osd *osd)
 {
-	if (atomic_inc_not_zero(&osd->o_ref)) {
-		dout("get_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref)-1,
-		     atomic_read(&osd->o_ref));
+	if (refcount_inc_not_zero(&osd->o_ref)) {
+		dout("get_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref)-1,
+		     refcount_read(&osd->o_ref));
 		return osd;
 	} else {
 		dout("get_osd %p FAIL\n", osd);
@@ -1062,9 +1062,9 @@ static struct ceph_osd *get_osd(struct ceph_osd *osd)
 
 static void put_osd(struct ceph_osd *osd)
 {
-	dout("put_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref),
-	     atomic_read(&osd->o_ref) - 1);
-	if (atomic_dec_and_test(&osd->o_ref)) {
+	dout("put_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref),
+	     refcount_read(&osd->o_ref) - 1);
+	if (refcount_dec_and_test(&osd->o_ref)) {
 		osd_cleanup(osd);
 		kfree(osd);
 	}
@@ -4092,7 +4092,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
 		close_osd(osd);
 	}
 	up_write(&osdc->lock);
-	WARN_ON(atomic_read(&osdc->homeless_osd.o_ref) != 1);
+	WARN_ON(refcount_read(&osdc->homeless_osd.o_ref) != 1);
 	osd_cleanup(&osdc->homeless_osd);
 
 	WARN_ON(!list_empty(&osdc->osd_lru));
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 05/23] net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/linux/ceph/osd_client.h |  3 ++-
 net/ceph/osd_client.c           | 16 ++++++++--------
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h
index 2ea0c28..5ce0cd6 100644
--- a/include/linux/ceph/osd_client.h
+++ b/include/linux/ceph/osd_client.h
@@ -5,6 +5,7 @@
 #include <linux/kref.h>
 #include <linux/mempool.h>
 #include <linux/rbtree.h>
+#include <linux/refcount.h>
 
 #include <linux/ceph/types.h>
 #include <linux/ceph/osdmap.h>
@@ -27,7 +28,7 @@ typedef void (*ceph_osdc_callback_t)(struct ceph_osd_request *);
 
 /* a given osd we're communicating with */
 struct ceph_osd {
-	atomic_t o_ref;
+	refcount_t o_ref;
 	struct ceph_osd_client *o_osdc;
 	int o_osd;
 	int o_incarnation;
diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
index b65bbf9..99a51f0 100644
--- a/net/ceph/osd_client.c
+++ b/net/ceph/osd_client.c
@@ -1005,7 +1005,7 @@ static bool osd_registered(struct ceph_osd *osd)
  */
 static void osd_init(struct ceph_osd *osd)
 {
-	atomic_set(&osd->o_ref, 1);
+	refcount_set(&osd->o_ref, 1);
 	RB_CLEAR_NODE(&osd->o_node);
 	osd->o_requests = RB_ROOT;
 	osd->o_linger_requests = RB_ROOT;
@@ -1050,9 +1050,9 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc, int onum)
 
 static struct ceph_osd *get_osd(struct ceph_osd *osd)
 {
-	if (atomic_inc_not_zero(&osd->o_ref)) {
-		dout("get_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref)-1,
-		     atomic_read(&osd->o_ref));
+	if (refcount_inc_not_zero(&osd->o_ref)) {
+		dout("get_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref)-1,
+		     refcount_read(&osd->o_ref));
 		return osd;
 	} else {
 		dout("get_osd %p FAIL\n", osd);
@@ -1062,9 +1062,9 @@ static struct ceph_osd *get_osd(struct ceph_osd *osd)
 
 static void put_osd(struct ceph_osd *osd)
 {
-	dout("put_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref),
-	     atomic_read(&osd->o_ref) - 1);
-	if (atomic_dec_and_test(&osd->o_ref)) {
+	dout("put_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref),
+	     refcount_read(&osd->o_ref) - 1);
+	if (refcount_dec_and_test(&osd->o_ref)) {
 		osd_cleanup(osd);
 		kfree(osd);
 	}
@@ -4092,7 +4092,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
 		close_osd(osd);
 	}
 	up_write(&osdc->lock);
-	WARN_ON(atomic_read(&osdc->homeless_osd.o_ref) != 1);
+	WARN_ON(refcount_read(&osdc->homeless_osd.o_ref) != 1);
 	osd_cleanup(&osdc->homeless_osd);
 
 	WARN_ON(!list_empty(&osdc->osd_lru));
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 fs/ceph/mds_client.c          | 2 +-
 include/linux/ceph/pagelist.h | 6 +++---
 net/ceph/pagelist.c           | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index c681762..7b38e6c 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1991,7 +1991,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
 
 	if (req->r_pagelist) {
 		struct ceph_pagelist *pagelist = req->r_pagelist;
-		atomic_inc(&pagelist->refcnt);
+		refcount_inc(&pagelist->refcnt);
 		ceph_msg_data_add_pagelist(msg, pagelist);
 		msg->hdr.data_len = cpu_to_le32(pagelist->length);
 	} else {
diff --git a/include/linux/ceph/pagelist.h b/include/linux/ceph/pagelist.h
index 13d71fe..75a7db2 100644
--- a/include/linux/ceph/pagelist.h
+++ b/include/linux/ceph/pagelist.h
@@ -2,7 +2,7 @@
 #define __FS_CEPH_PAGELIST_H
 
 #include <asm/byteorder.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/list.h>
 #include <linux/types.h>
 
@@ -13,7 +13,7 @@ struct ceph_pagelist {
 	size_t room;
 	struct list_head free_list;
 	size_t num_pages_free;
-	atomic_t refcnt;
+	refcount_t refcnt;
 };
 
 struct ceph_pagelist_cursor {
@@ -30,7 +30,7 @@ static inline void ceph_pagelist_init(struct ceph_pagelist *pl)
 	pl->room = 0;
 	INIT_LIST_HEAD(&pl->free_list);
 	pl->num_pages_free = 0;
-	atomic_set(&pl->refcnt, 1);
+	refcount_set(&pl->refcnt, 1);
 }
 
 extern void ceph_pagelist_release(struct ceph_pagelist *pl);
diff --git a/net/ceph/pagelist.c b/net/ceph/pagelist.c
index 6864007..ce09f73 100644
--- a/net/ceph/pagelist.c
+++ b/net/ceph/pagelist.c
@@ -16,7 +16,7 @@ static void ceph_pagelist_unmap_tail(struct ceph_pagelist *pl)
 
 void ceph_pagelist_release(struct ceph_pagelist *pl)
 {
-	if (!atomic_dec_and_test(&pl->refcnt))
+	if (!refcount_dec_and_test(&pl->refcnt))
 		return;
 	ceph_pagelist_unmap_tail(pl);
 	while (!list_empty(&pl->head)) {
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 fs/ceph/mds_client.c          | 2 +-
 include/linux/ceph/pagelist.h | 6 +++---
 net/ceph/pagelist.c           | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index c681762..7b38e6c 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1991,7 +1991,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
 
 	if (req->r_pagelist) {
 		struct ceph_pagelist *pagelist = req->r_pagelist;
-		atomic_inc(&pagelist->refcnt);
+		refcount_inc(&pagelist->refcnt);
 		ceph_msg_data_add_pagelist(msg, pagelist);
 		msg->hdr.data_len = cpu_to_le32(pagelist->length);
 	} else {
diff --git a/include/linux/ceph/pagelist.h b/include/linux/ceph/pagelist.h
index 13d71fe..75a7db2 100644
--- a/include/linux/ceph/pagelist.h
+++ b/include/linux/ceph/pagelist.h
@@ -2,7 +2,7 @@
 #define __FS_CEPH_PAGELIST_H
 
 #include <asm/byteorder.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/list.h>
 #include <linux/types.h>
 
@@ -13,7 +13,7 @@ struct ceph_pagelist {
 	size_t room;
 	struct list_head free_list;
 	size_t num_pages_free;
-	atomic_t refcnt;
+	refcount_t refcnt;
 };
 
 struct ceph_pagelist_cursor {
@@ -30,7 +30,7 @@ static inline void ceph_pagelist_init(struct ceph_pagelist *pl)
 	pl->room = 0;
 	INIT_LIST_HEAD(&pl->free_list);
 	pl->num_pages_free = 0;
-	atomic_set(&pl->refcnt, 1);
+	refcount_set(&pl->refcnt, 1);
 }
 
 extern void ceph_pagelist_release(struct ceph_pagelist *pl);
diff --git a/net/ceph/pagelist.c b/net/ceph/pagelist.c
index 6864007..ce09f73 100644
--- a/net/ceph/pagelist.c
+++ b/net/ceph/pagelist.c
@@ -16,7 +16,7 @@ static void ceph_pagelist_unmap_tail(struct ceph_pagelist *pl)
 
 void ceph_pagelist_release(struct ceph_pagelist *pl)
 {
-	if (!atomic_dec_and_test(&pl->refcnt))
+	if (!refcount_dec_and_test(&pl->refcnt))
 		return;
 	ceph_pagelist_unmap_tail(pl);
 	while (!list_empty(&pl->head)) {
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 07/23] net, rds: convert rds_ib_device.refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/ib.c      | 12 ++++++------
 net/rds/ib.h      |  2 +-
 net/rds/ib_rdma.c |  4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/net/rds/ib.c b/net/rds/ib.c
index 91fe46f..bb19cda 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -118,8 +118,8 @@ static void rds_ib_dev_free(struct work_struct *work)
 
 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
 {
-	BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
-	if (atomic_dec_and_test(&rds_ibdev->refcount))
+	BUG_ON(refcount_read(&rds_ibdev->refcount) == 0);
+	if (refcount_dec_and_test(&rds_ibdev->refcount))
 		queue_work(rds_wq, &rds_ibdev->free_work);
 }
 
@@ -137,7 +137,7 @@ static void rds_ib_add_one(struct ib_device *device)
 		return;
 
 	spin_lock_init(&rds_ibdev->spinlock);
-	atomic_set(&rds_ibdev->refcount, 1);
+	refcount_set(&rds_ibdev->refcount, 1);
 	INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free);
 
 	rds_ibdev->max_wrs = device->attrs.max_qp_wr;
@@ -205,10 +205,10 @@ static void rds_ib_add_one(struct ib_device *device)
 	down_write(&rds_ib_devices_lock);
 	list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices);
 	up_write(&rds_ib_devices_lock);
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 
 	ib_set_client_data(device, &rds_ib_client, rds_ibdev);
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 
 	rds_ib_nodev_connect();
 
@@ -239,7 +239,7 @@ struct rds_ib_device *rds_ib_get_client_data(struct ib_device *device)
 	rcu_read_lock();
 	rds_ibdev = ib_get_client_data(device, &rds_ib_client);
 	if (rds_ibdev)
-		atomic_inc(&rds_ibdev->refcount);
+		refcount_inc(&rds_ibdev->refcount);
 	rcu_read_unlock();
 	return rds_ibdev;
 }
diff --git a/net/rds/ib.h b/net/rds/ib.h
index ec55062..bf48224 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -230,7 +230,7 @@ struct rds_ib_device {
 	unsigned int		max_initiator_depth;
 	unsigned int		max_responder_resources;
 	spinlock_t		spinlock;	/* protect the above */
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct work_struct	free_work;
 	int			*vector_load;
 };
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 977f698..9a3c54e 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -52,7 +52,7 @@ static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
 	list_for_each_entry_rcu(rds_ibdev, &rds_ib_devices, list) {
 		list_for_each_entry_rcu(i_ipaddr, &rds_ibdev->ipaddr_list, list) {
 			if (i_ipaddr->ipaddr == ipaddr) {
-				atomic_inc(&rds_ibdev->refcount);
+				refcount_inc(&rds_ibdev->refcount);
 				rcu_read_unlock();
 				return rds_ibdev;
 			}
@@ -134,7 +134,7 @@ void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *con
 	spin_unlock_irq(&ib_nodev_conns_lock);
 
 	ic->rds_ibdev = rds_ibdev;
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 }
 
 void rds_ib_remove_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn)
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 07/23] net, rds: convert rds_ib_device.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/ib.c      | 12 ++++++------
 net/rds/ib.h      |  2 +-
 net/rds/ib_rdma.c |  4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/net/rds/ib.c b/net/rds/ib.c
index 91fe46f..bb19cda 100644
--- a/net/rds/ib.c
+++ b/net/rds/ib.c
@@ -118,8 +118,8 @@ static void rds_ib_dev_free(struct work_struct *work)
 
 void rds_ib_dev_put(struct rds_ib_device *rds_ibdev)
 {
-	BUG_ON(atomic_read(&rds_ibdev->refcount) <= 0);
-	if (atomic_dec_and_test(&rds_ibdev->refcount))
+	BUG_ON(refcount_read(&rds_ibdev->refcount) = 0);
+	if (refcount_dec_and_test(&rds_ibdev->refcount))
 		queue_work(rds_wq, &rds_ibdev->free_work);
 }
 
@@ -137,7 +137,7 @@ static void rds_ib_add_one(struct ib_device *device)
 		return;
 
 	spin_lock_init(&rds_ibdev->spinlock);
-	atomic_set(&rds_ibdev->refcount, 1);
+	refcount_set(&rds_ibdev->refcount, 1);
 	INIT_WORK(&rds_ibdev->free_work, rds_ib_dev_free);
 
 	rds_ibdev->max_wrs = device->attrs.max_qp_wr;
@@ -205,10 +205,10 @@ static void rds_ib_add_one(struct ib_device *device)
 	down_write(&rds_ib_devices_lock);
 	list_add_tail_rcu(&rds_ibdev->list, &rds_ib_devices);
 	up_write(&rds_ib_devices_lock);
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 
 	ib_set_client_data(device, &rds_ib_client, rds_ibdev);
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 
 	rds_ib_nodev_connect();
 
@@ -239,7 +239,7 @@ struct rds_ib_device *rds_ib_get_client_data(struct ib_device *device)
 	rcu_read_lock();
 	rds_ibdev = ib_get_client_data(device, &rds_ib_client);
 	if (rds_ibdev)
-		atomic_inc(&rds_ibdev->refcount);
+		refcount_inc(&rds_ibdev->refcount);
 	rcu_read_unlock();
 	return rds_ibdev;
 }
diff --git a/net/rds/ib.h b/net/rds/ib.h
index ec55062..bf48224 100644
--- a/net/rds/ib.h
+++ b/net/rds/ib.h
@@ -230,7 +230,7 @@ struct rds_ib_device {
 	unsigned int		max_initiator_depth;
 	unsigned int		max_responder_resources;
 	spinlock_t		spinlock;	/* protect the above */
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct work_struct	free_work;
 	int			*vector_load;
 };
diff --git a/net/rds/ib_rdma.c b/net/rds/ib_rdma.c
index 977f698..9a3c54e 100644
--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -52,7 +52,7 @@ static struct rds_ib_device *rds_ib_get_device(__be32 ipaddr)
 	list_for_each_entry_rcu(rds_ibdev, &rds_ib_devices, list) {
 		list_for_each_entry_rcu(i_ipaddr, &rds_ibdev->ipaddr_list, list) {
 			if (i_ipaddr->ipaddr = ipaddr) {
-				atomic_inc(&rds_ibdev->refcount);
+				refcount_inc(&rds_ibdev->refcount);
 				rcu_read_unlock();
 				return rds_ibdev;
 			}
@@ -134,7 +134,7 @@ void rds_ib_add_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *con
 	spin_unlock_irq(&ib_nodev_conns_lock);
 
 	ic->rds_ibdev = rds_ibdev;
-	atomic_inc(&rds_ibdev->refcount);
+	refcount_inc(&rds_ibdev->refcount);
 }
 
 void rds_ib_remove_conn(struct rds_ib_device *rds_ibdev, struct rds_connection *conn)
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 08/23] net, rds: convert rds_incoming.i_refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/rds.h  |  3 ++-
 net/rds/recv.c | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/rds/rds.h b/net/rds/rds.h
index 966d2ee..d8070c7 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -8,6 +8,7 @@
 #include <linux/mutex.h>
 #include <linux/rds.h>
 #include <linux/rhashtable.h>
+#include <linux/refcount.h>
 
 #include "info.h"
 
@@ -260,7 +261,7 @@ struct rds_ext_header_rdma_dest {
 #define	RDS_MSG_RX_CMSG		3
 
 struct rds_incoming {
-	atomic_t		i_refcount;
+	refcount_t		i_refcount;
 	struct list_head	i_item;
 	struct rds_connection	*i_conn;
 	struct rds_conn_path	*i_conn_path;
diff --git a/net/rds/recv.c b/net/rds/recv.c
index 8b7e7b7..7d5e35e 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -45,7 +45,7 @@ void rds_inc_init(struct rds_incoming *inc, struct rds_connection *conn,
 {
 	int i;
 
-	atomic_set(&inc->i_refcount, 1);
+	refcount_set(&inc->i_refcount, 1);
 	INIT_LIST_HEAD(&inc->i_item);
 	inc->i_conn = conn;
 	inc->i_saddr = saddr;
@@ -61,7 +61,7 @@ EXPORT_SYMBOL_GPL(rds_inc_init);
 void rds_inc_path_init(struct rds_incoming *inc, struct rds_conn_path *cp,
 		       __be32 saddr)
 {
-	atomic_set(&inc->i_refcount, 1);
+	refcount_set(&inc->i_refcount, 1);
 	INIT_LIST_HEAD(&inc->i_item);
 	inc->i_conn = cp->cp_conn;
 	inc->i_conn_path = cp;
@@ -74,14 +74,14 @@ EXPORT_SYMBOL_GPL(rds_inc_path_init);
 
 static void rds_inc_addref(struct rds_incoming *inc)
 {
-	rdsdebug("addref inc %p ref %d\n", inc, atomic_read(&inc->i_refcount));
-	atomic_inc(&inc->i_refcount);
+	rdsdebug("addref inc %p ref %d\n", inc, refcount_read(&inc->i_refcount));
+	refcount_inc(&inc->i_refcount);
 }
 
 void rds_inc_put(struct rds_incoming *inc)
 {
-	rdsdebug("put inc %p ref %d\n", inc, atomic_read(&inc->i_refcount));
-	if (atomic_dec_and_test(&inc->i_refcount)) {
+	rdsdebug("put inc %p ref %d\n", inc, refcount_read(&inc->i_refcount));
+	if (refcount_dec_and_test(&inc->i_refcount)) {
 		BUG_ON(!list_empty(&inc->i_item));
 
 		inc->i_conn->c_trans->inc_free(inc);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 08/23] net, rds: convert rds_incoming.i_refcount from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/rds.h  |  3 ++-
 net/rds/recv.c | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/rds/rds.h b/net/rds/rds.h
index 966d2ee..d8070c7 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -8,6 +8,7 @@
 #include <linux/mutex.h>
 #include <linux/rds.h>
 #include <linux/rhashtable.h>
+#include <linux/refcount.h>
 
 #include "info.h"
 
@@ -260,7 +261,7 @@ struct rds_ext_header_rdma_dest {
 #define	RDS_MSG_RX_CMSG		3
 
 struct rds_incoming {
-	atomic_t		i_refcount;
+	refcount_t		i_refcount;
 	struct list_head	i_item;
 	struct rds_connection	*i_conn;
 	struct rds_conn_path	*i_conn_path;
diff --git a/net/rds/recv.c b/net/rds/recv.c
index 8b7e7b7..7d5e35e 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -45,7 +45,7 @@ void rds_inc_init(struct rds_incoming *inc, struct rds_connection *conn,
 {
 	int i;
 
-	atomic_set(&inc->i_refcount, 1);
+	refcount_set(&inc->i_refcount, 1);
 	INIT_LIST_HEAD(&inc->i_item);
 	inc->i_conn = conn;
 	inc->i_saddr = saddr;
@@ -61,7 +61,7 @@ EXPORT_SYMBOL_GPL(rds_inc_init);
 void rds_inc_path_init(struct rds_incoming *inc, struct rds_conn_path *cp,
 		       __be32 saddr)
 {
-	atomic_set(&inc->i_refcount, 1);
+	refcount_set(&inc->i_refcount, 1);
 	INIT_LIST_HEAD(&inc->i_item);
 	inc->i_conn = cp->cp_conn;
 	inc->i_conn_path = cp;
@@ -74,14 +74,14 @@ EXPORT_SYMBOL_GPL(rds_inc_path_init);
 
 static void rds_inc_addref(struct rds_incoming *inc)
 {
-	rdsdebug("addref inc %p ref %d\n", inc, atomic_read(&inc->i_refcount));
-	atomic_inc(&inc->i_refcount);
+	rdsdebug("addref inc %p ref %d\n", inc, refcount_read(&inc->i_refcount));
+	refcount_inc(&inc->i_refcount);
 }
 
 void rds_inc_put(struct rds_incoming *inc)
 {
-	rdsdebug("put inc %p ref %d\n", inc, atomic_read(&inc->i_refcount));
-	if (atomic_dec_and_test(&inc->i_refcount)) {
+	rdsdebug("put inc %p ref %d\n", inc, refcount_read(&inc->i_refcount));
+	if (refcount_dec_and_test(&inc->i_refcount)) {
 		BUG_ON(!list_empty(&inc->i_item));
 
 		inc->i_conn->c_trans->inc_free(inc);
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 09/23] net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/rdma.c | 10 +++++-----
 net/rds/rds.h  |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index f06fac4..8886f15 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -84,7 +84,7 @@ static struct rds_mr *rds_mr_tree_walk(struct rb_root *root, u64 key,
 	if (insert) {
 		rb_link_node(&insert->r_rb_node, parent, p);
 		rb_insert_color(&insert->r_rb_node, root);
-		atomic_inc(&insert->r_refcount);
+		refcount_inc(&insert->r_refcount);
 	}
 	return NULL;
 }
@@ -99,7 +99,7 @@ static void rds_destroy_mr(struct rds_mr *mr)
 	unsigned long flags;
 
 	rdsdebug("RDS: destroy mr key is %x refcnt %u\n",
-			mr->r_key, atomic_read(&mr->r_refcount));
+			mr->r_key, refcount_read(&mr->r_refcount));
 
 	if (test_and_set_bit(RDS_MR_DEAD, &mr->r_state))
 		return;
@@ -223,7 +223,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 		goto out;
 	}
 
-	atomic_set(&mr->r_refcount, 1);
+	refcount_set(&mr->r_refcount, 1);
 	RB_CLEAR_NODE(&mr->r_rb_node);
 	mr->r_trans = rs->rs_transport;
 	mr->r_sock = rs;
@@ -307,7 +307,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 
 	rdsdebug("RDS: get_mr key is %x\n", mr->r_key);
 	if (mr_ret) {
-		atomic_inc(&mr->r_refcount);
+		refcount_inc(&mr->r_refcount);
 		*mr_ret = mr;
 	}
 
@@ -756,7 +756,7 @@ int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm,
 	if (!mr)
 		err = -EINVAL;	/* invalid r_key */
 	else
-		atomic_inc(&mr->r_refcount);
+		refcount_inc(&mr->r_refcount);
 	spin_unlock_irqrestore(&rs->rs_rdma_lock, flags);
 
 	if (mr) {
diff --git a/net/rds/rds.h b/net/rds/rds.h
index d8070c7..7487597 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -276,7 +276,7 @@ struct rds_incoming {
 
 struct rds_mr {
 	struct rb_node		r_rb_node;
-	atomic_t		r_refcount;
+	refcount_t		r_refcount;
 	u32			r_key;
 
 	/* A copy of the creation flags */
@@ -855,7 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 void __rds_put_mr_final(struct rds_mr *mr);
 static inline void rds_mr_put(struct rds_mr *mr)
 {
-	if (atomic_dec_and_test(&mr->r_refcount))
+	if (refcount_dec_and_test(&mr->r_refcount))
 		__rds_put_mr_final(mr);
 }
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 09/23] net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/rdma.c | 10 +++++-----
 net/rds/rds.h  |  4 ++--
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index f06fac4..8886f15 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -84,7 +84,7 @@ static struct rds_mr *rds_mr_tree_walk(struct rb_root *root, u64 key,
 	if (insert) {
 		rb_link_node(&insert->r_rb_node, parent, p);
 		rb_insert_color(&insert->r_rb_node, root);
-		atomic_inc(&insert->r_refcount);
+		refcount_inc(&insert->r_refcount);
 	}
 	return NULL;
 }
@@ -99,7 +99,7 @@ static void rds_destroy_mr(struct rds_mr *mr)
 	unsigned long flags;
 
 	rdsdebug("RDS: destroy mr key is %x refcnt %u\n",
-			mr->r_key, atomic_read(&mr->r_refcount));
+			mr->r_key, refcount_read(&mr->r_refcount));
 
 	if (test_and_set_bit(RDS_MR_DEAD, &mr->r_state))
 		return;
@@ -223,7 +223,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 		goto out;
 	}
 
-	atomic_set(&mr->r_refcount, 1);
+	refcount_set(&mr->r_refcount, 1);
 	RB_CLEAR_NODE(&mr->r_rb_node);
 	mr->r_trans = rs->rs_transport;
 	mr->r_sock = rs;
@@ -307,7 +307,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 
 	rdsdebug("RDS: get_mr key is %x\n", mr->r_key);
 	if (mr_ret) {
-		atomic_inc(&mr->r_refcount);
+		refcount_inc(&mr->r_refcount);
 		*mr_ret = mr;
 	}
 
@@ -756,7 +756,7 @@ int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm,
 	if (!mr)
 		err = -EINVAL;	/* invalid r_key */
 	else
-		atomic_inc(&mr->r_refcount);
+		refcount_inc(&mr->r_refcount);
 	spin_unlock_irqrestore(&rs->rs_rdma_lock, flags);
 
 	if (mr) {
diff --git a/net/rds/rds.h b/net/rds/rds.h
index d8070c7..7487597 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -276,7 +276,7 @@ struct rds_incoming {
 
 struct rds_mr {
 	struct rb_node		r_rb_node;
-	atomic_t		r_refcount;
+	refcount_t		r_refcount;
 	u32			r_key;
 
 	/* A copy of the creation flags */
@@ -855,7 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 void __rds_put_mr_final(struct rds_mr *mr);
 static inline void rds_mr_put(struct rds_mr *mr)
 {
-	if (atomic_dec_and_test(&mr->r_refcount))
+	if (refcount_dec_and_test(&mr->r_refcount))
 		__rds_put_mr_final(mr);
 }
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 10/23] net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 net/rds/message.c | 12 ++++++------
 net/rds/rds.h     |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 49bfb51..4318cc9 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -48,8 +48,8 @@ static unsigned int	rds_exthdr_size[__RDS_EXTHDR_MAX] = {
 
 void rds_message_addref(struct rds_message *rm)
 {
-	rdsdebug("addref rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	atomic_inc(&rm->m_refcount);
+	rdsdebug("addref rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	refcount_inc(&rm->m_refcount);
 }
 EXPORT_SYMBOL_GPL(rds_message_addref);
 
@@ -83,9 +83,9 @@ static void rds_message_purge(struct rds_message *rm)
 
 void rds_message_put(struct rds_message *rm)
 {
-	rdsdebug("put rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	WARN(!atomic_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
-	if (atomic_dec_and_test(&rm->m_refcount)) {
+	rdsdebug("put rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	WARN(!refcount_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
+	if (refcount_dec_and_test(&rm->m_refcount)) {
 		BUG_ON(!list_empty(&rm->m_sock_item));
 		BUG_ON(!list_empty(&rm->m_conn_item));
 		rds_message_purge(rm);
@@ -206,7 +206,7 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp)
 	rm->m_used_sgs = 0;
 	rm->m_total_sgs = extra_len / sizeof(struct scatterlist);
 
-	atomic_set(&rm->m_refcount, 1);
+	refcount_set(&rm->m_refcount, 1);
 	INIT_LIST_HEAD(&rm->m_sock_item);
 	INIT_LIST_HEAD(&rm->m_conn_item);
 	spin_lock_init(&rm->m_rs_lock);
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 7487597..8c205ff 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -355,7 +355,7 @@ static inline u32 rds_rdma_cookie_offset(rds_rdma_cookie_t cookie)
 #define RDS_MSG_FLUSH		8
 
 struct rds_message {
-	atomic_t		m_refcount;
+	refcount_t		m_refcount;
 	struct list_head	m_sock_item;
 	struct list_head	m_conn_item;
 	struct rds_incoming	m_inc;
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 10/23] net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/message.c | 12 ++++++------
 net/rds/rds.h     |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 49bfb51..4318cc9 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -48,8 +48,8 @@ static unsigned int	rds_exthdr_size[__RDS_EXTHDR_MAX] = {
 
 void rds_message_addref(struct rds_message *rm)
 {
-	rdsdebug("addref rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	atomic_inc(&rm->m_refcount);
+	rdsdebug("addref rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	refcount_inc(&rm->m_refcount);
 }
 EXPORT_SYMBOL_GPL(rds_message_addref);
 
@@ -83,9 +83,9 @@ static void rds_message_purge(struct rds_message *rm)
 
 void rds_message_put(struct rds_message *rm)
 {
-	rdsdebug("put rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	WARN(!atomic_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
-	if (atomic_dec_and_test(&rm->m_refcount)) {
+	rdsdebug("put rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	WARN(!refcount_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
+	if (refcount_dec_and_test(&rm->m_refcount)) {
 		BUG_ON(!list_empty(&rm->m_sock_item));
 		BUG_ON(!list_empty(&rm->m_conn_item));
 		rds_message_purge(rm);
@@ -206,7 +206,7 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp)
 	rm->m_used_sgs = 0;
 	rm->m_total_sgs = extra_len / sizeof(struct scatterlist);
 
-	atomic_set(&rm->m_refcount, 1);
+	refcount_set(&rm->m_refcount, 1);
 	INIT_LIST_HEAD(&rm->m_sock_item);
 	INIT_LIST_HEAD(&rm->m_conn_item);
 	spin_lock_init(&rm->m_rs_lock);
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 7487597..8c205ff 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -355,7 +355,7 @@ static inline u32 rds_rdma_cookie_offset(rds_rdma_cookie_t cookie)
 #define RDS_MSG_FLUSH		8
 
 struct rds_message {
-	atomic_t		m_refcount;
+	refcount_t		m_refcount;
 	struct list_head	m_sock_item;
 	struct list_head	m_conn_item;
 	struct rds_incoming	m_inc;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 10/23] net, rds: convert rds_message.m_refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 net/rds/message.c | 12 ++++++------
 net/rds/rds.h     |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/rds/message.c b/net/rds/message.c
index 49bfb51..4318cc9 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -48,8 +48,8 @@ static unsigned int	rds_exthdr_size[__RDS_EXTHDR_MAX] = {
 
 void rds_message_addref(struct rds_message *rm)
 {
-	rdsdebug("addref rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	atomic_inc(&rm->m_refcount);
+	rdsdebug("addref rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	refcount_inc(&rm->m_refcount);
 }
 EXPORT_SYMBOL_GPL(rds_message_addref);
 
@@ -83,9 +83,9 @@ static void rds_message_purge(struct rds_message *rm)
 
 void rds_message_put(struct rds_message *rm)
 {
-	rdsdebug("put rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-	WARN(!atomic_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
-	if (atomic_dec_and_test(&rm->m_refcount)) {
+	rdsdebug("put rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+	WARN(!refcount_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
+	if (refcount_dec_and_test(&rm->m_refcount)) {
 		BUG_ON(!list_empty(&rm->m_sock_item));
 		BUG_ON(!list_empty(&rm->m_conn_item));
 		rds_message_purge(rm);
@@ -206,7 +206,7 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp)
 	rm->m_used_sgs = 0;
 	rm->m_total_sgs = extra_len / sizeof(struct scatterlist);
 
-	atomic_set(&rm->m_refcount, 1);
+	refcount_set(&rm->m_refcount, 1);
 	INIT_LIST_HEAD(&rm->m_sock_item);
 	INIT_LIST_HEAD(&rm->m_conn_item);
 	spin_lock_init(&rm->m_rs_lock);
diff --git a/net/rds/rds.h b/net/rds/rds.h
index 7487597..8c205ff 100644
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -355,7 +355,7 @@ static inline u32 rds_rdma_cookie_offset(rds_rdma_cookie_t cookie)
 #define RDS_MSG_FLUSH		8
 
 struct rds_message {
-	atomic_t		m_refcount;
+	refcount_t		m_refcount;
 	struct list_head	m_sock_item;
 	struct list_head	m_conn_item;
 	struct rds_incoming	m_inc;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 11/23] net, x25: convert x25_route.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/x25.h   | 7 ++++---
 net/x25/x25_route.c | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/x25.h b/include/net/x25.h
index c383aa4..83a6d31 100644
--- a/include/net/x25.h
+++ b/include/net/x25.h
@@ -11,6 +11,7 @@
 #define _X25_H 
 #include <linux/x25.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 #include <net/sock.h>
 
 #define	X25_ADDR_LEN			16
@@ -129,7 +130,7 @@ struct x25_route {
 	struct x25_address	address;
 	unsigned int		sigdigits;
 	struct net_device	*dev;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 };
 
 struct x25_neigh {
@@ -265,12 +266,12 @@ void x25_route_free(void);
 
 static __inline__ void x25_route_hold(struct x25_route *rt)
 {
-	atomic_inc(&rt->refcnt);
+	refcount_inc(&rt->refcnt);
 }
 
 static __inline__ void x25_route_put(struct x25_route *rt)
 {
-	if (atomic_dec_and_test(&rt->refcnt))
+	if (refcount_dec_and_test(&rt->refcnt))
 		kfree(rt);
 }
 
diff --git a/net/x25/x25_route.c b/net/x25/x25_route.c
index 277c8d2..b85b889 100644
--- a/net/x25/x25_route.c
+++ b/net/x25/x25_route.c
@@ -55,7 +55,7 @@ static int x25_add_route(struct x25_address *address, unsigned int sigdigits,
 
 	rt->sigdigits = sigdigits;
 	rt->dev       = dev;
-	atomic_set(&rt->refcnt, 1);
+	refcount_set(&rt->refcnt, 1);
 
 	list_add(&rt->node, &x25_route_list);
 	rc = 0;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 11/23] net, x25: convert x25_route.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/x25.h   | 7 ++++---
 net/x25/x25_route.c | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/x25.h b/include/net/x25.h
index c383aa4..83a6d31 100644
--- a/include/net/x25.h
+++ b/include/net/x25.h
@@ -11,6 +11,7 @@
 #define _X25_H 
 #include <linux/x25.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 #include <net/sock.h>
 
 #define	X25_ADDR_LEN			16
@@ -129,7 +130,7 @@ struct x25_route {
 	struct x25_address	address;
 	unsigned int		sigdigits;
 	struct net_device	*dev;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 };
 
 struct x25_neigh {
@@ -265,12 +266,12 @@ void x25_route_free(void);
 
 static __inline__ void x25_route_hold(struct x25_route *rt)
 {
-	atomic_inc(&rt->refcnt);
+	refcount_inc(&rt->refcnt);
 }
 
 static __inline__ void x25_route_put(struct x25_route *rt)
 {
-	if (atomic_dec_and_test(&rt->refcnt))
+	if (refcount_dec_and_test(&rt->refcnt))
 		kfree(rt);
 }
 
diff --git a/net/x25/x25_route.c b/net/x25/x25_route.c
index 277c8d2..b85b889 100644
--- a/net/x25/x25_route.c
+++ b/net/x25/x25_route.c
@@ -55,7 +55,7 @@ static int x25_add_route(struct x25_address *address, unsigned int sigdigits,
 
 	rt->sigdigits = sigdigits;
 	rt->dev       = dev;
-	atomic_set(&rt->refcnt, 1);
+	refcount_set(&rt->refcnt, 1);
 
 	list_add(&rt->node, &x25_route_list);
 	rc = 0;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 12/23] net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/x25.h  | 6 +++---
 net/x25/x25_link.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/x25.h b/include/net/x25.h
index 83a6d31..265756c 100644
--- a/include/net/x25.h
+++ b/include/net/x25.h
@@ -142,7 +142,7 @@ struct x25_neigh {
 	unsigned long		t20;
 	struct timer_list	t20timer;
 	unsigned long		global_facil_mask;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 };
 
 struct x25_sock {
@@ -243,12 +243,12 @@ void x25_link_free(void);
 /* x25_neigh.c */
 static __inline__ void x25_neigh_hold(struct x25_neigh *nb)
 {
-	atomic_inc(&nb->refcnt);
+	refcount_inc(&nb->refcnt);
 }
 
 static __inline__ void x25_neigh_put(struct x25_neigh *nb)
 {
-	if (atomic_dec_and_test(&nb->refcnt))
+	if (refcount_dec_and_test(&nb->refcnt))
 		kfree(nb);
 }
 
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index bcaa180..e0cd04d 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -266,7 +266,7 @@ void x25_link_device_up(struct net_device *dev)
 				       X25_MASK_PACKET_SIZE |
 				       X25_MASK_WINDOW_SIZE;
 	nb->t20      = sysctl_x25_restart_request_timeout;
-	atomic_set(&nb->refcnt, 1);
+	refcount_set(&nb->refcnt, 1);
 
 	write_lock_bh(&x25_neigh_list_lock);
 	list_add(&nb->node, &x25_neigh_list);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 12/23] net, x25: convert x25_neigh.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/x25.h  | 6 +++---
 net/x25/x25_link.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/x25.h b/include/net/x25.h
index 83a6d31..265756c 100644
--- a/include/net/x25.h
+++ b/include/net/x25.h
@@ -142,7 +142,7 @@ struct x25_neigh {
 	unsigned long		t20;
 	struct timer_list	t20timer;
 	unsigned long		global_facil_mask;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 };
 
 struct x25_sock {
@@ -243,12 +243,12 @@ void x25_link_free(void);
 /* x25_neigh.c */
 static __inline__ void x25_neigh_hold(struct x25_neigh *nb)
 {
-	atomic_inc(&nb->refcnt);
+	refcount_inc(&nb->refcnt);
 }
 
 static __inline__ void x25_neigh_put(struct x25_neigh *nb)
 {
-	if (atomic_dec_and_test(&nb->refcnt))
+	if (refcount_dec_and_test(&nb->refcnt))
 		kfree(nb);
 }
 
diff --git a/net/x25/x25_link.c b/net/x25/x25_link.c
index bcaa180..e0cd04d 100644
--- a/net/x25/x25_link.c
+++ b/net/x25/x25_link.c
@@ -266,7 +266,7 @@ void x25_link_device_up(struct net_device *dev)
 				       X25_MASK_PACKET_SIZE |
 				       X25_MASK_WINDOW_SIZE;
 	nb->t20      = sysctl_x25_restart_request_timeout;
-	atomic_set(&nb->refcnt, 1);
+	refcount_set(&nb->refcnt, 1);
 
 	write_lock_bh(&x25_neigh_list_lock);
 	list_add(&nb->node, &x25_neigh_list);
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 13/23] net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/xfrm.h    | 9 +++++----
 net/xfrm/xfrm_state.c | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 14d82bf..163cda5 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -13,6 +13,7 @@
 #include <linux/mutex.h>
 #include <linux/audit.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 
 #include <net/sock.h>
 #include <net/dst.h>
@@ -130,7 +131,7 @@ struct xfrm_state {
 	struct hlist_node	bysrc;
 	struct hlist_node	byspi;
 
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	spinlock_t		lock;
 
 	struct xfrm_id		id;
@@ -802,18 +803,18 @@ void __xfrm_state_destroy(struct xfrm_state *);
 
 static inline void __xfrm_state_put(struct xfrm_state *x)
 {
-	atomic_dec(&x->refcnt);
+	refcount_dec(&x->refcnt);
 }
 
 static inline void xfrm_state_put(struct xfrm_state *x)
 {
-	if (atomic_dec_and_test(&x->refcnt))
+	if (refcount_dec_and_test(&x->refcnt))
 		__xfrm_state_destroy(x);
 }
 
 static inline void xfrm_state_hold(struct xfrm_state *x)
 {
-	atomic_inc(&x->refcnt);
+	refcount_inc(&x->refcnt);
 }
 
 static inline bool addr_match(const void *token1, const void *token2,
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5a597db..a91109f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -48,7 +48,7 @@ static HLIST_HEAD(xfrm_state_gc_list);
 
 static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x)
 {
-	return atomic_inc_not_zero(&x->refcnt);
+	return refcount_inc_not_zero(&x->refcnt);
 }
 
 static inline unsigned int xfrm_dst_hash(struct net *net,
@@ -486,7 +486,7 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
 
 	if (x) {
 		write_pnet(&x->xs_net, net);
-		atomic_set(&x->refcnt, 1);
+		refcount_set(&x->refcnt, 1);
 		atomic_set(&x->tunnel_users, 0);
 		INIT_LIST_HEAD(&x->km.all);
 		INIT_HLIST_NODE(&x->bydst);
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 13/23] net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h    | 9 +++++----
 net/xfrm/xfrm_state.c | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 14d82bf..163cda5 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -13,6 +13,7 @@
 #include <linux/mutex.h>
 #include <linux/audit.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 
 #include <net/sock.h>
 #include <net/dst.h>
@@ -130,7 +131,7 @@ struct xfrm_state {
 	struct hlist_node	bysrc;
 	struct hlist_node	byspi;
 
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	spinlock_t		lock;
 
 	struct xfrm_id		id;
@@ -802,18 +803,18 @@ void __xfrm_state_destroy(struct xfrm_state *);
 
 static inline void __xfrm_state_put(struct xfrm_state *x)
 {
-	atomic_dec(&x->refcnt);
+	refcount_dec(&x->refcnt);
 }
 
 static inline void xfrm_state_put(struct xfrm_state *x)
 {
-	if (atomic_dec_and_test(&x->refcnt))
+	if (refcount_dec_and_test(&x->refcnt))
 		__xfrm_state_destroy(x);
 }
 
 static inline void xfrm_state_hold(struct xfrm_state *x)
 {
-	atomic_inc(&x->refcnt);
+	refcount_inc(&x->refcnt);
 }
 
 static inline bool addr_match(const void *token1, const void *token2,
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5a597db..a91109f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -48,7 +48,7 @@ static HLIST_HEAD(xfrm_state_gc_list);
 
 static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x)
 {
-	return atomic_inc_not_zero(&x->refcnt);
+	return refcount_inc_not_zero(&x->refcnt);
 }
 
 static inline unsigned int xfrm_dst_hash(struct net *net,
@@ -486,7 +486,7 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
 
 	if (x) {
 		write_pnet(&x->xs_net, net);
-		atomic_set(&x->refcnt, 1);
+		refcount_set(&x->refcnt, 1);
 		atomic_set(&x->tunnel_users, 0);
 		INIT_LIST_HEAD(&x->km.all);
 		INIT_HLIST_NODE(&x->bydst);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 13/23] net, xfrm: convert xfrm_state.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h    | 9 +++++----
 net/xfrm/xfrm_state.c | 4 ++--
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 14d82bf..163cda5 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -13,6 +13,7 @@
 #include <linux/mutex.h>
 #include <linux/audit.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 
 #include <net/sock.h>
 #include <net/dst.h>
@@ -130,7 +131,7 @@ struct xfrm_state {
 	struct hlist_node	bysrc;
 	struct hlist_node	byspi;
 
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	spinlock_t		lock;
 
 	struct xfrm_id		id;
@@ -802,18 +803,18 @@ void __xfrm_state_destroy(struct xfrm_state *);
 
 static inline void __xfrm_state_put(struct xfrm_state *x)
 {
-	atomic_dec(&x->refcnt);
+	refcount_dec(&x->refcnt);
 }
 
 static inline void xfrm_state_put(struct xfrm_state *x)
 {
-	if (atomic_dec_and_test(&x->refcnt))
+	if (refcount_dec_and_test(&x->refcnt))
 		__xfrm_state_destroy(x);
 }
 
 static inline void xfrm_state_hold(struct xfrm_state *x)
 {
-	atomic_inc(&x->refcnt);
+	refcount_inc(&x->refcnt);
 }
 
 static inline bool addr_match(const void *token1, const void *token2,
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 5a597db..a91109f 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -48,7 +48,7 @@ static HLIST_HEAD(xfrm_state_gc_list);
 
 static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x)
 {
-	return atomic_inc_not_zero(&x->refcnt);
+	return refcount_inc_not_zero(&x->refcnt);
 }
 
 static inline unsigned int xfrm_dst_hash(struct net *net,
@@ -486,7 +486,7 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
 
 	if (x) {
 		write_pnet(&x->xs_net, net);
-		atomic_set(&x->refcnt, 1);
+		refcount_set(&x->refcnt, 1);
 		atomic_set(&x->tunnel_users, 0);
 		INIT_LIST_HEAD(&x->km.all);
 		INIT_HLIST_NODE(&x->bydst);
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 14/23] net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/xfrm.h     | 6 +++---
 net/key/af_key.c       | 2 +-
 net/xfrm/xfrm_policy.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 163cda5..be30846 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -525,7 +525,7 @@ struct xfrm_policy {
 
 	/* This lock only affects elements except for entry. */
 	rwlock_t		lock;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	struct timer_list	timer;
 
 	struct flow_cache_object flo;
@@ -781,14 +781,14 @@ static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 {
 	if (likely(policy != NULL))
-		atomic_inc(&policy->refcnt);
+		refcount_inc(&policy->refcnt);
 }
 
 void xfrm_policy_destroy(struct xfrm_policy *policy);
 
 static inline void xfrm_pol_put(struct xfrm_policy *policy)
 {
-	if (atomic_dec_and_test(&policy->refcnt))
+	if (refcount_dec_and_test(&policy->refcnt))
 		xfrm_policy_destroy(policy);
 }
 
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c6252ed..d3611af 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2152,7 +2152,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *
 	}
 
 	hdr->sadb_msg_len = size / sizeof(uint64_t);
-	hdr->sadb_msg_reserved = atomic_read(&xp->refcnt);
+	hdr->sadb_msg_reserved = refcount_read(&xp->refcnt);
 
 	return 0;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 236cbbc..91cf3e7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -62,7 +62,7 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
 
 static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
 {
-	return atomic_inc_not_zero(&policy->refcnt);
+	return refcount_inc_not_zero(&policy->refcnt);
 }
 
 static inline bool
@@ -292,7 +292,7 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
 		INIT_HLIST_NODE(&policy->bydst);
 		INIT_HLIST_NODE(&policy->byidx);
 		rwlock_init(&policy->lock);
-		atomic_set(&policy->refcnt, 1);
+		refcount_set(&policy->refcnt, 1);
 		skb_queue_head_init(&policy->polq.hold_queue);
 		setup_timer(&policy->timer, xfrm_policy_timer,
 				(unsigned long)policy);
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 14/23] net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h     | 6 +++---
 net/key/af_key.c       | 2 +-
 net/xfrm/xfrm_policy.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 163cda5..be30846 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -525,7 +525,7 @@ struct xfrm_policy {
 
 	/* This lock only affects elements except for entry. */
 	rwlock_t		lock;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	struct timer_list	timer;
 
 	struct flow_cache_object flo;
@@ -781,14 +781,14 @@ static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 {
 	if (likely(policy != NULL))
-		atomic_inc(&policy->refcnt);
+		refcount_inc(&policy->refcnt);
 }
 
 void xfrm_policy_destroy(struct xfrm_policy *policy);
 
 static inline void xfrm_pol_put(struct xfrm_policy *policy)
 {
-	if (atomic_dec_and_test(&policy->refcnt))
+	if (refcount_dec_and_test(&policy->refcnt))
 		xfrm_policy_destroy(policy);
 }
 
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c6252ed..d3611af 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2152,7 +2152,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *
 	}
 
 	hdr->sadb_msg_len = size / sizeof(uint64_t);
-	hdr->sadb_msg_reserved = atomic_read(&xp->refcnt);
+	hdr->sadb_msg_reserved = refcount_read(&xp->refcnt);
 
 	return 0;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 236cbbc..91cf3e7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -62,7 +62,7 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
 
 static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
 {
-	return atomic_inc_not_zero(&policy->refcnt);
+	return refcount_inc_not_zero(&policy->refcnt);
 }
 
 static inline bool
@@ -292,7 +292,7 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
 		INIT_HLIST_NODE(&policy->bydst);
 		INIT_HLIST_NODE(&policy->byidx);
 		rwlock_init(&policy->lock);
-		atomic_set(&policy->refcnt, 1);
+		refcount_set(&policy->refcnt, 1);
 		skb_queue_head_init(&policy->polq.hold_queue);
 		setup_timer(&policy->timer, xfrm_policy_timer,
 				(unsigned long)policy);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 14/23] net, xfrm: convert xfrm_policy.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h     | 6 +++---
 net/key/af_key.c       | 2 +-
 net/xfrm/xfrm_policy.c | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 163cda5..be30846 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -525,7 +525,7 @@ struct xfrm_policy {
 
 	/* This lock only affects elements except for entry. */
 	rwlock_t		lock;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	struct timer_list	timer;
 
 	struct flow_cache_object flo;
@@ -781,14 +781,14 @@ static inline void xfrm_audit_state_icvfail(struct xfrm_state *x,
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
 {
 	if (likely(policy != NULL))
-		atomic_inc(&policy->refcnt);
+		refcount_inc(&policy->refcnt);
 }
 
 void xfrm_policy_destroy(struct xfrm_policy *policy);
 
 static inline void xfrm_pol_put(struct xfrm_policy *policy)
 {
-	if (atomic_dec_and_test(&policy->refcnt))
+	if (refcount_dec_and_test(&policy->refcnt))
 		xfrm_policy_destroy(policy);
 }
 
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c6252ed..d3611af 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2152,7 +2152,7 @@ static int pfkey_xfrm_policy2msg(struct sk_buff *skb, const struct xfrm_policy *
 	}
 
 	hdr->sadb_msg_len = size / sizeof(uint64_t);
-	hdr->sadb_msg_reserved = atomic_read(&xp->refcnt);
+	hdr->sadb_msg_reserved = refcount_read(&xp->refcnt);
 
 	return 0;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 236cbbc..91cf3e7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -62,7 +62,7 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
 
 static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
 {
-	return atomic_inc_not_zero(&policy->refcnt);
+	return refcount_inc_not_zero(&policy->refcnt);
 }
 
 static inline bool
@@ -292,7 +292,7 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
 		INIT_HLIST_NODE(&policy->bydst);
 		INIT_HLIST_NODE(&policy->byidx);
 		rwlock_init(&policy->lock);
-		atomic_set(&policy->refcnt, 1);
+		refcount_set(&policy->refcnt, 1);
 		skb_queue_head_init(&policy->polq.hold_queue);
 		setup_timer(&policy->timer, xfrm_policy_timer,
 				(unsigned long)policy);
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 15/23] net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h    | 6 +++---
 net/xfrm/xfrm_input.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index be30846..35d1cca 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1005,7 +1005,7 @@ struct xfrm_offload {
 };
 
 struct sec_path {
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	int			len;
 	int			olen;
 
@@ -1026,7 +1026,7 @@ static inline struct sec_path *
 secpath_get(struct sec_path *sp)
 {
 	if (sp)
-		atomic_inc(&sp->refcnt);
+		refcount_inc(&sp->refcnt);
 	return sp;
 }
 
@@ -1035,7 +1035,7 @@ void __secpath_destroy(struct sec_path *sp);
 static inline void
 secpath_put(struct sec_path *sp)
 {
-	if (sp && atomic_dec_and_test(&sp->refcnt))
+	if (sp && refcount_dec_and_test(&sp->refcnt))
 		__secpath_destroy(sp);
 }
 
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 46bdb4f..203ba90 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -114,7 +114,7 @@ struct sec_path *secpath_dup(struct sec_path *src)
 		for (i = 0; i < sp->len; i++)
 			xfrm_state_hold(sp->xvec[i]);
 	}
-	atomic_set(&sp->refcnt, 1);
+	refcount_set(&sp->refcnt, 1);
 	return sp;
 }
 EXPORT_SYMBOL(secpath_dup);
@@ -124,7 +124,7 @@ int secpath_set(struct sk_buff *skb)
 	struct sec_path *sp;
 
 	/* Allocate new secpath or COW existing one. */
-	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
+	if (!skb->sp || refcount_read(&skb->sp->refcnt) != 1) {
 		sp = secpath_dup(skb->sp);
 		if (!sp)
 			return -ENOMEM;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 15/23] net, xfrm: convert sec_path.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/xfrm.h    | 6 +++---
 net/xfrm/xfrm_input.c | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index be30846..35d1cca 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1005,7 +1005,7 @@ struct xfrm_offload {
 };
 
 struct sec_path {
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	int			len;
 	int			olen;
 
@@ -1026,7 +1026,7 @@ static inline struct sec_path *
 secpath_get(struct sec_path *sp)
 {
 	if (sp)
-		atomic_inc(&sp->refcnt);
+		refcount_inc(&sp->refcnt);
 	return sp;
 }
 
@@ -1035,7 +1035,7 @@ void __secpath_destroy(struct sec_path *sp);
 static inline void
 secpath_put(struct sec_path *sp)
 {
-	if (sp && atomic_dec_and_test(&sp->refcnt))
+	if (sp && refcount_dec_and_test(&sp->refcnt))
 		__secpath_destroy(sp);
 }
 
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 46bdb4f..203ba90 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -114,7 +114,7 @@ struct sec_path *secpath_dup(struct sec_path *src)
 		for (i = 0; i < sp->len; i++)
 			xfrm_state_hold(sp->xvec[i]);
 	}
-	atomic_set(&sp->refcnt, 1);
+	refcount_set(&sp->refcnt, 1);
 	return sp;
 }
 EXPORT_SYMBOL(secpath_dup);
@@ -124,7 +124,7 @@ int secpath_set(struct sk_buff *skb)
 	struct sec_path *sp;
 
 	/* Allocate new secpath or COW existing one. */
-	if (!skb->sp || atomic_read(&skb->sp->refcnt) != 1) {
+	if (!skb->sp || refcount_read(&skb->sp->refcnt) != 1) {
 		sp = secpath_dup(skb->sp);
 		if (!sp)
 			return -ENOMEM;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 16/23] net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/auth.h | 5 +++--
 net/sctp/auth.c         | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h
index 9b9fb12..328fccc 100644
--- a/include/net/sctp/auth.h
+++ b/include/net/sctp/auth.h
@@ -31,6 +31,7 @@
 #define __sctp_auth_h__
 
 #include <linux/list.h>
+#include <linux/refcount.h>
 
 struct sctp_endpoint;
 struct sctp_association;
@@ -53,7 +54,7 @@ struct sctp_hmac {
  * over SCTP-AUTH
  */
 struct sctp_auth_bytes {
-	atomic_t refcnt;
+	refcount_t refcnt;
 	__u32 len;
 	__u8  data[];
 };
@@ -76,7 +77,7 @@ static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key)
 	if (!key)
 		return;
 
-	atomic_inc(&key->refcnt);
+	refcount_inc(&key->refcnt);
 }
 
 void sctp_auth_key_put(struct sctp_auth_bytes *key);
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index f99d485..b6c98fe 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -63,7 +63,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
 	if (!key)
 		return;
 
-	if (atomic_dec_and_test(&key->refcnt)) {
+	if (refcount_dec_and_test(&key->refcnt)) {
 		kzfree(key);
 		SCTP_DBG_OBJCNT_DEC(keys);
 	}
@@ -84,7 +84,7 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
 		return NULL;
 
 	key->len = key_len;
-	atomic_set(&key->refcnt, 1);
+	refcount_set(&key->refcnt, 1);
 	SCTP_DBG_OBJCNT_INC(keys);
 
 	return key;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 16/23] net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/auth.h | 5 +++--
 net/sctp/auth.c         | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h
index 9b9fb12..328fccc 100644
--- a/include/net/sctp/auth.h
+++ b/include/net/sctp/auth.h
@@ -31,6 +31,7 @@
 #define __sctp_auth_h__
 
 #include <linux/list.h>
+#include <linux/refcount.h>
 
 struct sctp_endpoint;
 struct sctp_association;
@@ -53,7 +54,7 @@ struct sctp_hmac {
  * over SCTP-AUTH
  */
 struct sctp_auth_bytes {
-	atomic_t refcnt;
+	refcount_t refcnt;
 	__u32 len;
 	__u8  data[];
 };
@@ -76,7 +77,7 @@ static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key)
 	if (!key)
 		return;
 
-	atomic_inc(&key->refcnt);
+	refcount_inc(&key->refcnt);
 }
 
 void sctp_auth_key_put(struct sctp_auth_bytes *key);
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index f99d485..b6c98fe 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -63,7 +63,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
 	if (!key)
 		return;
 
-	if (atomic_dec_and_test(&key->refcnt)) {
+	if (refcount_dec_and_test(&key->refcnt)) {
 		kzfree(key);
 		SCTP_DBG_OBJCNT_DEC(keys);
 	}
@@ -84,7 +84,7 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
 		return NULL;
 
 	key->len = key_len;
-	atomic_set(&key->refcnt, 1);
+	refcount_set(&key->refcnt, 1);
 	SCTP_DBG_OBJCNT_INC(keys);
 
 	return key;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 17/23] net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/chunk.c           | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index a244db5..106e1d3 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -491,7 +491,7 @@ struct sctp_datamsg {
 	/* Chunks waiting to be submitted to lower layer. */
 	struct list_head chunks;
 	/* Reference counting. */
-	atomic_t refcnt;
+	refcount_t refcnt;
 	/* When is this message no longer interesting to the peer? */
 	unsigned long expires_at;
 	/* Did the messenge fail to send? */
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index e3621cb..30c73ce 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -49,7 +49,7 @@
 /* Initialize datamsg from memory. */
 static void sctp_datamsg_init(struct sctp_datamsg *msg)
 {
-	atomic_set(&msg->refcnt, 1);
+	refcount_set(&msg->refcnt, 1);
 	msg->send_failed = 0;
 	msg->send_error = 0;
 	msg->can_delay = 1;
@@ -136,13 +136,13 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
 /* Hold a reference. */
 static void sctp_datamsg_hold(struct sctp_datamsg *msg)
 {
-	atomic_inc(&msg->refcnt);
+	refcount_inc(&msg->refcnt);
 }
 
 /* Release a reference. */
 void sctp_datamsg_put(struct sctp_datamsg *msg)
 {
-	if (atomic_dec_and_test(&msg->refcnt))
+	if (refcount_dec_and_test(&msg->refcnt))
 		sctp_datamsg_destroy(msg);
 }
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 17/23] net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/chunk.c           | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index a244db5..106e1d3 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -491,7 +491,7 @@ struct sctp_datamsg {
 	/* Chunks waiting to be submitted to lower layer. */
 	struct list_head chunks;
 	/* Reference counting. */
-	atomic_t refcnt;
+	refcount_t refcnt;
 	/* When is this message no longer interesting to the peer? */
 	unsigned long expires_at;
 	/* Did the messenge fail to send? */
diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index e3621cb..30c73ce 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -49,7 +49,7 @@
 /* Initialize datamsg from memory. */
 static void sctp_datamsg_init(struct sctp_datamsg *msg)
 {
-	atomic_set(&msg->refcnt, 1);
+	refcount_set(&msg->refcnt, 1);
 	msg->send_failed = 0;
 	msg->send_error = 0;
 	msg->can_delay = 1;
@@ -136,13 +136,13 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
 /* Hold a reference. */
 static void sctp_datamsg_hold(struct sctp_datamsg *msg)
 {
-	atomic_inc(&msg->refcnt);
+	refcount_inc(&msg->refcnt);
 }
 
 /* Release a reference. */
 void sctp_datamsg_put(struct sctp_datamsg *msg)
 {
-	if (atomic_dec_and_test(&msg->refcnt))
+	if (refcount_dec_and_test(&msg->refcnt))
 		sctp_datamsg_destroy(msg);
 }
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 18/23] net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/sm_make_chunk.c   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 106e1d3..7ee0c26 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -520,7 +520,7 @@ int sctp_chunk_abandoned(struct sctp_chunk *);
 struct sctp_chunk {
 	struct list_head list;
 
-	atomic_t refcnt;
+	refcount_t refcnt;
 
 	/* How many times this chunk have been sent, for prsctp RTX policy */
 	int sent_count;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 969a30c..a54add6 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1346,7 +1346,7 @@ struct sctp_chunk *sctp_chunkify(struct sk_buff *skb,
 	INIT_LIST_HEAD(&retval->transmitted_list);
 	INIT_LIST_HEAD(&retval->frag_list);
 	SCTP_DBG_OBJCNT_INC(chunk);
-	atomic_set(&retval->refcnt, 1);
+	refcount_set(&retval->refcnt, 1);
 
 nodata:
 	return retval;
@@ -1459,13 +1459,13 @@ void sctp_chunk_free(struct sctp_chunk *chunk)
 /* Grab a reference to the chunk. */
 void sctp_chunk_hold(struct sctp_chunk *ch)
 {
-	atomic_inc(&ch->refcnt);
+	refcount_inc(&ch->refcnt);
 }
 
 /* Release a reference to the chunk. */
 void sctp_chunk_put(struct sctp_chunk *ch)
 {
-	if (atomic_dec_and_test(&ch->refcnt))
+	if (refcount_dec_and_test(&ch->refcnt))
 		sctp_chunk_destroy(ch);
 }
 
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 18/23] net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/sm_make_chunk.c   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 106e1d3..7ee0c26 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -520,7 +520,7 @@ int sctp_chunk_abandoned(struct sctp_chunk *);
 struct sctp_chunk {
 	struct list_head list;
 
-	atomic_t refcnt;
+	refcount_t refcnt;
 
 	/* How many times this chunk have been sent, for prsctp RTX policy */
 	int sent_count;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 969a30c..a54add6 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1346,7 +1346,7 @@ struct sctp_chunk *sctp_chunkify(struct sk_buff *skb,
 	INIT_LIST_HEAD(&retval->transmitted_list);
 	INIT_LIST_HEAD(&retval->frag_list);
 	SCTP_DBG_OBJCNT_INC(chunk);
-	atomic_set(&retval->refcnt, 1);
+	refcount_set(&retval->refcnt, 1);
 
 nodata:
 	return retval;
@@ -1459,13 +1459,13 @@ void sctp_chunk_free(struct sctp_chunk *chunk)
 /* Grab a reference to the chunk. */
 void sctp_chunk_hold(struct sctp_chunk *ch)
 {
-	atomic_inc(&ch->refcnt);
+	refcount_inc(&ch->refcnt);
 }
 
 /* Release a reference to the chunk. */
 void sctp_chunk_put(struct sctp_chunk *ch)
 {
-	if (atomic_dec_and_test(&ch->refcnt))
+	if (refcount_dec_and_test(&ch->refcnt))
 		sctp_chunk_destroy(ch);
 }
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 18/23] net, sctp: convert sctp_chunk.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/sm_make_chunk.c   | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 106e1d3..7ee0c26 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -520,7 +520,7 @@ int sctp_chunk_abandoned(struct sctp_chunk *);
 struct sctp_chunk {
 	struct list_head list;
 
-	atomic_t refcnt;
+	refcount_t refcnt;
 
 	/* How many times this chunk have been sent, for prsctp RTX policy */
 	int sent_count;
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 969a30c..a54add6 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1346,7 +1346,7 @@ struct sctp_chunk *sctp_chunkify(struct sk_buff *skb,
 	INIT_LIST_HEAD(&retval->transmitted_list);
 	INIT_LIST_HEAD(&retval->frag_list);
 	SCTP_DBG_OBJCNT_INC(chunk);
-	atomic_set(&retval->refcnt, 1);
+	refcount_set(&retval->refcnt, 1);
 
 nodata:
 	return retval;
@@ -1459,13 +1459,13 @@ void sctp_chunk_free(struct sctp_chunk *chunk)
 /* Grab a reference to the chunk. */
 void sctp_chunk_hold(struct sctp_chunk *ch)
 {
-	atomic_inc(&ch->refcnt);
+	refcount_inc(&ch->refcnt);
 }
 
 /* Release a reference to the chunk. */
 void sctp_chunk_put(struct sctp_chunk *ch)
 {
-	if (atomic_dec_and_test(&ch->refcnt))
+	if (refcount_dec_and_test(&ch->refcnt))
 		sctp_chunk_destroy(ch);
 }
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 19/23] net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/transport.c       | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7ee0c26..ac3184e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -731,7 +731,7 @@ struct sctp_transport {
 	struct rhlist_head node;
 
 	/* Reference counting. */
-	atomic_t refcnt;
+	refcount_t refcnt;
 		/* RTO-Pending : A flag used to track if one of the DATA
 		 *		chunks sent to this address is currently being
 		 *		used to compute a RTT. If this flag is 0,
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 3379668..45a5774 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -99,7 +99,7 @@ static struct sctp_transport *sctp_transport_init(struct net *net,
 	/* Initialize the 64-bit random nonce sent with heartbeat. */
 	get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
 
-	atomic_set(&peer->refcnt, 1);
+	refcount_set(&peer->refcnt, 1);
 
 	return peer;
 }
@@ -172,7 +172,7 @@ static void sctp_transport_destroy_rcu(struct rcu_head *head)
  */
 static void sctp_transport_destroy(struct sctp_transport *transport)
 {
-	if (unlikely(atomic_read(&transport->refcnt))) {
+	if (unlikely(refcount_read(&transport->refcnt))) {
 		WARN(1, "Attempt to destroy undead transport %p!\n", transport);
 		return;
 	}
@@ -316,7 +316,7 @@ void sctp_transport_route(struct sctp_transport *transport,
 /* Hold a reference to a transport.  */
 int sctp_transport_hold(struct sctp_transport *transport)
 {
-	return atomic_add_unless(&transport->refcnt, 1, 0);
+	return refcount_inc_not_zero(&transport->refcnt);
 }
 
 /* Release a reference to a transport and clean up
@@ -324,7 +324,7 @@ int sctp_transport_hold(struct sctp_transport *transport)
  */
 void sctp_transport_put(struct sctp_transport *transport)
 {
-	if (atomic_dec_and_test(&transport->refcnt))
+	if (refcount_dec_and_test(&transport->refcnt))
 		sctp_transport_destroy(transport);
 }
 
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 19/23] net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/transport.c       | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7ee0c26..ac3184e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -731,7 +731,7 @@ struct sctp_transport {
 	struct rhlist_head node;
 
 	/* Reference counting. */
-	atomic_t refcnt;
+	refcount_t refcnt;
 		/* RTO-Pending : A flag used to track if one of the DATA
 		 *		chunks sent to this address is currently being
 		 *		used to compute a RTT. If this flag is 0,
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 3379668..45a5774 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -99,7 +99,7 @@ static struct sctp_transport *sctp_transport_init(struct net *net,
 	/* Initialize the 64-bit random nonce sent with heartbeat. */
 	get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
 
-	atomic_set(&peer->refcnt, 1);
+	refcount_set(&peer->refcnt, 1);
 
 	return peer;
 }
@@ -172,7 +172,7 @@ static void sctp_transport_destroy_rcu(struct rcu_head *head)
  */
 static void sctp_transport_destroy(struct sctp_transport *transport)
 {
-	if (unlikely(atomic_read(&transport->refcnt))) {
+	if (unlikely(refcount_read(&transport->refcnt))) {
 		WARN(1, "Attempt to destroy undead transport %p!\n", transport);
 		return;
 	}
@@ -316,7 +316,7 @@ void sctp_transport_route(struct sctp_transport *transport,
 /* Hold a reference to a transport.  */
 int sctp_transport_hold(struct sctp_transport *transport)
 {
-	return atomic_add_unless(&transport->refcnt, 1, 0);
+	return refcount_inc_not_zero(&transport->refcnt);
 }
 
 /* Release a reference to a transport and clean up
@@ -324,7 +324,7 @@ int sctp_transport_hold(struct sctp_transport *transport)
  */
 void sctp_transport_put(struct sctp_transport *transport)
 {
-	if (atomic_dec_and_test(&transport->refcnt))
+	if (refcount_dec_and_test(&transport->refcnt))
 		sctp_transport_destroy(transport);
 }
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 19/23] net, sctp: convert sctp_transport.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/transport.c       | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7ee0c26..ac3184e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -731,7 +731,7 @@ struct sctp_transport {
 	struct rhlist_head node;
 
 	/* Reference counting. */
-	atomic_t refcnt;
+	refcount_t refcnt;
 		/* RTO-Pending : A flag used to track if one of the DATA
 		 *		chunks sent to this address is currently being
 		 *		used to compute a RTT. If this flag is 0,
diff --git a/net/sctp/transport.c b/net/sctp/transport.c
index 3379668..45a5774 100644
--- a/net/sctp/transport.c
+++ b/net/sctp/transport.c
@@ -99,7 +99,7 @@ static struct sctp_transport *sctp_transport_init(struct net *net,
 	/* Initialize the 64-bit random nonce sent with heartbeat. */
 	get_random_bytes(&peer->hb_nonce, sizeof(peer->hb_nonce));
 
-	atomic_set(&peer->refcnt, 1);
+	refcount_set(&peer->refcnt, 1);
 
 	return peer;
 }
@@ -172,7 +172,7 @@ static void sctp_transport_destroy_rcu(struct rcu_head *head)
  */
 static void sctp_transport_destroy(struct sctp_transport *transport)
 {
-	if (unlikely(atomic_read(&transport->refcnt))) {
+	if (unlikely(refcount_read(&transport->refcnt))) {
 		WARN(1, "Attempt to destroy undead transport %p!\n", transport);
 		return;
 	}
@@ -316,7 +316,7 @@ void sctp_transport_route(struct sctp_transport *transport,
 /* Hold a reference to a transport.  */
 int sctp_transport_hold(struct sctp_transport *transport)
 {
-	return atomic_add_unless(&transport->refcnt, 1, 0);
+	return refcount_inc_not_zero(&transport->refcnt);
 }
 
 /* Release a reference to a transport and clean up
@@ -324,7 +324,7 @@ int sctp_transport_hold(struct sctp_transport *transport)
  */
 void sctp_transport_put(struct sctp_transport *transport)
 {
-	if (atomic_dec_and_test(&transport->refcnt))
+	if (refcount_dec_and_test(&transport->refcnt))
 		sctp_transport_destroy(transport);
 }
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 20/23] net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/associola.c       | 6 +++---
 net/sctp/endpointola.c     | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index ac3184e..7a9ce11 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1170,7 +1170,7 @@ struct sctp_ep_common {
 	 *   refcnt   - Reference count access to this object.
 	 *   dead     - Do not attempt to use this object.
 	 */
-	atomic_t    refcnt;
+	refcount_t    refcnt;
 	bool	    dead;
 
 	/* What socket does this endpoint belong to?  */
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 2a6835b..e5b60b5 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -89,7 +89,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 	asoc->base.type = SCTP_EP_TYPE_ASSOCIATION;
 
 	/* Initialize the object handling fields.  */
-	atomic_set(&asoc->base.refcnt, 1);
+	refcount_set(&asoc->base.refcnt, 1);
 
 	/* Initialize the bind addr area.  */
 	sctp_bind_addr_init(&asoc->base.bind_addr, ep->base.bind_addr.port);
@@ -869,7 +869,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
 /* Hold a reference to an association. */
 void sctp_association_hold(struct sctp_association *asoc)
 {
-	atomic_inc(&asoc->base.refcnt);
+	refcount_inc(&asoc->base.refcnt);
 }
 
 /* Release a reference to an association and cleanup
@@ -877,7 +877,7 @@ void sctp_association_hold(struct sctp_association *asoc)
  */
 void sctp_association_put(struct sctp_association *asoc)
 {
-	if (atomic_dec_and_test(&asoc->base.refcnt))
+	if (refcount_dec_and_test(&asoc->base.refcnt))
 		sctp_association_destroy(asoc);
 }
 
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 8c58923..9189a9f 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -113,7 +113,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
 	ep->base.type = SCTP_EP_TYPE_SOCKET;
 
 	/* Initialize the basic object fields. */
-	atomic_set(&ep->base.refcnt, 1);
+	refcount_set(&ep->base.refcnt, 1);
 	ep->base.dead = false;
 
 	/* Create an input queue.  */
@@ -285,7 +285,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
 /* Hold a reference to an endpoint. */
 void sctp_endpoint_hold(struct sctp_endpoint *ep)
 {
-	atomic_inc(&ep->base.refcnt);
+	refcount_inc(&ep->base.refcnt);
 }
 
 /* Release a reference to an endpoint and clean up if there are
@@ -293,7 +293,7 @@ void sctp_endpoint_hold(struct sctp_endpoint *ep)
  */
 void sctp_endpoint_put(struct sctp_endpoint *ep)
 {
-	if (atomic_dec_and_test(&ep->base.refcnt))
+	if (refcount_dec_and_test(&ep->base.refcnt))
 		sctp_endpoint_destroy(ep);
 }
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 20/23] net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/sctp/structs.h | 2 +-
 net/sctp/associola.c       | 6 +++---
 net/sctp/endpointola.c     | 6 +++---
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index ac3184e..7a9ce11 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1170,7 +1170,7 @@ struct sctp_ep_common {
 	 *   refcnt   - Reference count access to this object.
 	 *   dead     - Do not attempt to use this object.
 	 */
-	atomic_t    refcnt;
+	refcount_t    refcnt;
 	bool	    dead;
 
 	/* What socket does this endpoint belong to?  */
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 2a6835b..e5b60b5 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -89,7 +89,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
 	asoc->base.type = SCTP_EP_TYPE_ASSOCIATION;
 
 	/* Initialize the object handling fields.  */
-	atomic_set(&asoc->base.refcnt, 1);
+	refcount_set(&asoc->base.refcnt, 1);
 
 	/* Initialize the bind addr area.  */
 	sctp_bind_addr_init(&asoc->base.bind_addr, ep->base.bind_addr.port);
@@ -869,7 +869,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
 /* Hold a reference to an association. */
 void sctp_association_hold(struct sctp_association *asoc)
 {
-	atomic_inc(&asoc->base.refcnt);
+	refcount_inc(&asoc->base.refcnt);
 }
 
 /* Release a reference to an association and cleanup
@@ -877,7 +877,7 @@ void sctp_association_hold(struct sctp_association *asoc)
  */
 void sctp_association_put(struct sctp_association *asoc)
 {
-	if (atomic_dec_and_test(&asoc->base.refcnt))
+	if (refcount_dec_and_test(&asoc->base.refcnt))
 		sctp_association_destroy(asoc);
 }
 
diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index 8c58923..9189a9f 100644
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -113,7 +113,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
 	ep->base.type = SCTP_EP_TYPE_SOCKET;
 
 	/* Initialize the basic object fields. */
-	atomic_set(&ep->base.refcnt, 1);
+	refcount_set(&ep->base.refcnt, 1);
 	ep->base.dead = false;
 
 	/* Create an input queue.  */
@@ -285,7 +285,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
 /* Hold a reference to an endpoint. */
 void sctp_endpoint_hold(struct sctp_endpoint *ep)
 {
-	atomic_inc(&ep->base.refcnt);
+	refcount_inc(&ep->base.refcnt);
 }
 
 /* Release a reference to an endpoint and clean up if there are
@@ -293,7 +293,7 @@ void sctp_endpoint_hold(struct sctp_endpoint *ep)
  */
 void sctp_endpoint_put(struct sctp_endpoint *ep)
 {
-	if (atomic_dec_and_test(&ep->base.refcnt))
+	if (refcount_dec_and_test(&ep->base.refcnt))
 		sctp_endpoint_destroy(ep);
 }
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 21/23] net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/ax25.h  | 8 ++++----
 net/ax25/ax25_uid.c | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index e602f81..edd82f0 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -11,7 +11,7 @@
 #include <linux/timer.h>
 #include <linux/list.h>
 #include <linux/slab.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <net/neighbour.h>
 #include <net/sock.h>
 
@@ -158,7 +158,7 @@ enum {
 
 typedef struct ax25_uid_assoc {
 	struct hlist_node	uid_node;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	kuid_t			uid;
 	ax25_address		call;
 } ax25_uid_assoc;
@@ -167,11 +167,11 @@ typedef struct ax25_uid_assoc {
 	hlist_for_each_entry(__ax25, list, uid_node)
 
 #define ax25_uid_hold(ax25) \
-	atomic_inc(&((ax25)->refcount))
+	refcount_inc(&((ax25)->refcount))
 
 static inline void ax25_uid_put(ax25_uid_assoc *assoc)
 {
-	if (atomic_dec_and_test(&assoc->refcount)) {
+	if (refcount_dec_and_test(&assoc->refcount)) {
 		kfree(assoc);
 	}
 }
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index 0403b0d..83b035f 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -107,7 +107,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
 		if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL)
 			return -ENOMEM;
 
-		atomic_set(&ax25_uid->refcount, 1);
+		refcount_set(&ax25_uid->refcount, 1);
 		ax25_uid->uid  = sax25_kuid;
 		ax25_uid->call = sax->sax25_call;
 
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 21/23] net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h  | 8 ++++----
 net/ax25/ax25_uid.c | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index e602f81..edd82f0 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -11,7 +11,7 @@
 #include <linux/timer.h>
 #include <linux/list.h>
 #include <linux/slab.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <net/neighbour.h>
 #include <net/sock.h>
 
@@ -158,7 +158,7 @@ enum {
 
 typedef struct ax25_uid_assoc {
 	struct hlist_node	uid_node;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	kuid_t			uid;
 	ax25_address		call;
 } ax25_uid_assoc;
@@ -167,11 +167,11 @@ typedef struct ax25_uid_assoc {
 	hlist_for_each_entry(__ax25, list, uid_node)
 
 #define ax25_uid_hold(ax25) \
-	atomic_inc(&((ax25)->refcount))
+	refcount_inc(&((ax25)->refcount))
 
 static inline void ax25_uid_put(ax25_uid_assoc *assoc)
 {
-	if (atomic_dec_and_test(&assoc->refcount)) {
+	if (refcount_dec_and_test(&assoc->refcount)) {
 		kfree(assoc);
 	}
 }
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index 0403b0d..83b035f 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -107,7 +107,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
 		if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) == NULL)
 			return -ENOMEM;
 
-		atomic_set(&ax25_uid->refcount, 1);
+		refcount_set(&ax25_uid->refcount, 1);
 		ax25_uid->uid  = sax25_kuid;
 		ax25_uid->call = sax->sax25_call;
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 21/23] net, ax25: convert ax25_uid_assoc.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h  | 8 ++++----
 net/ax25/ax25_uid.c | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index e602f81..edd82f0 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -11,7 +11,7 @@
 #include <linux/timer.h>
 #include <linux/list.h>
 #include <linux/slab.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <net/neighbour.h>
 #include <net/sock.h>
 
@@ -158,7 +158,7 @@ enum {
 
 typedef struct ax25_uid_assoc {
 	struct hlist_node	uid_node;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	kuid_t			uid;
 	ax25_address		call;
 } ax25_uid_assoc;
@@ -167,11 +167,11 @@ typedef struct ax25_uid_assoc {
 	hlist_for_each_entry(__ax25, list, uid_node)
 
 #define ax25_uid_hold(ax25) \
-	atomic_inc(&((ax25)->refcount))
+	refcount_inc(&((ax25)->refcount))
 
 static inline void ax25_uid_put(ax25_uid_assoc *assoc)
 {
-	if (atomic_dec_and_test(&assoc->refcount)) {
+	if (refcount_dec_and_test(&assoc->refcount)) {
 		kfree(assoc);
 	}
 }
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index 0403b0d..83b035f 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -107,7 +107,7 @@ int ax25_uid_ioctl(int cmd, struct sockaddr_ax25 *sax)
 		if ((ax25_uid = kmalloc(sizeof(*ax25_uid), GFP_KERNEL)) = NULL)
 			return -ENOMEM;
 
-		atomic_set(&ax25_uid->refcount, 1);
+		refcount_set(&ax25_uid->refcount, 1);
 		ax25_uid->uid  = sax25_kuid;
 		ax25_uid->call = sax->sax25_call;
 
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 22/23] net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
  (?)
@ 2017-03-17 12:10     ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
---
 include/net/ax25.h    | 6 +++---
 net/ax25/ax25_route.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index edd82f0..e3467ba 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -185,7 +185,7 @@ typedef struct {
 
 typedef struct ax25_route {
 	struct ax25_route	*next;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	ax25_address		callsign;
 	struct net_device	*dev;
 	ax25_digi		*digipeat;
@@ -194,14 +194,14 @@ typedef struct ax25_route {
 
 static inline void ax25_hold_route(ax25_route *ax25_rt)
 {
-	atomic_inc(&ax25_rt->refcount);
+	refcount_inc(&ax25_rt->refcount);
 }
 
 void __ax25_put_route(ax25_route *ax25_rt);
 
 static inline void ax25_put_route(ax25_route *ax25_rt)
 {
-	if (atomic_dec_and_test(&ax25_rt->refcount))
+	if (refcount_dec_and_test(&ax25_rt->refcount))
 		__ax25_put_route(ax25_rt);
 }
 
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c
index e1fda27..0446b89 100644
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -114,7 +114,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route)
 		return -ENOMEM;
 	}
 
-	atomic_set(&ax25_rt->refcount, 1);
+	refcount_set(&ax25_rt->refcount, 1);
 	ax25_rt->callsign     = route->dest_addr;
 	ax25_rt->dev          = ax25_dev->dev;
 	ax25_rt->digipeat     = NULL;
-- 
2.7.4

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 22/23] net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h    | 6 +++---
 net/ax25/ax25_route.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index edd82f0..e3467ba 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -185,7 +185,7 @@ typedef struct {
 
 typedef struct ax25_route {
 	struct ax25_route	*next;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	ax25_address		callsign;
 	struct net_device	*dev;
 	ax25_digi		*digipeat;
@@ -194,14 +194,14 @@ typedef struct ax25_route {
 
 static inline void ax25_hold_route(ax25_route *ax25_rt)
 {
-	atomic_inc(&ax25_rt->refcount);
+	refcount_inc(&ax25_rt->refcount);
 }
 
 void __ax25_put_route(ax25_route *ax25_rt);
 
 static inline void ax25_put_route(ax25_route *ax25_rt)
 {
-	if (atomic_dec_and_test(&ax25_rt->refcount))
+	if (refcount_dec_and_test(&ax25_rt->refcount))
 		__ax25_put_route(ax25_rt);
 }
 
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c
index e1fda27..0446b89 100644
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -114,7 +114,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route)
 		return -ENOMEM;
 	}
 
-	atomic_set(&ax25_rt->refcount, 1);
+	refcount_set(&ax25_rt->refcount, 1);
 	ax25_rt->callsign     = route->dest_addr;
 	ax25_rt->dev          = ax25_dev->dev;
 	ax25_rt->digipeat     = NULL;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 22/23] net, ax25: convert ax25_route.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10     ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	ceph-devel-u79uwXL29TY76Z2rM5mHXA, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage-H+wXaHxf7aLQT0dZR+AlfA, bfields-uC3wQj2KruNg9hUCZPvPmw,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw, Elena Reshetova,
	Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h    | 6 +++---
 net/ax25/ax25_route.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index edd82f0..e3467ba 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -185,7 +185,7 @@ typedef struct {
 
 typedef struct ax25_route {
 	struct ax25_route	*next;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	ax25_address		callsign;
 	struct net_device	*dev;
 	ax25_digi		*digipeat;
@@ -194,14 +194,14 @@ typedef struct ax25_route {
 
 static inline void ax25_hold_route(ax25_route *ax25_rt)
 {
-	atomic_inc(&ax25_rt->refcount);
+	refcount_inc(&ax25_rt->refcount);
 }
 
 void __ax25_put_route(ax25_route *ax25_rt);
 
 static inline void ax25_put_route(ax25_route *ax25_rt)
 {
-	if (atomic_dec_and_test(&ax25_rt->refcount))
+	if (refcount_dec_and_test(&ax25_rt->refcount))
 		__ax25_put_route(ax25_rt);
 }
 
diff --git a/net/ax25/ax25_route.c b/net/ax25/ax25_route.c
index e1fda27..0446b89 100644
--- a/net/ax25/ax25_route.c
+++ b/net/ax25/ax25_route.c
@@ -114,7 +114,7 @@ static int __must_check ax25_rt_add(struct ax25_routes_struct *route)
 		return -ENOMEM;
 	}
 
-	atomic_set(&ax25_rt->refcount, 1);
+	refcount_set(&ax25_rt->refcount, 1);
 	ax25_rt->callsign     = route->dest_addr;
 	ax25_rt->dev          = ax25_dev->dev;
 	ax25_rt->digipeat     = NULL;
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 23/23] net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
  2017-03-17 12:10 ` Elena Reshetova
@ 2017-03-17 12:10   ` Elena Reshetova
  -1 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h | 6 +++---
 net/ax25/af_ax25.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index e3467ba..c4a0cf6 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -244,7 +244,7 @@ typedef struct ax25_cb {
 	unsigned char		window;
 	struct timer_list	timer, dtimer;
 	struct sock		*sk;		/* Backlink to socket */
-	atomic_t		refcount;
+	refcount_t		refcount;
 } ax25_cb;
 
 struct ax25_sock {
@@ -266,11 +266,11 @@ static inline struct ax25_cb *sk_to_ax25(const struct sock *sk)
 	hlist_for_each_entry(__ax25, list, ax25_node)
 
 #define ax25_cb_hold(__ax25) \
-	atomic_inc(&((__ax25)->refcount))
+	refcount_inc(&((__ax25)->refcount))
 
 static __inline__ void ax25_cb_put(ax25_cb *ax25)
 {
-	if (atomic_dec_and_test(&ax25->refcount)) {
+	if (refcount_dec_and_test(&ax25->refcount)) {
 		kfree(ax25->digipeat);
 		kfree(ax25);
 	}
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 90fcf5f..163e81f 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -510,7 +510,7 @@ ax25_cb *ax25_create_cb(void)
 	if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL)
 		return NULL;
 
-	atomic_set(&ax25->refcount, 1);
+	refcount_set(&ax25->refcount, 1);
 
 	skb_queue_head_init(&ax25->write_queue);
 	skb_queue_head_init(&ax25->frag_queue);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 80+ messages in thread

* [PATCH 23/23] net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
@ 2017-03-17 12:10   ` Elena Reshetova
  0 siblings, 0 replies; 80+ messages in thread
From: Elena Reshetova @ 2017-03-17 12:10 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-rdma, davem, linux-x25, linux-sctp,
	vyasevich, nhorman, linux-hams, linux-nfs, ceph-devel, zyan,
	sage, bfields, jlayton, steffen.klassert, herbert,
	santosh.shilimkar, jreuter, ralf, peterz, keescook,
	Elena Reshetova, Hans Liljestrand, David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 include/net/ax25.h | 6 +++---
 net/ax25/af_ax25.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/net/ax25.h b/include/net/ax25.h
index e3467ba..c4a0cf6 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -244,7 +244,7 @@ typedef struct ax25_cb {
 	unsigned char		window;
 	struct timer_list	timer, dtimer;
 	struct sock		*sk;		/* Backlink to socket */
-	atomic_t		refcount;
+	refcount_t		refcount;
 } ax25_cb;
 
 struct ax25_sock {
@@ -266,11 +266,11 @@ static inline struct ax25_cb *sk_to_ax25(const struct sock *sk)
 	hlist_for_each_entry(__ax25, list, ax25_node)
 
 #define ax25_cb_hold(__ax25) \
-	atomic_inc(&((__ax25)->refcount))
+	refcount_inc(&((__ax25)->refcount))
 
 static __inline__ void ax25_cb_put(ax25_cb *ax25)
 {
-	if (atomic_dec_and_test(&ax25->refcount)) {
+	if (refcount_dec_and_test(&ax25->refcount)) {
 		kfree(ax25->digipeat);
 		kfree(ax25);
 	}
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 90fcf5f..163e81f 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -510,7 +510,7 @@ ax25_cb *ax25_create_cb(void)
 	if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) = NULL)
 		return NULL;
 
-	atomic_set(&ax25->refcount, 1);
+	refcount_set(&ax25->refcount, 1);
 
 	skb_queue_head_init(&ax25->write_queue);
 	skb_queue_head_init(&ax25->frag_queue);
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  2017-03-17 12:10   ` Elena Reshetova
                         ` (2 preceding siblings ...)
  (?)
@ 2017-03-17 12:50       ` Trond Myklebust
  -1 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 12:50 UTC (permalink / raw)
  To: elena.reshetova-ral2JQCrhuEAvxtiuMwx3w, netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	peterz-wEGCiKHe2LqWVfeAwA7xHQ, ralf-6z/3iImG2C8G8FEW9MqTrA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	ishkamiel-Re5JQEeQqe8AvxtiuMwx3w, bfields-uC3wQj2KruNg9hUCZPvPmw,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	jreuter-K7Hl1MveuGQ, santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ, dwindsor-Re5JQEeQqe8AvxtiuMwx3w,
	keescook-F7+t8E8rja9g9hUCZPvPmw

On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
> 
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/sunrpc/auth.h |  8 ++++----
>  net/sunrpc/auth.c           | 12 ++++++------
>  2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/sunrpc/auth.h
> b/include/linux/sunrpc/auth.h
> index b1bc62b..bd36e0b 100644
> --- a/include/linux/sunrpc/auth.h
> +++ b/include/linux/sunrpc/auth.h
> @@ -15,7 +15,7 @@
>  #include <linux/sunrpc/msg_prot.h>
>  #include <linux/sunrpc/xdr.h>
>  
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/rcupdate.h>
>  #include <linux/uidgid.h>
>  #include <linux/utsname.h>
> @@ -68,7 +68,7 @@ struct rpc_cred {
>  #endif
>  	unsigned long		cr_expire;	/* when to gc
> */
>  	unsigned long		cr_flags;	/* various
> flags */
> -	atomic_t		cr_count;	/* ref count */
> +	refcount_t		cr_count;	/* ref count */
> 

NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
"refcount_t: increment on 0; use-after-free.\n") like there's no
tomorrow...

Please stop with these automated conversions. They are going to cause a
lot more bugs than they fix.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 12:50       ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 12:50 UTC (permalink / raw)
  To: elena.reshetova, netdev
  Cc: linux-kernel, peterz, ralf, linux-rdma, ishkamiel, bfields,
	steffen.klassert, nhorman, linux-nfs, jreuter, santosh.shilimkar,
	linux-hams, jlayton, dwindsor, keescook, zyan, sage, davem,
	linux-sctp, vyasevich, linux-x25, herbert, ceph-devel

On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
> 
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/sunrpc/auth.h |  8 ++++----
>  net/sunrpc/auth.c           | 12 ++++++------
>  2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/sunrpc/auth.h
> b/include/linux/sunrpc/auth.h
> index b1bc62b..bd36e0b 100644
> --- a/include/linux/sunrpc/auth.h
> +++ b/include/linux/sunrpc/auth.h
> @@ -15,7 +15,7 @@
>  #include <linux/sunrpc/msg_prot.h>
>  #include <linux/sunrpc/xdr.h>
>  
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/rcupdate.h>
>  #include <linux/uidgid.h>
>  #include <linux/utsname.h>
> @@ -68,7 +68,7 @@ struct rpc_cred {
>  #endif
>  	unsigned long		cr_expire;	/* when to gc
> */
>  	unsigned long		cr_flags;	/* various
> flags */
> -	atomic_t		cr_count;	/* ref count */
> +	refcount_t		cr_count;	/* ref count */
> 

NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
"refcount_t: increment on 0; use-after-free.\n") like there's no
tomorrow...

Please stop with these automated conversions. They are going to cause a
lot more bugs than they fix.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 12:50       ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 12:50 UTC (permalink / raw)
  To: elena.reshetova-ral2JQCrhuEAvxtiuMwx3w, netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	peterz-wEGCiKHe2LqWVfeAwA7xHQ, ralf-6z/3iImG2C8G8FEW9MqTrA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	ishkamiel-Re5JQEeQqe8AvxtiuMwx3w, bfields-uC3wQj2KruNg9hUCZPvPmw,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	jreuter-K7Hl1MveuGQ, santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ, dwindsor-Re5JQEeQqe8AvxtiuMwx3w,
	keescook-F7+t8E8rja9g9hUCZPvPmw

On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
> 
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/sunrpc/auth.h |  8 ++++----
>  net/sunrpc/auth.c           | 12 ++++++------
>  2 files changed, 10 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/sunrpc/auth.h
> b/include/linux/sunrpc/auth.h
> index b1bc62b..bd36e0b 100644
> --- a/include/linux/sunrpc/auth.h
> +++ b/include/linux/sunrpc/auth.h
> @@ -15,7 +15,7 @@
>  #include <linux/sunrpc/msg_prot.h>
>  #include <linux/sunrpc/xdr.h>
>  
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/rcupdate.h>
>  #include <linux/uidgid.h>
>  #include <linux/utsname.h>
> @@ -68,7 +68,7 @@ struct rpc_cred {
>  #endif
>  	unsigned long		cr_expire;	/* when to gc
> */
>  	unsigned long		cr_flags;	/* various
> flags */
> -	atomic_t		cr_count;	/* ref count */
> +	refcount_t		cr_count;	/* ref count */
> 

NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
"refcount_t: increment on 0; use-after-free.\n") like there's no
tomorrow...

Please stop with these automated conversions. They are going to cause a
lot more bugs than they fix.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 12:50       ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 12:50 UTC (permalink / raw)
  To: elena.reshetova-ral2JQCrhuEAvxtiuMwx3w, netdev-u79uwXL29TY76Z2rM5mHXA
  Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	peterz-wEGCiKHe2LqWVfeAwA7xHQ, ralf-6z/3iImG2C8G8FEW9MqTrA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	ishkamiel-Re5JQEeQqe8AvxtiuMwx3w, bfields-uC3wQj2KruNg9hUCZPvPmw,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	jreuter-K7Hl1MveuGQ, santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	jlayton-vpEMnDpepFuMZCB2o+C8xQ, dwindsor-Re5JQEeQqe8AvxtiuMwx3w,
	keescook-F7+t8E8rja9g9hUCZPvPmw

T24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNoZXRvdmEgd3JvdGU6
DQo+IHJlZmNvdW50X3QgdHlwZSBhbmQgY29ycmVzcG9uZGluZyBBUEkgc2hvdWxkIGJlDQo+IHVz
ZWQgaW5zdGVhZCBvZiBhdG9taWNfdCB3aGVuIHRoZSB2YXJpYWJsZSBpcyB1c2VkIGFzDQo+IGEg
cmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxsb3dzIHRvIGF2b2lkIGFjY2lkZW50YWwNCj4gcmVm
Y291bnRlciBvdmVyZmxvd3MgdGhhdCBtaWdodCBsZWFkIHRvIHVzZS1hZnRlci1mcmVlDQo+IHNp
dHVhdGlvbnMuDQo+IA0KPiBTaWduZWQtb2ZmLWJ5OiBFbGVuYSBSZXNoZXRvdmEgPGVsZW5hLnJl
c2hldG92YUBpbnRlbC5jb20+DQo+IFNpZ25lZC1vZmYtYnk6IEhhbnMgTGlsamVzdHJhbmQgPGlz
aGthbWllbEBnbWFpbC5jb20+DQo+IFNpZ25lZC1vZmYtYnk6IEtlZXMgQ29vayA8a2Vlc2Nvb2tA
Y2hyb21pdW0ub3JnPg0KPiBTaWduZWQtb2ZmLWJ5OiBEYXZpZCBXaW5kc29yIDxkd2luZHNvckBn
bWFpbC5jb20+DQo+IC0tLQ0KPiDCoGluY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaCB8wqDCoDgg
KysrKy0tLS0NCj4gwqBuZXQvc3VucnBjL2F1dGguY8KgwqDCoMKgwqDCoMKgwqDCoMKgwqB8IDEy
ICsrKysrKy0tLS0tLQ0KPiDCoDIgZmlsZXMgY2hhbmdlZCwgMTAgaW5zZXJ0aW9ucygrKSwgMTAg
ZGVsZXRpb25zKC0pDQo+IA0KPiBkaWZmIC0tZ2l0IGEvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0
aC5oDQo+IGIvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0aC5oDQo+IGluZGV4IGIxYmM2MmIuLmJk
MzZlMGIgMTAwNjQ0DQo+IC0tLSBhL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiArKysg
Yi9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRoLmgNCj4gQEAgLTE1LDcgKzE1LDcgQEANCj4gwqAj
aW5jbHVkZSA8bGludXgvc3VucnBjL21zZ19wcm90Lmg+DQo+IMKgI2luY2x1ZGUgPGxpbnV4L3N1
bnJwYy94ZHIuaD4NCj4gwqANCj4gLSNpbmNsdWRlIDxsaW51eC9hdG9taWMuaD4NCj4gKyNpbmNs
dWRlIDxsaW51eC9yZWZjb3VudC5oPg0KPiDCoCNpbmNsdWRlIDxsaW51eC9yY3VwZGF0ZS5oPg0K
PiDCoCNpbmNsdWRlIDxsaW51eC91aWRnaWQuaD4NCj4gwqAjaW5jbHVkZSA8bGludXgvdXRzbmFt
ZS5oPg0KPiBAQCAtNjgsNyArNjgsNyBAQCBzdHJ1Y3QgcnBjX2NyZWQgew0KPiDCoCNlbmRpZg0K
PiDCoAl1bnNpZ25lZCBsb25nCQljcl9leHBpcmU7CS8qIHdoZW4gdG8gZ2MNCj4gKi8NCj4gwqAJ
dW5zaWduZWQgbG9uZwkJY3JfZmxhZ3M7CS8qIHZhcmlvdXMNCj4gZmxhZ3MgKi8NCj4gLQlhdG9t
aWNfdAkJY3JfY291bnQ7CS8qIHJlZiBjb3VudCAqLw0KPiArCXJlZmNvdW50X3QJCWNyX2NvdW50
OwkvKiByZWYgY291bnQgKi8NCj4gDQoNCk5BQ0suIFRoYXQncyBnb2luZyB0byBiZSBoaXR0aW5n
IFdBUk5fT05DRSghcmVmY291bnRfaW5jX25vdF96ZXJvKHIpLA0KInJlZmNvdW50X3Q6IGluY3Jl
bWVudCBvbiAwOyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhlcmUncyBubw0KdG9tb3Jyb3cu
Li4NCg0KUGxlYXNlIHN0b3Agd2l0aCB0aGVzZSBhdXRvbWF0ZWQgY29udmVyc2lvbnMuIFRoZXkg
YXJlIGdvaW5nIHRvIGNhdXNlIGENCmxvdCBtb3JlIGJ1Z3MgdGhhbiB0aGV5IGZpeC4NCg0KLS0g
DQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBjbGllbnQgbWFpbnRhaW5lciwgUHJpbWFyeURh
dGENCnRyb25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0YS5jb20NCg=


^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 12:50       ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 12:50 UTC (permalink / raw)
  To: elena.reshetova, netdev
  Cc: linux-kernel, peterz, ralf, linux-rdma, ishkamiel, bfields,
	steffen.klassert, nhorman, linux-nfs, jreuter, santosh.shilimkar,
	linux-hams, jlayton, dwindsor, keescook, zyan, sage, davem,
	linux-sctp, vyasevich, linux-x25, herbert, ceph-devel

T24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNoZXRvdmEgd3JvdGU6
DQo+IHJlZmNvdW50X3QgdHlwZSBhbmQgY29ycmVzcG9uZGluZyBBUEkgc2hvdWxkIGJlDQo+IHVz
ZWQgaW5zdGVhZCBvZiBhdG9taWNfdCB3aGVuIHRoZSB2YXJpYWJsZSBpcyB1c2VkIGFzDQo+IGEg
cmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxsb3dzIHRvIGF2b2lkIGFjY2lkZW50YWwNCj4gcmVm
Y291bnRlciBvdmVyZmxvd3MgdGhhdCBtaWdodCBsZWFkIHRvIHVzZS1hZnRlci1mcmVlDQo+IHNp
dHVhdGlvbnMuDQo+IA0KPiBTaWduZWQtb2ZmLWJ5OiBFbGVuYSBSZXNoZXRvdmEgPGVsZW5hLnJl
c2hldG92YUBpbnRlbC5jb20+DQo+IFNpZ25lZC1vZmYtYnk6IEhhbnMgTGlsamVzdHJhbmQgPGlz
aGthbWllbEBnbWFpbC5jb20+DQo+IFNpZ25lZC1vZmYtYnk6IEtlZXMgQ29vayA8a2Vlc2Nvb2tA
Y2hyb21pdW0ub3JnPg0KPiBTaWduZWQtb2ZmLWJ5OiBEYXZpZCBXaW5kc29yIDxkd2luZHNvckBn
bWFpbC5jb20+DQo+IC0tLQ0KPiDCoGluY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaCB8wqDCoDgg
KysrKy0tLS0NCj4gwqBuZXQvc3VucnBjL2F1dGguY8KgwqDCoMKgwqDCoMKgwqDCoMKgwqB8IDEy
ICsrKysrKy0tLS0tLQ0KPiDCoDIgZmlsZXMgY2hhbmdlZCwgMTAgaW5zZXJ0aW9ucygrKSwgMTAg
ZGVsZXRpb25zKC0pDQo+IA0KPiBkaWZmIC0tZ2l0IGEvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0
aC5oDQo+IGIvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0aC5oDQo+IGluZGV4IGIxYmM2MmIuLmJk
MzZlMGIgMTAwNjQ0DQo+IC0tLSBhL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiArKysg
Yi9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRoLmgNCj4gQEAgLTE1LDcgKzE1LDcgQEANCj4gwqAj
aW5jbHVkZSA8bGludXgvc3VucnBjL21zZ19wcm90Lmg+DQo+IMKgI2luY2x1ZGUgPGxpbnV4L3N1
bnJwYy94ZHIuaD4NCj4gwqANCj4gLSNpbmNsdWRlIDxsaW51eC9hdG9taWMuaD4NCj4gKyNpbmNs
dWRlIDxsaW51eC9yZWZjb3VudC5oPg0KPiDCoCNpbmNsdWRlIDxsaW51eC9yY3VwZGF0ZS5oPg0K
PiDCoCNpbmNsdWRlIDxsaW51eC91aWRnaWQuaD4NCj4gwqAjaW5jbHVkZSA8bGludXgvdXRzbmFt
ZS5oPg0KPiBAQCAtNjgsNyArNjgsNyBAQCBzdHJ1Y3QgcnBjX2NyZWQgew0KPiDCoCNlbmRpZg0K
PiDCoAl1bnNpZ25lZCBsb25nCQljcl9leHBpcmU7CS8qIHdoZW4gdG8gZ2MNCj4gKi8NCj4gwqAJ
dW5zaWduZWQgbG9uZwkJY3JfZmxhZ3M7CS8qIHZhcmlvdXMNCj4gZmxhZ3MgKi8NCj4gLQlhdG9t
aWNfdAkJY3JfY291bnQ7CS8qIHJlZiBjb3VudCAqLw0KPiArCXJlZmNvdW50X3QJCWNyX2NvdW50
OwkvKiByZWYgY291bnQgKi8NCj4gDQoNCk5BQ0suIFRoYXQncyBnb2luZyB0byBiZSBoaXR0aW5n
IFdBUk5fT05DRSghcmVmY291bnRfaW5jX25vdF96ZXJvKHIpLA0KInJlZmNvdW50X3Q6IGluY3Jl
bWVudCBvbiAwOyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhlcmUncyBubw0KdG9tb3Jyb3cu
Li4NCg0KUGxlYXNlIHN0b3Agd2l0aCB0aGVzZSBhdXRvbWF0ZWQgY29udmVyc2lvbnMuIFRoZXkg
YXJlIGdvaW5nIHRvIGNhdXNlIGENCmxvdCBtb3JlIGJ1Z3MgdGhhbiB0aGV5IGZpeC4NCg0KLS0g
DQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBjbGllbnQgbWFpbnRhaW5lciwgUHJpbWFyeURh
dGENCnRyb25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0YS5jb20NCg==


^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  2017-03-17 12:50       ` Trond Myklebust
  (?)
@ 2017-03-17 13:02         ` Jeff Layton
  -1 siblings, 0 replies; 80+ messages in thread
From: Jeff Layton @ 2017-03-17 13:02 UTC (permalink / raw)
  To: Trond Myklebust, elena.reshetova, netdev
  Cc: linux-kernel, peterz, ralf, linux-rdma, ishkamiel, bfields,
	steffen.klassert, nhorman, linux-nfs, jreuter, santosh.shilimkar,
	linux-hams, dwindsor, keescook, zyan, sage

On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
> > 
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > ---
> >  include/linux/sunrpc/auth.h |  8 ++++----
> >  net/sunrpc/auth.c           | 12 ++++++------
> >  2 files changed, 10 insertions(+), 10 deletions(-)
> > 
> > diff --git a/include/linux/sunrpc/auth.h
> > b/include/linux/sunrpc/auth.h
> > index b1bc62b..bd36e0b 100644
> > --- a/include/linux/sunrpc/auth.h
> > +++ b/include/linux/sunrpc/auth.h
> > @@ -15,7 +15,7 @@
> >  #include <linux/sunrpc/msg_prot.h>
> >  #include <linux/sunrpc/xdr.h>
> >  
> > -#include <linux/atomic.h>
> > +#include <linux/refcount.h>
> >  #include <linux/rcupdate.h>
> >  #include <linux/uidgid.h>
> >  #include <linux/utsname.h>
> > @@ -68,7 +68,7 @@ struct rpc_cred {
> >  #endif
> >  	unsigned long		cr_expire;	/* when to gc
> > */
> >  	unsigned long		cr_flags;	/* various
> > flags */
> > -	atomic_t		cr_count;	/* ref count */
> > +	refcount_t		cr_count;	/* ref count */
> > 
> 
> NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
> "refcount_t: increment on 0; use-after-free.\n") like there's no
> tomorrow...
> 
> Please stop with these automated conversions. They are going to cause a
> lot more bugs than they fix.
> 

Agreed. These patchsets are touching places where we've already banged
out most of the refcounting bugs. I'm against doing large scale
conversions like this without a damned good reason.

I think it may be best to do this sort of thing in a more piecemeal
fashion. Pick a subsystem or two and do the conversions there to prove
that they're better than what we have. If the subsystem already has
problems with its refcounting, then so much the better. Point to bugs
that this new infrastructure helped find.

Encourage people to adopt your new infrastructure as new refcounted
objects are introduced into the kernel. You might even consider a LWN
article about this.

Eventually we'll get around to changing existing code to use it, once
there is a sufficient advantage to doing so. Most likely when we're
reworking the code for other reasons, or when we're chasing some horrid
refcounting bug and think that this might help find it.
-- 
Jeff Layton <jlayton@poochiereds.net>

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 13:02         ` Jeff Layton
  0 siblings, 0 replies; 80+ messages in thread
From: Jeff Layton @ 2017-03-17 13:02 UTC (permalink / raw)
  To: Trond Myklebust, elena.reshetova, netdev
  Cc: linux-kernel, peterz, ralf, linux-rdma, ishkamiel, bfields,
	steffen.klassert, nhorman, linux-nfs, jreuter, santosh.shilimkar,
	linux-hams, dwindsor, keescook, zyan, sage, davem, linux-sctp,
	vyasevich, linux-x25, herbert, ceph-devel

On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
> > 
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > ---
> >  include/linux/sunrpc/auth.h |  8 ++++----
> >  net/sunrpc/auth.c           | 12 ++++++------
> >  2 files changed, 10 insertions(+), 10 deletions(-)
> > 
> > diff --git a/include/linux/sunrpc/auth.h
> > b/include/linux/sunrpc/auth.h
> > index b1bc62b..bd36e0b 100644
> > --- a/include/linux/sunrpc/auth.h
> > +++ b/include/linux/sunrpc/auth.h
> > @@ -15,7 +15,7 @@
> >  #include <linux/sunrpc/msg_prot.h>
> >  #include <linux/sunrpc/xdr.h>
> >  
> > -#include <linux/atomic.h>
> > +#include <linux/refcount.h>
> >  #include <linux/rcupdate.h>
> >  #include <linux/uidgid.h>
> >  #include <linux/utsname.h>
> > @@ -68,7 +68,7 @@ struct rpc_cred {
> >  #endif
> >  	unsigned long		cr_expire;	/* when to gc
> > */
> >  	unsigned long		cr_flags;	/* various
> > flags */
> > -	atomic_t		cr_count;	/* ref count */
> > +	refcount_t		cr_count;	/* ref count */
> > 
> 
> NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
> "refcount_t: increment on 0; use-after-free.\n") like there's no
> tomorrow...
> 
> Please stop with these automated conversions. They are going to cause a
> lot more bugs than they fix.
> 

Agreed. These patchsets are touching places where we've already banged
out most of the refcounting bugs. I'm against doing large scale
conversions like this without a damned good reason.

I think it may be best to do this sort of thing in a more piecemeal
fashion. Pick a subsystem or two and do the conversions there to prove
that they're better than what we have. If the subsystem already has
problems with its refcounting, then so much the better. Point to bugs
that this new infrastructure helped find.

Encourage people to adopt your new infrastructure as new refcounted
objects are introduced into the kernel. You might even consider a LWN
article about this.

Eventually we'll get around to changing existing code to use it, once
there is a sufficient advantage to doing so. Most likely when we're
reworking the code for other reasons, or when we're chasing some horrid
refcounting bug and think that this might help find it.
-- 
Jeff Layton <jlayton@poochiereds.net>

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 13:02         ` Jeff Layton
  0 siblings, 0 replies; 80+ messages in thread
From: Jeff Layton @ 2017-03-17 13:02 UTC (permalink / raw)
  To: Trond Myklebust, elena.reshetova, netdev
  Cc: linux-kernel, peterz, ralf, linux-rdma, ishkamiel, bfields,
	steffen.klassert, nhorman, linux-nfs, jreuter, santosh.shilimkar,
	linux-hams, dwindsor, keescook, zyan, sage

On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
> > 
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > ---
> >  include/linux/sunrpc/auth.h |  8 ++++----
> >  net/sunrpc/auth.c           | 12 ++++++------
> >  2 files changed, 10 insertions(+), 10 deletions(-)
> > 
> > diff --git a/include/linux/sunrpc/auth.h
> > b/include/linux/sunrpc/auth.h
> > index b1bc62b..bd36e0b 100644
> > --- a/include/linux/sunrpc/auth.h
> > +++ b/include/linux/sunrpc/auth.h
> > @@ -15,7 +15,7 @@
> >  #include <linux/sunrpc/msg_prot.h>
> >  #include <linux/sunrpc/xdr.h>
> >  
> > -#include <linux/atomic.h>
> > +#include <linux/refcount.h>
> >  #include <linux/rcupdate.h>
> >  #include <linux/uidgid.h>
> >  #include <linux/utsname.h>
> > @@ -68,7 +68,7 @@ struct rpc_cred {
> >  #endif
> >  	unsigned long		cr_expire;	/* when to gc
> > */
> >  	unsigned long		cr_flags;	/* various
> > flags */
> > -	atomic_t		cr_count;	/* ref count */
> > +	refcount_t		cr_count;	/* ref count */
> > 
> 
> NACK. That's going to be hitting WARN_ONCE(!refcount_inc_not_zero(r),
> "refcount_t: increment on 0; use-after-free.\n") like there's no
> tomorrow...
> 
> Please stop with these automated conversions. They are going to cause a
> lot more bugs than they fix.
> 

Agreed. These patchsets are touching places where we've already banged
out most of the refcounting bugs. I'm against doing large scale
conversions like this without a damned good reason.

I think it may be best to do this sort of thing in a more piecemeal
fashion. Pick a subsystem or two and do the conversions there to prove
that they're better than what we have. If the subsystem already has
problems with its refcounting, then so much the better. Point to bugs
that this new infrastructure helped find.

Encourage people to adopt your new infrastructure as new refcounted
objects are introduced into the kernel. You might even consider a LWN
article about this.

Eventually we'll get around to changing existing code to use it, once
there is a sufficient advantage to doing so. Most likely when we're
reworking the code for other reasons, or when we're chasing some horrid
refcounting bug and think that this might help find it.
-- 
Jeff Layton <jlayton@poochiereds.net>

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  2017-03-17 13:02         ` Jeff Layton
  (?)
  (?)
@ 2017-03-17 14:28             ` Trond Myklebust
  -1 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 14:28 UTC (permalink / raw)
  To: elena.reshetova-ral2JQCrhuEAvxtiuMwx3w,
	netdev-u79uwXL29TY76Z2rM5mHXA, jlayton-vpEMnDpepFuMZCB2o+C8xQ
  Cc: herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	peterz-wEGCiKHe2LqWVfeAwA7xHQ, ralf-6z/3iImG2C8G8FEW9MqTrA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	ishkamiel-Re5JQEeQqe8AvxtiuMwx3w, bfields-uC3wQj2KruNg9hUCZPvPmw,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	jreuter-K7Hl1MveuGQ, keescook-F7+t8E8rja9g9hUCZPvPmw,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	dwindsor-Re5JQEeQqe8AvxtiuMwx3w, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage

On Fri, 2017-03-17 at 09:02 -0400, Jeff Layton wrote:
> On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> > On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > > refcount_t type and corresponding API should be
> > > used instead of atomic_t when the variable is used as
> > > a reference counter. This allows to avoid accidental
> > > refcounter overflows that might lead to use-after-free
> > > situations.
> > > 
> > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > > ---
> > >  include/linux/sunrpc/auth.h |  8 ++++----
> > >  net/sunrpc/auth.c           | 12 ++++++------
> > >  2 files changed, 10 insertions(+), 10 deletions(-)
> > > 
> > > diff --git a/include/linux/sunrpc/auth.h
> > > b/include/linux/sunrpc/auth.h
> > > index b1bc62b..bd36e0b 100644
> > > --- a/include/linux/sunrpc/auth.h
> > > +++ b/include/linux/sunrpc/auth.h
> > > @@ -15,7 +15,7 @@
> > >  #include <linux/sunrpc/msg_prot.h>
> > >  #include <linux/sunrpc/xdr.h>
> > >  
> > > -#include <linux/atomic.h>
> > > +#include <linux/refcount.h>
> > >  #include <linux/rcupdate.h>
> > >  #include <linux/uidgid.h>
> > >  #include <linux/utsname.h>
> > > @@ -68,7 +68,7 @@ struct rpc_cred {
> > >  #endif
> > >  	unsigned long		cr_expire;	/* when
> > > to gc
> > > */
> > >  	unsigned long		cr_flags;	/* various
> > > flags */
> > > -	atomic_t		cr_count;	/* ref count */
> > > +	refcount_t		cr_count;	/* ref count
> > > */
> > > 
> > 
> > NACK. That's going to be hitting
> > WARN_ONCE(!refcount_inc_not_zero(r),
> > "refcount_t: increment on 0; use-after-free.\n") like there's no
> > tomorrow...
> > 
> > Please stop with these automated conversions. They are going to
> > cause a
> > lot more bugs than they fix.
> > 
> 
> Agreed. These patchsets are touching places where we've already
> banged
> out most of the refcounting bugs. I'm against doing large scale
> conversions like this without a damned good reason.
> 
> I think it may be best to do this sort of thing in a more piecemeal
> fashion. Pick a subsystem or two and do the conversions there to
> prove
> that they're better than what we have. If the subsystem already has
> problems with its refcounting, then so much the better. Point to bugs
> that this new infrastructure helped find.
> 
> Encourage people to adopt your new infrastructure as new refcounted
> objects are introduced into the kernel. You might even consider a LWN
> article about this.
> 
> Eventually we'll get around to changing existing code to use it, once
> there is a sufficient advantage to doing so. Most likely when we're
> reworking the code for other reasons, or when we're chasing some
> horrid
> refcounting bug and think that this might help find it.

The main issue is that this "refcount_t" implementation appears to be
assuming that there is one and only one model for refcounts (the one
where a value of "0" means "free me immediately").

The kernel has a plethora of object caching implementations where this
is simply not the case; the dcache is a prime example, and this cache
is another. In both these implementation, the atomic_t variable is
being used more as a semaphore-style lock that prevents freeing of the
object while it is in active use as opposed to being freeable, but
cached. This is why these automated conversions are a nuisance and a
source of bugs.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 14:28             ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 14:28 UTC (permalink / raw)
  To: elena.reshetova, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage, davem, linux-sctp, vyasevich,
	linux-x25, santosh.shilimkar, ceph-devel

On Fri, 2017-03-17 at 09:02 -0400, Jeff Layton wrote:
> On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> > On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > > refcount_t type and corresponding API should be
> > > used instead of atomic_t when the variable is used as
> > > a reference counter. This allows to avoid accidental
> > > refcounter overflows that might lead to use-after-free
> > > situations.
> > > 
> > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > > ---
> > >  include/linux/sunrpc/auth.h |  8 ++++----
> > >  net/sunrpc/auth.c           | 12 ++++++------
> > >  2 files changed, 10 insertions(+), 10 deletions(-)
> > > 
> > > diff --git a/include/linux/sunrpc/auth.h
> > > b/include/linux/sunrpc/auth.h
> > > index b1bc62b..bd36e0b 100644
> > > --- a/include/linux/sunrpc/auth.h
> > > +++ b/include/linux/sunrpc/auth.h
> > > @@ -15,7 +15,7 @@
> > >  #include <linux/sunrpc/msg_prot.h>
> > >  #include <linux/sunrpc/xdr.h>
> > >  
> > > -#include <linux/atomic.h>
> > > +#include <linux/refcount.h>
> > >  #include <linux/rcupdate.h>
> > >  #include <linux/uidgid.h>
> > >  #include <linux/utsname.h>
> > > @@ -68,7 +68,7 @@ struct rpc_cred {
> > >  #endif
> > >  	unsigned long		cr_expire;	/* when
> > > to gc
> > > */
> > >  	unsigned long		cr_flags;	/* various
> > > flags */
> > > -	atomic_t		cr_count;	/* ref count */
> > > +	refcount_t		cr_count;	/* ref count
> > > */
> > > 
> > 
> > NACK. That's going to be hitting
> > WARN_ONCE(!refcount_inc_not_zero(r),
> > "refcount_t: increment on 0; use-after-free.\n") like there's no
> > tomorrow...
> > 
> > Please stop with these automated conversions. They are going to
> > cause a
> > lot more bugs than they fix.
> > 
> 
> Agreed. These patchsets are touching places where we've already
> banged
> out most of the refcounting bugs. I'm against doing large scale
> conversions like this without a damned good reason.
> 
> I think it may be best to do this sort of thing in a more piecemeal
> fashion. Pick a subsystem or two and do the conversions there to
> prove
> that they're better than what we have. If the subsystem already has
> problems with its refcounting, then so much the better. Point to bugs
> that this new infrastructure helped find.
> 
> Encourage people to adopt your new infrastructure as new refcounted
> objects are introduced into the kernel. You might even consider a LWN
> article about this.
> 
> Eventually we'll get around to changing existing code to use it, once
> there is a sufficient advantage to doing so. Most likely when we're
> reworking the code for other reasons, or when we're chasing some
> horrid
> refcounting bug and think that this might help find it.

The main issue is that this "refcount_t" implementation appears to be
assuming that there is one and only one model for refcounts (the one
where a value of "0" means "free me immediately").

The kernel has a plethora of object caching implementations where this
is simply not the case; the dcache is a prime example, and this cache
is another. In both these implementation, the atomic_t variable is
being used more as a semaphore-style lock that prevents freeing of the
object while it is in active use as opposed to being freeable, but
cached. This is why these automated conversions are a nuisance and a
source of bugs.

-- 
Trond Myklebust
Linux NFS client maintainer, PrimaryData
trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 14:28             ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 14:28 UTC (permalink / raw)
  To: elena.reshetova-ral2JQCrhuEAvxtiuMwx3w,
	netdev-u79uwXL29TY76Z2rM5mHXA, jlayton-vpEMnDpepFuMZCB2o+C8xQ
  Cc: herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	peterz-wEGCiKHe2LqWVfeAwA7xHQ, ralf-6z/3iImG2C8G8FEW9MqTrA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	ishkamiel-Re5JQEeQqe8AvxtiuMwx3w, bfields-uC3wQj2KruNg9hUCZPvPmw,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, linux-nfs-u79uwXL29TY76Z2rM5mHXA,
	jreuter-K7Hl1MveuGQ, keescook-F7+t8E8rja9g9hUCZPvPmw,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	dwindsor-Re5JQEeQqe8AvxtiuMwx3w, zyan-H+wXaHxf7aLQT0dZR+AlfA,
	sage

T24gRnJpLCAyMDE3LTAzLTE3IGF0IDA5OjAyIC0wNDAwLCBKZWZmIExheXRvbiB3cm90ZToNCj4g
T24gRnJpLCAyMDE3LTAzLTE3IGF0IDEyOjUwICswMDAwLCBUcm9uZCBNeWtsZWJ1c3Qgd3JvdGU6
DQo+ID4gT24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNoZXRvdmEg
d3JvdGU6DQo+ID4gPiByZWZjb3VudF90IHR5cGUgYW5kIGNvcnJlc3BvbmRpbmcgQVBJIHNob3Vs
ZCBiZQ0KPiA+ID4gdXNlZCBpbnN0ZWFkIG9mIGF0b21pY190IHdoZW4gdGhlIHZhcmlhYmxlIGlz
IHVzZWQgYXMNCj4gPiA+IGEgcmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxsb3dzIHRvIGF2b2lk
IGFjY2lkZW50YWwNCj4gPiA+IHJlZmNvdW50ZXIgb3ZlcmZsb3dzIHRoYXQgbWlnaHQgbGVhZCB0
byB1c2UtYWZ0ZXItZnJlZQ0KPiA+ID4gc2l0dWF0aW9ucy4NCj4gPiA+IA0KPiA+ID4gU2lnbmVk
LW9mZi1ieTogRWxlbmEgUmVzaGV0b3ZhIDxlbGVuYS5yZXNoZXRvdmFAaW50ZWwuY29tPg0KPiA+
ID4gU2lnbmVkLW9mZi1ieTogSGFucyBMaWxqZXN0cmFuZCA8aXNoa2FtaWVsQGdtYWlsLmNvbT4N
Cj4gPiA+IFNpZ25lZC1vZmYtYnk6IEtlZXMgQ29vayA8a2Vlc2Nvb2tAY2hyb21pdW0ub3JnPg0K
PiA+ID4gU2lnbmVkLW9mZi1ieTogRGF2aWQgV2luZHNvciA8ZHdpbmRzb3JAZ21haWwuY29tPg0K
PiA+ID4gLS0tDQo+ID4gPiDCoGluY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaCB8wqDCoDggKysr
Ky0tLS0NCj4gPiA+IMKgbmV0L3N1bnJwYy9hdXRoLmPCoMKgwqDCoMKgwqDCoMKgwqDCoMKgfCAx
MiArKysrKystLS0tLS0NCj4gPiA+IMKgMiBmaWxlcyBjaGFuZ2VkLCAxMCBpbnNlcnRpb25zKCsp
LCAxMCBkZWxldGlvbnMoLSkNCj4gPiA+IA0KPiA+ID4gZGlmZiAtLWdpdCBhL2luY2x1ZGUvbGlu
dXgvc3VucnBjL2F1dGguaA0KPiA+ID4gYi9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRoLmgNCj4g
PiA+IGluZGV4IGIxYmM2MmIuLmJkMzZlMGIgMTAwNjQ0DQo+ID4gPiAtLS0gYS9pbmNsdWRlL2xp
bnV4L3N1bnJwYy9hdXRoLmgNCj4gPiA+ICsrKyBiL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGgu
aA0KPiA+ID4gQEAgLTE1LDcgKzE1LDcgQEANCj4gPiA+IMKgI2luY2x1ZGUgPGxpbnV4L3N1bnJw
Yy9tc2dfcHJvdC5oPg0KPiA+ID4gwqAjaW5jbHVkZSA8bGludXgvc3VucnBjL3hkci5oPg0KPiA+
ID4gwqANCj4gPiA+IC0jaW5jbHVkZSA8bGludXgvYXRvbWljLmg+DQo+ID4gPiArI2luY2x1ZGUg
PGxpbnV4L3JlZmNvdW50Lmg+DQo+ID4gPiDCoCNpbmNsdWRlIDxsaW51eC9yY3VwZGF0ZS5oPg0K
PiA+ID4gwqAjaW5jbHVkZSA8bGludXgvdWlkZ2lkLmg+DQo+ID4gPiDCoCNpbmNsdWRlIDxsaW51
eC91dHNuYW1lLmg+DQo+ID4gPiBAQCAtNjgsNyArNjgsNyBAQCBzdHJ1Y3QgcnBjX2NyZWQgew0K
PiA+ID4gwqAjZW5kaWYNCj4gPiA+IMKgCXVuc2lnbmVkIGxvbmcJCWNyX2V4cGlyZTsJLyogd2hl
bg0KPiA+ID4gdG8gZ2MNCj4gPiA+ICovDQo+ID4gPiDCoAl1bnNpZ25lZCBsb25nCQljcl9mbGFn
czsJLyogdmFyaW91cw0KPiA+ID4gZmxhZ3MgKi8NCj4gPiA+IC0JYXRvbWljX3QJCWNyX2NvdW50
OwkvKiByZWYgY291bnQgKi8NCj4gPiA+ICsJcmVmY291bnRfdAkJY3JfY291bnQ7CS8qIHJlZiBj
b3VudA0KPiA+ID4gKi8NCj4gPiA+IA0KPiA+IA0KPiA+IE5BQ0suIFRoYXQncyBnb2luZyB0byBi
ZSBoaXR0aW5nDQo+ID4gV0FSTl9PTkNFKCFyZWZjb3VudF9pbmNfbm90X3plcm8ociksDQo+ID4g
InJlZmNvdW50X3Q6IGluY3JlbWVudCBvbiAwOyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhl
cmUncyBubw0KPiA+IHRvbW9ycm93Li4uDQo+ID4gDQo+ID4gUGxlYXNlIHN0b3Agd2l0aCB0aGVz
ZSBhdXRvbWF0ZWQgY29udmVyc2lvbnMuIFRoZXkgYXJlIGdvaW5nIHRvDQo+ID4gY2F1c2UgYQ0K
PiA+IGxvdCBtb3JlIGJ1Z3MgdGhhbiB0aGV5IGZpeC4NCj4gPiANCj4gDQo+IEFncmVlZC4gVGhl
c2UgcGF0Y2hzZXRzIGFyZSB0b3VjaGluZyBwbGFjZXMgd2hlcmUgd2UndmUgYWxyZWFkeQ0KPiBi
YW5nZWQNCj4gb3V0IG1vc3Qgb2YgdGhlIHJlZmNvdW50aW5nIGJ1Z3MuIEknbSBhZ2FpbnN0IGRv
aW5nIGxhcmdlIHNjYWxlDQo+IGNvbnZlcnNpb25zIGxpa2UgdGhpcyB3aXRob3V0IGEgZGFtbmVk
IGdvb2QgcmVhc29uLg0KPiANCj4gSSB0aGluayBpdCBtYXkgYmUgYmVzdCB0byBkbyB0aGlzIHNv
cnQgb2YgdGhpbmcgaW4gYSBtb3JlIHBpZWNlbWVhbA0KPiBmYXNoaW9uLiBQaWNrIGEgc3Vic3lz
dGVtIG9yIHR3byBhbmQgZG8gdGhlIGNvbnZlcnNpb25zIHRoZXJlIHRvDQo+IHByb3ZlDQo+IHRo
YXQgdGhleSdyZSBiZXR0ZXIgdGhhbiB3aGF0IHdlIGhhdmUuIElmIHRoZSBzdWJzeXN0ZW0gYWxy
ZWFkeSBoYXMNCj4gcHJvYmxlbXMgd2l0aCBpdHMgcmVmY291bnRpbmcsIHRoZW4gc28gbXVjaCB0
aGUgYmV0dGVyLiBQb2ludCB0byBidWdzDQo+IHRoYXQgdGhpcyBuZXcgaW5mcmFzdHJ1Y3R1cmUg
aGVscGVkIGZpbmQuDQo+IA0KPiBFbmNvdXJhZ2UgcGVvcGxlIHRvIGFkb3B0IHlvdXIgbmV3IGlu
ZnJhc3RydWN0dXJlIGFzIG5ldyByZWZjb3VudGVkDQo+IG9iamVjdHMgYXJlIGludHJvZHVjZWQg
aW50byB0aGUga2VybmVsLiBZb3UgbWlnaHQgZXZlbiBjb25zaWRlciBhIExXTg0KPiBhcnRpY2xl
IGFib3V0IHRoaXMuDQo+IA0KPiBFdmVudHVhbGx5IHdlJ2xsIGdldCBhcm91bmQgdG8gY2hhbmdp
bmcgZXhpc3RpbmcgY29kZSB0byB1c2UgaXQsIG9uY2UNCj4gdGhlcmUgaXMgYSBzdWZmaWNpZW50
IGFkdmFudGFnZSB0byBkb2luZyBzby4gTW9zdCBsaWtlbHkgd2hlbiB3ZSdyZQ0KPiByZXdvcmtp
bmcgdGhlIGNvZGUgZm9yIG90aGVyIHJlYXNvbnMsIG9yIHdoZW4gd2UncmUgY2hhc2luZyBzb21l
DQo+IGhvcnJpZA0KPiByZWZjb3VudGluZyBidWcgYW5kIHRoaW5rIHRoYXQgdGhpcyBtaWdodCBo
ZWxwIGZpbmQgaXQuDQoNClRoZSBtYWluIGlzc3VlIGlzIHRoYXQgdGhpcyAicmVmY291bnRfdCIg
aW1wbGVtZW50YXRpb24gYXBwZWFycyB0byBiZQ0KYXNzdW1pbmcgdGhhdCB0aGVyZSBpcyBvbmUg
YW5kIG9ubHkgb25lIG1vZGVsIGZvciByZWZjb3VudHMgKHRoZSBvbmUNCndoZXJlIGEgdmFsdWUg
b2YgIjAiIG1lYW5zICJmcmVlIG1lIGltbWVkaWF0ZWx5IikuDQoNClRoZSBrZXJuZWwgaGFzIGEg
cGxldGhvcmEgb2Ygb2JqZWN0IGNhY2hpbmcgaW1wbGVtZW50YXRpb25zIHdoZXJlIHRoaXMNCmlz
IHNpbXBseSBub3QgdGhlIGNhc2U7IHRoZSBkY2FjaGUgaXMgYSBwcmltZSBleGFtcGxlLCBhbmQg
dGhpcyBjYWNoZQ0KaXMgYW5vdGhlci4gSW4gYm90aCB0aGVzZSBpbXBsZW1lbnRhdGlvbiwgdGhl
IGF0b21pY190IHZhcmlhYmxlIGlzDQpiZWluZyB1c2VkIG1vcmUgYXMgYSBzZW1hcGhvcmUtc3R5
bGUgbG9jayB0aGF0IHByZXZlbnRzIGZyZWVpbmcgb2YgdGhlDQpvYmplY3Qgd2hpbGUgaXQgaXMg
aW4gYWN0aXZlIHVzZSBhcyBvcHBvc2VkIHRvIGJlaW5nIGZyZWVhYmxlLCBidXQNCmNhY2hlZC4g
VGhpcyBpcyB3aHkgdGhlc2UgYXV0b21hdGVkIGNvbnZlcnNpb25zIGFyZSBhIG51aXNhbmNlIGFu
ZCBhDQpzb3VyY2Ugb2YgYnVncy4NCg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBj
bGllbnQgbWFpbnRhaW5lciwgUHJpbWFyeURhdGENCnRyb25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0
YS5jb20NCg=


^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-17 14:28             ` Trond Myklebust
  0 siblings, 0 replies; 80+ messages in thread
From: Trond Myklebust @ 2017-03-17 14:28 UTC (permalink / raw)
  To: elena.reshetova, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage, davem, linux-sctp, vyasevich,
	linux-x25, santosh.shilimkar, ceph-devel

T24gRnJpLCAyMDE3LTAzLTE3IGF0IDA5OjAyIC0wNDAwLCBKZWZmIExheXRvbiB3cm90ZToNCj4g
T24gRnJpLCAyMDE3LTAzLTE3IGF0IDEyOjUwICswMDAwLCBUcm9uZCBNeWtsZWJ1c3Qgd3JvdGU6
DQo+ID4gT24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNoZXRvdmEg
d3JvdGU6DQo+ID4gPiByZWZjb3VudF90IHR5cGUgYW5kIGNvcnJlc3BvbmRpbmcgQVBJIHNob3Vs
ZCBiZQ0KPiA+ID4gdXNlZCBpbnN0ZWFkIG9mIGF0b21pY190IHdoZW4gdGhlIHZhcmlhYmxlIGlz
IHVzZWQgYXMNCj4gPiA+IGEgcmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxsb3dzIHRvIGF2b2lk
IGFjY2lkZW50YWwNCj4gPiA+IHJlZmNvdW50ZXIgb3ZlcmZsb3dzIHRoYXQgbWlnaHQgbGVhZCB0
byB1c2UtYWZ0ZXItZnJlZQ0KPiA+ID4gc2l0dWF0aW9ucy4NCj4gPiA+IA0KPiA+ID4gU2lnbmVk
LW9mZi1ieTogRWxlbmEgUmVzaGV0b3ZhIDxlbGVuYS5yZXNoZXRvdmFAaW50ZWwuY29tPg0KPiA+
ID4gU2lnbmVkLW9mZi1ieTogSGFucyBMaWxqZXN0cmFuZCA8aXNoa2FtaWVsQGdtYWlsLmNvbT4N
Cj4gPiA+IFNpZ25lZC1vZmYtYnk6IEtlZXMgQ29vayA8a2Vlc2Nvb2tAY2hyb21pdW0ub3JnPg0K
PiA+ID4gU2lnbmVkLW9mZi1ieTogRGF2aWQgV2luZHNvciA8ZHdpbmRzb3JAZ21haWwuY29tPg0K
PiA+ID4gLS0tDQo+ID4gPiDCoGluY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaCB8wqDCoDggKysr
Ky0tLS0NCj4gPiA+IMKgbmV0L3N1bnJwYy9hdXRoLmPCoMKgwqDCoMKgwqDCoMKgwqDCoMKgfCAx
MiArKysrKystLS0tLS0NCj4gPiA+IMKgMiBmaWxlcyBjaGFuZ2VkLCAxMCBpbnNlcnRpb25zKCsp
LCAxMCBkZWxldGlvbnMoLSkNCj4gPiA+IA0KPiA+ID4gZGlmZiAtLWdpdCBhL2luY2x1ZGUvbGlu
dXgvc3VucnBjL2F1dGguaA0KPiA+ID4gYi9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRoLmgNCj4g
PiA+IGluZGV4IGIxYmM2MmIuLmJkMzZlMGIgMTAwNjQ0DQo+ID4gPiAtLS0gYS9pbmNsdWRlL2xp
bnV4L3N1bnJwYy9hdXRoLmgNCj4gPiA+ICsrKyBiL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGgu
aA0KPiA+ID4gQEAgLTE1LDcgKzE1LDcgQEANCj4gPiA+IMKgI2luY2x1ZGUgPGxpbnV4L3N1bnJw
Yy9tc2dfcHJvdC5oPg0KPiA+ID4gwqAjaW5jbHVkZSA8bGludXgvc3VucnBjL3hkci5oPg0KPiA+
ID4gwqANCj4gPiA+IC0jaW5jbHVkZSA8bGludXgvYXRvbWljLmg+DQo+ID4gPiArI2luY2x1ZGUg
PGxpbnV4L3JlZmNvdW50Lmg+DQo+ID4gPiDCoCNpbmNsdWRlIDxsaW51eC9yY3VwZGF0ZS5oPg0K
PiA+ID4gwqAjaW5jbHVkZSA8bGludXgvdWlkZ2lkLmg+DQo+ID4gPiDCoCNpbmNsdWRlIDxsaW51
eC91dHNuYW1lLmg+DQo+ID4gPiBAQCAtNjgsNyArNjgsNyBAQCBzdHJ1Y3QgcnBjX2NyZWQgew0K
PiA+ID4gwqAjZW5kaWYNCj4gPiA+IMKgCXVuc2lnbmVkIGxvbmcJCWNyX2V4cGlyZTsJLyogd2hl
bg0KPiA+ID4gdG8gZ2MNCj4gPiA+ICovDQo+ID4gPiDCoAl1bnNpZ25lZCBsb25nCQljcl9mbGFn
czsJLyogdmFyaW91cw0KPiA+ID4gZmxhZ3MgKi8NCj4gPiA+IC0JYXRvbWljX3QJCWNyX2NvdW50
OwkvKiByZWYgY291bnQgKi8NCj4gPiA+ICsJcmVmY291bnRfdAkJY3JfY291bnQ7CS8qIHJlZiBj
b3VudA0KPiA+ID4gKi8NCj4gPiA+IA0KPiA+IA0KPiA+IE5BQ0suIFRoYXQncyBnb2luZyB0byBi
ZSBoaXR0aW5nDQo+ID4gV0FSTl9PTkNFKCFyZWZjb3VudF9pbmNfbm90X3plcm8ociksDQo+ID4g
InJlZmNvdW50X3Q6IGluY3JlbWVudCBvbiAwOyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhl
cmUncyBubw0KPiA+IHRvbW9ycm93Li4uDQo+ID4gDQo+ID4gUGxlYXNlIHN0b3Agd2l0aCB0aGVz
ZSBhdXRvbWF0ZWQgY29udmVyc2lvbnMuIFRoZXkgYXJlIGdvaW5nIHRvDQo+ID4gY2F1c2UgYQ0K
PiA+IGxvdCBtb3JlIGJ1Z3MgdGhhbiB0aGV5IGZpeC4NCj4gPiANCj4gDQo+IEFncmVlZC4gVGhl
c2UgcGF0Y2hzZXRzIGFyZSB0b3VjaGluZyBwbGFjZXMgd2hlcmUgd2UndmUgYWxyZWFkeQ0KPiBi
YW5nZWQNCj4gb3V0IG1vc3Qgb2YgdGhlIHJlZmNvdW50aW5nIGJ1Z3MuIEknbSBhZ2FpbnN0IGRv
aW5nIGxhcmdlIHNjYWxlDQo+IGNvbnZlcnNpb25zIGxpa2UgdGhpcyB3aXRob3V0IGEgZGFtbmVk
IGdvb2QgcmVhc29uLg0KPiANCj4gSSB0aGluayBpdCBtYXkgYmUgYmVzdCB0byBkbyB0aGlzIHNv
cnQgb2YgdGhpbmcgaW4gYSBtb3JlIHBpZWNlbWVhbA0KPiBmYXNoaW9uLiBQaWNrIGEgc3Vic3lz
dGVtIG9yIHR3byBhbmQgZG8gdGhlIGNvbnZlcnNpb25zIHRoZXJlIHRvDQo+IHByb3ZlDQo+IHRo
YXQgdGhleSdyZSBiZXR0ZXIgdGhhbiB3aGF0IHdlIGhhdmUuIElmIHRoZSBzdWJzeXN0ZW0gYWxy
ZWFkeSBoYXMNCj4gcHJvYmxlbXMgd2l0aCBpdHMgcmVmY291bnRpbmcsIHRoZW4gc28gbXVjaCB0
aGUgYmV0dGVyLiBQb2ludCB0byBidWdzDQo+IHRoYXQgdGhpcyBuZXcgaW5mcmFzdHJ1Y3R1cmUg
aGVscGVkIGZpbmQuDQo+IA0KPiBFbmNvdXJhZ2UgcGVvcGxlIHRvIGFkb3B0IHlvdXIgbmV3IGlu
ZnJhc3RydWN0dXJlIGFzIG5ldyByZWZjb3VudGVkDQo+IG9iamVjdHMgYXJlIGludHJvZHVjZWQg
aW50byB0aGUga2VybmVsLiBZb3UgbWlnaHQgZXZlbiBjb25zaWRlciBhIExXTg0KPiBhcnRpY2xl
IGFib3V0IHRoaXMuDQo+IA0KPiBFdmVudHVhbGx5IHdlJ2xsIGdldCBhcm91bmQgdG8gY2hhbmdp
bmcgZXhpc3RpbmcgY29kZSB0byB1c2UgaXQsIG9uY2UNCj4gdGhlcmUgaXMgYSBzdWZmaWNpZW50
IGFkdmFudGFnZSB0byBkb2luZyBzby4gTW9zdCBsaWtlbHkgd2hlbiB3ZSdyZQ0KPiByZXdvcmtp
bmcgdGhlIGNvZGUgZm9yIG90aGVyIHJlYXNvbnMsIG9yIHdoZW4gd2UncmUgY2hhc2luZyBzb21l
DQo+IGhvcnJpZA0KPiByZWZjb3VudGluZyBidWcgYW5kIHRoaW5rIHRoYXQgdGhpcyBtaWdodCBo
ZWxwIGZpbmQgaXQuDQoNClRoZSBtYWluIGlzc3VlIGlzIHRoYXQgdGhpcyAicmVmY291bnRfdCIg
aW1wbGVtZW50YXRpb24gYXBwZWFycyB0byBiZQ0KYXNzdW1pbmcgdGhhdCB0aGVyZSBpcyBvbmUg
YW5kIG9ubHkgb25lIG1vZGVsIGZvciByZWZjb3VudHMgKHRoZSBvbmUNCndoZXJlIGEgdmFsdWUg
b2YgIjAiIG1lYW5zICJmcmVlIG1lIGltbWVkaWF0ZWx5IikuDQoNClRoZSBrZXJuZWwgaGFzIGEg
cGxldGhvcmEgb2Ygb2JqZWN0IGNhY2hpbmcgaW1wbGVtZW50YXRpb25zIHdoZXJlIHRoaXMNCmlz
IHNpbXBseSBub3QgdGhlIGNhc2U7IHRoZSBkY2FjaGUgaXMgYSBwcmltZSBleGFtcGxlLCBhbmQg
dGhpcyBjYWNoZQ0KaXMgYW5vdGhlci4gSW4gYm90aCB0aGVzZSBpbXBsZW1lbnRhdGlvbiwgdGhl
IGF0b21pY190IHZhcmlhYmxlIGlzDQpiZWluZyB1c2VkIG1vcmUgYXMgYSBzZW1hcGhvcmUtc3R5
bGUgbG9jayB0aGF0IHByZXZlbnRzIGZyZWVpbmcgb2YgdGhlDQpvYmplY3Qgd2hpbGUgaXQgaXMg
aW4gYWN0aXZlIHVzZSBhcyBvcHBvc2VkIHRvIGJlaW5nIGZyZWVhYmxlLCBidXQNCmNhY2hlZC4g
VGhpcyBpcyB3aHkgdGhlc2UgYXV0b21hdGVkIGNvbnZlcnNpb25zIGFyZSBhIG51aXNhbmNlIGFu
ZCBhDQpzb3VyY2Ugb2YgYnVncy4NCg0KLS0gDQpUcm9uZCBNeWtsZWJ1c3QNCkxpbnV4IE5GUyBj
bGllbnQgbWFpbnRhaW5lciwgUHJpbWFyeURhdGENCnRyb25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0
YS5jb20NCg==


^ permalink raw reply	[flat|nested] 80+ messages in thread

* RE: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
  2017-03-17 14:28             ` Trond Myklebust
  (?)
  (?)
@ 2017-03-20 16:15               ` Reshetova, Elena
  -1 siblings, 0 replies; 80+ messages in thread
From: Reshetova, Elena @ 2017-03-20 16:15 UTC (permalink / raw)
  To: Trond Myklebust, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage

> On Fri, 2017-03-17 at 09:02 -0400, Jeff Layton wrote:
> > On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> > > On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > > > refcount_t type and corresponding API should be
> > > > used instead of atomic_t when the variable is used as
> > > > a reference counter. This allows to avoid accidental
> > > > refcounter overflows that might lead to use-after-free
> > > > situations.
> > > >
> > > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > > > ---
> > > >  include/linux/sunrpc/auth.h |  8 ++++----
> > > >  net/sunrpc/auth.c           | 12 ++++++------
> > > >  2 files changed, 10 insertions(+), 10 deletions(-)
> > > >
> > > > diff --git a/include/linux/sunrpc/auth.h
> > > > b/include/linux/sunrpc/auth.h
> > > > index b1bc62b..bd36e0b 100644
> > > > --- a/include/linux/sunrpc/auth.h
> > > > +++ b/include/linux/sunrpc/auth.h
> > > > @@ -15,7 +15,7 @@
> > > >  #include <linux/sunrpc/msg_prot.h>
> > > >  #include <linux/sunrpc/xdr.h>
> > > >
> > > > -#include <linux/atomic.h>
> > > > +#include <linux/refcount.h>
> > > >  #include <linux/rcupdate.h>
> > > >  #include <linux/uidgid.h>
> > > >  #include <linux/utsname.h>
> > > > @@ -68,7 +68,7 @@ struct rpc_cred {
> > > >  #endif
> > > >  	unsigned long		cr_expire;	/* when
> > > > to gc
> > > > */
> > > >  	unsigned long		cr_flags;	/* various
> > > > flags */
> > > > -	atomic_t		cr_count;	/* ref count */
> > > > +	refcount_t		cr_count;	/* ref count
> > > > */
> > > >
> > >
> > > NACK. That's going to be hitting
> > > WARN_ONCE(!refcount_inc_not_zero(r),
> > > "refcount_t: increment on 0; use-after-free.\n") like there's no
> > > tomorrow...
> > >
> > > Please stop with these automated conversions. They are going to
> > > cause a
> > > lot more bugs than they fix.
> > >
> >
> > Agreed. These patchsets are touching places where we've already
> > banged
> > out most of the refcounting bugs. I'm against doing large scale
> > conversions like this without a damned good reason.
> >
> > I think it may be best to do this sort of thing in a more piecemeal
> > fashion. Pick a subsystem or two and do the conversions there to
> > prove
> > that they're better than what we have. If the subsystem already has
> > problems with its refcounting, then so much the better. Point to bugs
> > that this new infrastructure helped find.
> >
> > Encourage people to adopt your new infrastructure as new refcounted
> > objects are introduced into the kernel. You might even consider a LWN
> > article about this.
> >
> > Eventually we'll get around to changing existing code to use it, once
> > there is a sufficient advantage to doing so. Most likely when we're
> > reworking the code for other reasons, or when we're chasing some
> > horrid
> > refcounting bug and think that this might help find it.
> 
> The main issue is that this "refcount_t" implementation appears to be
> assuming that there is one and only one model for refcounts (the one
> where a value of "0" means "free me immediately").
> 
> The kernel has a plethora of object caching implementations where this
> is simply not the case; the dcache is a prime example, and this cache
> is another. In both these implementation, the atomic_t variable is
> being used more as a semaphore-style lock that prevents freeing of the
> object while it is in active use as opposed to being freeable, but
> cached. This is why these automated conversions are a nuisance and a
> source of bugs.

Ok, in this particular patch I agree that we missed that object is being reused 
(and yes there are many parts in kernel where similar thing happens as we learned from this exercise). 
Note that refcount_t implementation is fine with you "correctly" reusing your object:
i.e. when counter reaches zero, you take the object away from active use, but it might still stay in cache. 
BUT when you get a new object from cache you should initialize refcounter properly: set it to one vs. just do a "inc" on it. 
Problem really comes from this "increment me from zero". 

And the goal with these conversions is to take a look broadly on the kernel source and determine (with the feedback from maintainers who know code best, like your feedback now) what can be converted already now. 
Maintainers know their code and their usage of counters, so if it doesn't make sense to do it in a particular place (because of errors or other reasons), then it doesn't. 
But more we cover with new refcount_t, less chances we have with ever hitting refcounter bugs anywhere in the future. 

Best Regards,
Elena.

> 
> --
> Trond Myklebust
> Linux NFS client maintainer, PrimaryData
> trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* RE: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-20 16:15               ` Reshetova, Elena
  0 siblings, 0 replies; 80+ messages in thread
From: Reshetova, Elena @ 2017-03-20 16:15 UTC (permalink / raw)
  To: Trond Myklebust, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage, davem, linux-sctp, vyasevich,
	linux-x25, santosh.shilimkar, ceph-devel

> On Fri, 2017-03-17 at 09:02 -0400, Jeff Layton wrote:
> > On Fri, 2017-03-17 at 12:50 +0000, Trond Myklebust wrote:
> > > On Fri, 2017-03-17 at 14:10 +0200, Elena Reshetova wrote:
> > > > refcount_t type and corresponding API should be
> > > > used instead of atomic_t when the variable is used as
> > > > a reference counter. This allows to avoid accidental
> > > > refcounter overflows that might lead to use-after-free
> > > > situations.
> > > >
> > > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > > > ---
> > > >  include/linux/sunrpc/auth.h |  8 ++++----
> > > >  net/sunrpc/auth.c           | 12 ++++++------
> > > >  2 files changed, 10 insertions(+), 10 deletions(-)
> > > >
> > > > diff --git a/include/linux/sunrpc/auth.h
> > > > b/include/linux/sunrpc/auth.h
> > > > index b1bc62b..bd36e0b 100644
> > > > --- a/include/linux/sunrpc/auth.h
> > > > +++ b/include/linux/sunrpc/auth.h
> > > > @@ -15,7 +15,7 @@
> > > >  #include <linux/sunrpc/msg_prot.h>
> > > >  #include <linux/sunrpc/xdr.h>
> > > >
> > > > -#include <linux/atomic.h>
> > > > +#include <linux/refcount.h>
> > > >  #include <linux/rcupdate.h>
> > > >  #include <linux/uidgid.h>
> > > >  #include <linux/utsname.h>
> > > > @@ -68,7 +68,7 @@ struct rpc_cred {
> > > >  #endif
> > > >  	unsigned long		cr_expire;	/* when
> > > > to gc
> > > > */
> > > >  	unsigned long		cr_flags;	/* various
> > > > flags */
> > > > -	atomic_t		cr_count;	/* ref count */
> > > > +	refcount_t		cr_count;	/* ref count
> > > > */
> > > >
> > >
> > > NACK. That's going to be hitting
> > > WARN_ONCE(!refcount_inc_not_zero(r),
> > > "refcount_t: increment on 0; use-after-free.\n") like there's no
> > > tomorrow...
> > >
> > > Please stop with these automated conversions. They are going to
> > > cause a
> > > lot more bugs than they fix.
> > >
> >
> > Agreed. These patchsets are touching places where we've already
> > banged
> > out most of the refcounting bugs. I'm against doing large scale
> > conversions like this without a damned good reason.
> >
> > I think it may be best to do this sort of thing in a more piecemeal
> > fashion. Pick a subsystem or two and do the conversions there to
> > prove
> > that they're better than what we have. If the subsystem already has
> > problems with its refcounting, then so much the better. Point to bugs
> > that this new infrastructure helped find.
> >
> > Encourage people to adopt your new infrastructure as new refcounted
> > objects are introduced into the kernel. You might even consider a LWN
> > article about this.
> >
> > Eventually we'll get around to changing existing code to use it, once
> > there is a sufficient advantage to doing so. Most likely when we're
> > reworking the code for other reasons, or when we're chasing some
> > horrid
> > refcounting bug and think that this might help find it.
> 
> The main issue is that this "refcount_t" implementation appears to be
> assuming that there is one and only one model for refcounts (the one
> where a value of "0" means "free me immediately").
> 
> The kernel has a plethora of object caching implementations where this
> is simply not the case; the dcache is a prime example, and this cache
> is another. In both these implementation, the atomic_t variable is
> being used more as a semaphore-style lock that prevents freeing of the
> object while it is in active use as opposed to being freeable, but
> cached. This is why these automated conversions are a nuisance and a
> source of bugs.

Ok, in this particular patch I agree that we missed that object is being reused 
(and yes there are many parts in kernel where similar thing happens as we learned from this exercise). 
Note that refcount_t implementation is fine with you "correctly" reusing your object:
i.e. when counter reaches zero, you take the object away from active use, but it might still stay in cache. 
BUT when you get a new object from cache you should initialize refcounter properly: set it to one vs. just do a "inc" on it. 
Problem really comes from this "increment me from zero". 

And the goal with these conversions is to take a look broadly on the kernel source and determine (with the feedback from maintainers who know code best, like your feedback now) what can be converted already now. 
Maintainers know their code and their usage of counters, so if it doesn't make sense to do it in a particular place (because of errors or other reasons), then it doesn't. 
But more we cover with new refcount_t, less chances we have with ever hitting refcounter bugs anywhere in the future. 

Best Regards,
Elena.

> 
> --
> Trond Myklebust
> Linux NFS client maintainer, PrimaryData
> trond.myklebust@primarydata.com

^ permalink raw reply	[flat|nested] 80+ messages in thread

* RE: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-20 16:15               ` Reshetova, Elena
  0 siblings, 0 replies; 80+ messages in thread
From: Reshetova, Elena @ 2017-03-20 16:15 UTC (permalink / raw)
  To: Trond Myklebust, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage

PiBPbiBGcmksIDIwMTctMDMtMTcgYXQgMDk6MDIgLTA0MDAsIEplZmYgTGF5dG9uIHdyb3RlOg0K
PiA+IE9uIEZyaSwgMjAxNy0wMy0xNyBhdCAxMjo1MCArMDAwMCwgVHJvbmQgTXlrbGVidXN0IHdy
b3RlOg0KPiA+ID4gT24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNo
ZXRvdmEgd3JvdGU6DQo+ID4gPiA+IHJlZmNvdW50X3QgdHlwZSBhbmQgY29ycmVzcG9uZGluZyBB
UEkgc2hvdWxkIGJlDQo+ID4gPiA+IHVzZWQgaW5zdGVhZCBvZiBhdG9taWNfdCB3aGVuIHRoZSB2
YXJpYWJsZSBpcyB1c2VkIGFzDQo+ID4gPiA+IGEgcmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxs
b3dzIHRvIGF2b2lkIGFjY2lkZW50YWwNCj4gPiA+ID4gcmVmY291bnRlciBvdmVyZmxvd3MgdGhh
dCBtaWdodCBsZWFkIHRvIHVzZS1hZnRlci1mcmVlDQo+ID4gPiA+IHNpdHVhdGlvbnMuDQo+ID4g
PiA+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IEVsZW5hIFJlc2hldG92YSA8ZWxlbmEucmVzaGV0
b3ZhQGludGVsLmNvbT4NCj4gPiA+ID4gU2lnbmVkLW9mZi1ieTogSGFucyBMaWxqZXN0cmFuZCA8
aXNoa2FtaWVsQGdtYWlsLmNvbT4NCj4gPiA+ID4gU2lnbmVkLW9mZi1ieTogS2VlcyBDb29rIDxr
ZWVzY29va0BjaHJvbWl1bS5vcmc+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IERhdmlkIFdpbmRz
b3IgPGR3aW5kc29yQGdtYWlsLmNvbT4NCj4gPiA+ID4gLS0tDQo+ID4gPiA+IMKgaW5jbHVkZS9s
aW51eC9zdW5ycGMvYXV0aC5oIHzCoMKgOCArKysrLS0tLQ0KPiA+ID4gPiDCoG5ldC9zdW5ycGMv
YXV0aC5jwqDCoMKgwqDCoMKgwqDCoMKgwqDCoHwgMTIgKysrKysrLS0tLS0tDQo+ID4gPiA+IMKg
MiBmaWxlcyBjaGFuZ2VkLCAxMCBpbnNlcnRpb25zKCspLCAxMCBkZWxldGlvbnMoLSkNCj4gPiA+
ID4NCj4gPiA+ID4gZGlmZiAtLWdpdCBhL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiA+
ID4gPiBiL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiA+ID4gPiBpbmRleCBiMWJjNjJi
Li5iZDM2ZTBiIDEwMDY0NA0KPiA+ID4gPiAtLS0gYS9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRo
LmgNCj4gPiA+ID4gKysrIGIvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0aC5oDQo+ID4gPiA+IEBA
IC0xNSw3ICsxNSw3IEBADQo+ID4gPiA+IMKgI2luY2x1ZGUgPGxpbnV4L3N1bnJwYy9tc2dfcHJv
dC5oPg0KPiA+ID4gPiDCoCNpbmNsdWRlIDxsaW51eC9zdW5ycGMveGRyLmg+DQo+ID4gPiA+DQo+
ID4gPiA+IC0jaW5jbHVkZSA8bGludXgvYXRvbWljLmg+DQo+ID4gPiA+ICsjaW5jbHVkZSA8bGlu
dXgvcmVmY291bnQuaD4NCj4gPiA+ID4gwqAjaW5jbHVkZSA8bGludXgvcmN1cGRhdGUuaD4NCj4g
PiA+ID4gwqAjaW5jbHVkZSA8bGludXgvdWlkZ2lkLmg+DQo+ID4gPiA+IMKgI2luY2x1ZGUgPGxp
bnV4L3V0c25hbWUuaD4NCj4gPiA+ID4gQEAgLTY4LDcgKzY4LDcgQEAgc3RydWN0IHJwY19jcmVk
IHsNCj4gPiA+ID4gwqAjZW5kaWYNCj4gPiA+ID4gwqAJdW5zaWduZWQgbG9uZwkJY3JfZXhwaXJl
OwkvKiB3aGVuDQo+ID4gPiA+IHRvIGdjDQo+ID4gPiA+ICovDQo+ID4gPiA+IMKgCXVuc2lnbmVk
IGxvbmcJCWNyX2ZsYWdzOwkvKiB2YXJpb3VzDQo+ID4gPiA+IGZsYWdzICovDQo+ID4gPiA+IC0J
YXRvbWljX3QJCWNyX2NvdW50OwkvKiByZWYgY291bnQgKi8NCj4gPiA+ID4gKwlyZWZjb3VudF90
CQljcl9jb3VudDsJLyogcmVmIGNvdW50DQo+ID4gPiA+ICovDQo+ID4gPiA+DQo+ID4gPg0KPiA+
ID4gTkFDSy4gVGhhdCdzIGdvaW5nIHRvIGJlIGhpdHRpbmcNCj4gPiA+IFdBUk5fT05DRSghcmVm
Y291bnRfaW5jX25vdF96ZXJvKHIpLA0KPiA+ID4gInJlZmNvdW50X3Q6IGluY3JlbWVudCBvbiAw
OyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhlcmUncyBubw0KPiA+ID4gdG9tb3Jyb3cuLi4N
Cj4gPiA+DQo+ID4gPiBQbGVhc2Ugc3RvcCB3aXRoIHRoZXNlIGF1dG9tYXRlZCBjb252ZXJzaW9u
cy4gVGhleSBhcmUgZ29pbmcgdG8NCj4gPiA+IGNhdXNlIGENCj4gPiA+IGxvdCBtb3JlIGJ1Z3Mg
dGhhbiB0aGV5IGZpeC4NCj4gPiA+DQo+ID4NCj4gPiBBZ3JlZWQuIFRoZXNlIHBhdGNoc2V0cyBh
cmUgdG91Y2hpbmcgcGxhY2VzIHdoZXJlIHdlJ3ZlIGFscmVhZHkNCj4gPiBiYW5nZWQNCj4gPiBv
dXQgbW9zdCBvZiB0aGUgcmVmY291bnRpbmcgYnVncy4gSSdtIGFnYWluc3QgZG9pbmcgbGFyZ2Ug
c2NhbGUNCj4gPiBjb252ZXJzaW9ucyBsaWtlIHRoaXMgd2l0aG91dCBhIGRhbW5lZCBnb29kIHJl
YXNvbi4NCj4gPg0KPiA+IEkgdGhpbmsgaXQgbWF5IGJlIGJlc3QgdG8gZG8gdGhpcyBzb3J0IG9m
IHRoaW5nIGluIGEgbW9yZSBwaWVjZW1lYWwNCj4gPiBmYXNoaW9uLiBQaWNrIGEgc3Vic3lzdGVt
IG9yIHR3byBhbmQgZG8gdGhlIGNvbnZlcnNpb25zIHRoZXJlIHRvDQo+ID4gcHJvdmUNCj4gPiB0
aGF0IHRoZXkncmUgYmV0dGVyIHRoYW4gd2hhdCB3ZSBoYXZlLiBJZiB0aGUgc3Vic3lzdGVtIGFs
cmVhZHkgaGFzDQo+ID4gcHJvYmxlbXMgd2l0aCBpdHMgcmVmY291bnRpbmcsIHRoZW4gc28gbXVj
aCB0aGUgYmV0dGVyLiBQb2ludCB0byBidWdzDQo+ID4gdGhhdCB0aGlzIG5ldyBpbmZyYXN0cnVj
dHVyZSBoZWxwZWQgZmluZC4NCj4gPg0KPiA+IEVuY291cmFnZSBwZW9wbGUgdG8gYWRvcHQgeW91
ciBuZXcgaW5mcmFzdHJ1Y3R1cmUgYXMgbmV3IHJlZmNvdW50ZWQNCj4gPiBvYmplY3RzIGFyZSBp
bnRyb2R1Y2VkIGludG8gdGhlIGtlcm5lbC4gWW91IG1pZ2h0IGV2ZW4gY29uc2lkZXIgYSBMV04N
Cj4gPiBhcnRpY2xlIGFib3V0IHRoaXMuDQo+ID4NCj4gPiBFdmVudHVhbGx5IHdlJ2xsIGdldCBh
cm91bmQgdG8gY2hhbmdpbmcgZXhpc3RpbmcgY29kZSB0byB1c2UgaXQsIG9uY2UNCj4gPiB0aGVy
ZSBpcyBhIHN1ZmZpY2llbnQgYWR2YW50YWdlIHRvIGRvaW5nIHNvLiBNb3N0IGxpa2VseSB3aGVu
IHdlJ3JlDQo+ID4gcmV3b3JraW5nIHRoZSBjb2RlIGZvciBvdGhlciByZWFzb25zLCBvciB3aGVu
IHdlJ3JlIGNoYXNpbmcgc29tZQ0KPiA+IGhvcnJpZA0KPiA+IHJlZmNvdW50aW5nIGJ1ZyBhbmQg
dGhpbmsgdGhhdCB0aGlzIG1pZ2h0IGhlbHAgZmluZCBpdC4NCj4gDQo+IFRoZSBtYWluIGlzc3Vl
IGlzIHRoYXQgdGhpcyAicmVmY291bnRfdCIgaW1wbGVtZW50YXRpb24gYXBwZWFycyB0byBiZQ0K
PiBhc3N1bWluZyB0aGF0IHRoZXJlIGlzIG9uZSBhbmQgb25seSBvbmUgbW9kZWwgZm9yIHJlZmNv
dW50cyAodGhlIG9uZQ0KPiB3aGVyZSBhIHZhbHVlIG9mICIwIiBtZWFucyAiZnJlZSBtZSBpbW1l
ZGlhdGVseSIpLg0KPiANCj4gVGhlIGtlcm5lbCBoYXMgYSBwbGV0aG9yYSBvZiBvYmplY3QgY2Fj
aGluZyBpbXBsZW1lbnRhdGlvbnMgd2hlcmUgdGhpcw0KPiBpcyBzaW1wbHkgbm90IHRoZSBjYXNl
OyB0aGUgZGNhY2hlIGlzIGEgcHJpbWUgZXhhbXBsZSwgYW5kIHRoaXMgY2FjaGUNCj4gaXMgYW5v
dGhlci4gSW4gYm90aCB0aGVzZSBpbXBsZW1lbnRhdGlvbiwgdGhlIGF0b21pY190IHZhcmlhYmxl
IGlzDQo+IGJlaW5nIHVzZWQgbW9yZSBhcyBhIHNlbWFwaG9yZS1zdHlsZSBsb2NrIHRoYXQgcHJl
dmVudHMgZnJlZWluZyBvZiB0aGUNCj4gb2JqZWN0IHdoaWxlIGl0IGlzIGluIGFjdGl2ZSB1c2Ug
YXMgb3Bwb3NlZCB0byBiZWluZyBmcmVlYWJsZSwgYnV0DQo+IGNhY2hlZC4gVGhpcyBpcyB3aHkg
dGhlc2UgYXV0b21hdGVkIGNvbnZlcnNpb25zIGFyZSBhIG51aXNhbmNlIGFuZCBhDQo+IHNvdXJj
ZSBvZiBidWdzLg0KDQpPaywgaW4gdGhpcyBwYXJ0aWN1bGFyIHBhdGNoIEkgYWdyZWUgdGhhdCB3
ZSBtaXNzZWQgdGhhdCBvYmplY3QgaXMgYmVpbmcgcmV1c2VkIA0KKGFuZCB5ZXMgdGhlcmUgYXJl
IG1hbnkgcGFydHMgaW4ga2VybmVsIHdoZXJlIHNpbWlsYXIgdGhpbmcgaGFwcGVucyBhcyB3ZSBs
ZWFybmVkIGZyb20gdGhpcyBleGVyY2lzZSkuIA0KTm90ZSB0aGF0IHJlZmNvdW50X3QgaW1wbGVt
ZW50YXRpb24gaXMgZmluZSB3aXRoIHlvdSAiY29ycmVjdGx5IiByZXVzaW5nIHlvdXIgb2JqZWN0
Og0KaS5lLiB3aGVuIGNvdW50ZXIgcmVhY2hlcyB6ZXJvLCB5b3UgdGFrZSB0aGUgb2JqZWN0IGF3
YXkgZnJvbSBhY3RpdmUgdXNlLCBidXQgaXQgbWlnaHQgc3RpbGwgc3RheSBpbiBjYWNoZS4gDQpC
VVQgd2hlbiB5b3UgZ2V0IGEgbmV3IG9iamVjdCBmcm9tIGNhY2hlIHlvdSBzaG91bGQgaW5pdGlh
bGl6ZSByZWZjb3VudGVyIHByb3Blcmx5OiBzZXQgaXQgdG8gb25lIHZzLiBqdXN0IGRvIGEgImlu
YyIgb24gaXQuIA0KUHJvYmxlbSByZWFsbHkgY29tZXMgZnJvbSB0aGlzICJpbmNyZW1lbnQgbWUg
ZnJvbSB6ZXJvIi4gDQoNCkFuZCB0aGUgZ29hbCB3aXRoIHRoZXNlIGNvbnZlcnNpb25zIGlzIHRv
IHRha2UgYSBsb29rIGJyb2FkbHkgb24gdGhlIGtlcm5lbCBzb3VyY2UgYW5kIGRldGVybWluZSAo
d2l0aCB0aGUgZmVlZGJhY2sgZnJvbSBtYWludGFpbmVycyB3aG8ga25vdyBjb2RlIGJlc3QsIGxp
a2UgeW91ciBmZWVkYmFjayBub3cpIHdoYXQgY2FuIGJlIGNvbnZlcnRlZCBhbHJlYWR5IG5vdy4g
DQpNYWludGFpbmVycyBrbm93IHRoZWlyIGNvZGUgYW5kIHRoZWlyIHVzYWdlIG9mIGNvdW50ZXJz
LCBzbyBpZiBpdCBkb2Vzbid0IG1ha2Ugc2Vuc2UgdG8gZG8gaXQgaW4gYSBwYXJ0aWN1bGFyIHBs
YWNlIChiZWNhdXNlIG9mIGVycm9ycyBvciBvdGhlciByZWFzb25zKSwgdGhlbiBpdCBkb2Vzbid0
LiANCkJ1dCBtb3JlIHdlIGNvdmVyIHdpdGggbmV3IHJlZmNvdW50X3QsIGxlc3MgY2hhbmNlcyB3
ZSBoYXZlIHdpdGggZXZlciBoaXR0aW5nIHJlZmNvdW50ZXIgYnVncyBhbnl3aGVyZSBpbiB0aGUg
ZnV0dXJlLiANCg0KQmVzdCBSZWdhcmRzLA0KRWxlbmEuDQoNCj4gDQo+IC0tDQo+IFRyb25kIE15
a2xlYnVzdA0KPiBMaW51eCBORlMgY2xpZW50IG1haW50YWluZXIsIFByaW1hcnlEYXRhDQo+IHRy
b25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0YS5jb20NCg=

^ permalink raw reply	[flat|nested] 80+ messages in thread

* RE: [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t
@ 2017-03-20 16:15               ` Reshetova, Elena
  0 siblings, 0 replies; 80+ messages in thread
From: Reshetova, Elena @ 2017-03-20 16:15 UTC (permalink / raw)
  To: Trond Myklebust, netdev, jlayton
  Cc: herbert, linux-kernel, peterz, ralf, linux-rdma, ishkamiel,
	bfields, steffen.klassert, nhorman, linux-nfs, jreuter, keescook,
	linux-hams, dwindsor, zyan, sage, davem, linux-sctp, vyasevich,
	linux-x25, santosh.shilimkar, ceph-devel

PiBPbiBGcmksIDIwMTctMDMtMTcgYXQgMDk6MDIgLTA0MDAsIEplZmYgTGF5dG9uIHdyb3RlOg0K
PiA+IE9uIEZyaSwgMjAxNy0wMy0xNyBhdCAxMjo1MCArMDAwMCwgVHJvbmQgTXlrbGVidXN0IHdy
b3RlOg0KPiA+ID4gT24gRnJpLCAyMDE3LTAzLTE3IGF0IDE0OjEwICswMjAwLCBFbGVuYSBSZXNo
ZXRvdmEgd3JvdGU6DQo+ID4gPiA+IHJlZmNvdW50X3QgdHlwZSBhbmQgY29ycmVzcG9uZGluZyBB
UEkgc2hvdWxkIGJlDQo+ID4gPiA+IHVzZWQgaW5zdGVhZCBvZiBhdG9taWNfdCB3aGVuIHRoZSB2
YXJpYWJsZSBpcyB1c2VkIGFzDQo+ID4gPiA+IGEgcmVmZXJlbmNlIGNvdW50ZXIuIFRoaXMgYWxs
b3dzIHRvIGF2b2lkIGFjY2lkZW50YWwNCj4gPiA+ID4gcmVmY291bnRlciBvdmVyZmxvd3MgdGhh
dCBtaWdodCBsZWFkIHRvIHVzZS1hZnRlci1mcmVlDQo+ID4gPiA+IHNpdHVhdGlvbnMuDQo+ID4g
PiA+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IEVsZW5hIFJlc2hldG92YSA8ZWxlbmEucmVzaGV0
b3ZhQGludGVsLmNvbT4NCj4gPiA+ID4gU2lnbmVkLW9mZi1ieTogSGFucyBMaWxqZXN0cmFuZCA8
aXNoa2FtaWVsQGdtYWlsLmNvbT4NCj4gPiA+ID4gU2lnbmVkLW9mZi1ieTogS2VlcyBDb29rIDxr
ZWVzY29va0BjaHJvbWl1bS5vcmc+DQo+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IERhdmlkIFdpbmRz
b3IgPGR3aW5kc29yQGdtYWlsLmNvbT4NCj4gPiA+ID4gLS0tDQo+ID4gPiA+IMKgaW5jbHVkZS9s
aW51eC9zdW5ycGMvYXV0aC5oIHzCoMKgOCArKysrLS0tLQ0KPiA+ID4gPiDCoG5ldC9zdW5ycGMv
YXV0aC5jwqDCoMKgwqDCoMKgwqDCoMKgwqDCoHwgMTIgKysrKysrLS0tLS0tDQo+ID4gPiA+IMKg
MiBmaWxlcyBjaGFuZ2VkLCAxMCBpbnNlcnRpb25zKCspLCAxMCBkZWxldGlvbnMoLSkNCj4gPiA+
ID4NCj4gPiA+ID4gZGlmZiAtLWdpdCBhL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiA+
ID4gPiBiL2luY2x1ZGUvbGludXgvc3VucnBjL2F1dGguaA0KPiA+ID4gPiBpbmRleCBiMWJjNjJi
Li5iZDM2ZTBiIDEwMDY0NA0KPiA+ID4gPiAtLS0gYS9pbmNsdWRlL2xpbnV4L3N1bnJwYy9hdXRo
LmgNCj4gPiA+ID4gKysrIGIvaW5jbHVkZS9saW51eC9zdW5ycGMvYXV0aC5oDQo+ID4gPiA+IEBA
IC0xNSw3ICsxNSw3IEBADQo+ID4gPiA+IMKgI2luY2x1ZGUgPGxpbnV4L3N1bnJwYy9tc2dfcHJv
dC5oPg0KPiA+ID4gPiDCoCNpbmNsdWRlIDxsaW51eC9zdW5ycGMveGRyLmg+DQo+ID4gPiA+DQo+
ID4gPiA+IC0jaW5jbHVkZSA8bGludXgvYXRvbWljLmg+DQo+ID4gPiA+ICsjaW5jbHVkZSA8bGlu
dXgvcmVmY291bnQuaD4NCj4gPiA+ID4gwqAjaW5jbHVkZSA8bGludXgvcmN1cGRhdGUuaD4NCj4g
PiA+ID4gwqAjaW5jbHVkZSA8bGludXgvdWlkZ2lkLmg+DQo+ID4gPiA+IMKgI2luY2x1ZGUgPGxp
bnV4L3V0c25hbWUuaD4NCj4gPiA+ID4gQEAgLTY4LDcgKzY4LDcgQEAgc3RydWN0IHJwY19jcmVk
IHsNCj4gPiA+ID4gwqAjZW5kaWYNCj4gPiA+ID4gwqAJdW5zaWduZWQgbG9uZwkJY3JfZXhwaXJl
OwkvKiB3aGVuDQo+ID4gPiA+IHRvIGdjDQo+ID4gPiA+ICovDQo+ID4gPiA+IMKgCXVuc2lnbmVk
IGxvbmcJCWNyX2ZsYWdzOwkvKiB2YXJpb3VzDQo+ID4gPiA+IGZsYWdzICovDQo+ID4gPiA+IC0J
YXRvbWljX3QJCWNyX2NvdW50OwkvKiByZWYgY291bnQgKi8NCj4gPiA+ID4gKwlyZWZjb3VudF90
CQljcl9jb3VudDsJLyogcmVmIGNvdW50DQo+ID4gPiA+ICovDQo+ID4gPiA+DQo+ID4gPg0KPiA+
ID4gTkFDSy4gVGhhdCdzIGdvaW5nIHRvIGJlIGhpdHRpbmcNCj4gPiA+IFdBUk5fT05DRSghcmVm
Y291bnRfaW5jX25vdF96ZXJvKHIpLA0KPiA+ID4gInJlZmNvdW50X3Q6IGluY3JlbWVudCBvbiAw
OyB1c2UtYWZ0ZXItZnJlZS5cbiIpIGxpa2UgdGhlcmUncyBubw0KPiA+ID4gdG9tb3Jyb3cuLi4N
Cj4gPiA+DQo+ID4gPiBQbGVhc2Ugc3RvcCB3aXRoIHRoZXNlIGF1dG9tYXRlZCBjb252ZXJzaW9u
cy4gVGhleSBhcmUgZ29pbmcgdG8NCj4gPiA+IGNhdXNlIGENCj4gPiA+IGxvdCBtb3JlIGJ1Z3Mg
dGhhbiB0aGV5IGZpeC4NCj4gPiA+DQo+ID4NCj4gPiBBZ3JlZWQuIFRoZXNlIHBhdGNoc2V0cyBh
cmUgdG91Y2hpbmcgcGxhY2VzIHdoZXJlIHdlJ3ZlIGFscmVhZHkNCj4gPiBiYW5nZWQNCj4gPiBv
dXQgbW9zdCBvZiB0aGUgcmVmY291bnRpbmcgYnVncy4gSSdtIGFnYWluc3QgZG9pbmcgbGFyZ2Ug
c2NhbGUNCj4gPiBjb252ZXJzaW9ucyBsaWtlIHRoaXMgd2l0aG91dCBhIGRhbW5lZCBnb29kIHJl
YXNvbi4NCj4gPg0KPiA+IEkgdGhpbmsgaXQgbWF5IGJlIGJlc3QgdG8gZG8gdGhpcyBzb3J0IG9m
IHRoaW5nIGluIGEgbW9yZSBwaWVjZW1lYWwNCj4gPiBmYXNoaW9uLiBQaWNrIGEgc3Vic3lzdGVt
IG9yIHR3byBhbmQgZG8gdGhlIGNvbnZlcnNpb25zIHRoZXJlIHRvDQo+ID4gcHJvdmUNCj4gPiB0
aGF0IHRoZXkncmUgYmV0dGVyIHRoYW4gd2hhdCB3ZSBoYXZlLiBJZiB0aGUgc3Vic3lzdGVtIGFs
cmVhZHkgaGFzDQo+ID4gcHJvYmxlbXMgd2l0aCBpdHMgcmVmY291bnRpbmcsIHRoZW4gc28gbXVj
aCB0aGUgYmV0dGVyLiBQb2ludCB0byBidWdzDQo+ID4gdGhhdCB0aGlzIG5ldyBpbmZyYXN0cnVj
dHVyZSBoZWxwZWQgZmluZC4NCj4gPg0KPiA+IEVuY291cmFnZSBwZW9wbGUgdG8gYWRvcHQgeW91
ciBuZXcgaW5mcmFzdHJ1Y3R1cmUgYXMgbmV3IHJlZmNvdW50ZWQNCj4gPiBvYmplY3RzIGFyZSBp
bnRyb2R1Y2VkIGludG8gdGhlIGtlcm5lbC4gWW91IG1pZ2h0IGV2ZW4gY29uc2lkZXIgYSBMV04N
Cj4gPiBhcnRpY2xlIGFib3V0IHRoaXMuDQo+ID4NCj4gPiBFdmVudHVhbGx5IHdlJ2xsIGdldCBh
cm91bmQgdG8gY2hhbmdpbmcgZXhpc3RpbmcgY29kZSB0byB1c2UgaXQsIG9uY2UNCj4gPiB0aGVy
ZSBpcyBhIHN1ZmZpY2llbnQgYWR2YW50YWdlIHRvIGRvaW5nIHNvLiBNb3N0IGxpa2VseSB3aGVu
IHdlJ3JlDQo+ID4gcmV3b3JraW5nIHRoZSBjb2RlIGZvciBvdGhlciByZWFzb25zLCBvciB3aGVu
IHdlJ3JlIGNoYXNpbmcgc29tZQ0KPiA+IGhvcnJpZA0KPiA+IHJlZmNvdW50aW5nIGJ1ZyBhbmQg
dGhpbmsgdGhhdCB0aGlzIG1pZ2h0IGhlbHAgZmluZCBpdC4NCj4gDQo+IFRoZSBtYWluIGlzc3Vl
IGlzIHRoYXQgdGhpcyAicmVmY291bnRfdCIgaW1wbGVtZW50YXRpb24gYXBwZWFycyB0byBiZQ0K
PiBhc3N1bWluZyB0aGF0IHRoZXJlIGlzIG9uZSBhbmQgb25seSBvbmUgbW9kZWwgZm9yIHJlZmNv
dW50cyAodGhlIG9uZQ0KPiB3aGVyZSBhIHZhbHVlIG9mICIwIiBtZWFucyAiZnJlZSBtZSBpbW1l
ZGlhdGVseSIpLg0KPiANCj4gVGhlIGtlcm5lbCBoYXMgYSBwbGV0aG9yYSBvZiBvYmplY3QgY2Fj
aGluZyBpbXBsZW1lbnRhdGlvbnMgd2hlcmUgdGhpcw0KPiBpcyBzaW1wbHkgbm90IHRoZSBjYXNl
OyB0aGUgZGNhY2hlIGlzIGEgcHJpbWUgZXhhbXBsZSwgYW5kIHRoaXMgY2FjaGUNCj4gaXMgYW5v
dGhlci4gSW4gYm90aCB0aGVzZSBpbXBsZW1lbnRhdGlvbiwgdGhlIGF0b21pY190IHZhcmlhYmxl
IGlzDQo+IGJlaW5nIHVzZWQgbW9yZSBhcyBhIHNlbWFwaG9yZS1zdHlsZSBsb2NrIHRoYXQgcHJl
dmVudHMgZnJlZWluZyBvZiB0aGUNCj4gb2JqZWN0IHdoaWxlIGl0IGlzIGluIGFjdGl2ZSB1c2Ug
YXMgb3Bwb3NlZCB0byBiZWluZyBmcmVlYWJsZSwgYnV0DQo+IGNhY2hlZC4gVGhpcyBpcyB3aHkg
dGhlc2UgYXV0b21hdGVkIGNvbnZlcnNpb25zIGFyZSBhIG51aXNhbmNlIGFuZCBhDQo+IHNvdXJj
ZSBvZiBidWdzLg0KDQpPaywgaW4gdGhpcyBwYXJ0aWN1bGFyIHBhdGNoIEkgYWdyZWUgdGhhdCB3
ZSBtaXNzZWQgdGhhdCBvYmplY3QgaXMgYmVpbmcgcmV1c2VkIA0KKGFuZCB5ZXMgdGhlcmUgYXJl
IG1hbnkgcGFydHMgaW4ga2VybmVsIHdoZXJlIHNpbWlsYXIgdGhpbmcgaGFwcGVucyBhcyB3ZSBs
ZWFybmVkIGZyb20gdGhpcyBleGVyY2lzZSkuIA0KTm90ZSB0aGF0IHJlZmNvdW50X3QgaW1wbGVt
ZW50YXRpb24gaXMgZmluZSB3aXRoIHlvdSAiY29ycmVjdGx5IiByZXVzaW5nIHlvdXIgb2JqZWN0
Og0KaS5lLiB3aGVuIGNvdW50ZXIgcmVhY2hlcyB6ZXJvLCB5b3UgdGFrZSB0aGUgb2JqZWN0IGF3
YXkgZnJvbSBhY3RpdmUgdXNlLCBidXQgaXQgbWlnaHQgc3RpbGwgc3RheSBpbiBjYWNoZS4gDQpC
VVQgd2hlbiB5b3UgZ2V0IGEgbmV3IG9iamVjdCBmcm9tIGNhY2hlIHlvdSBzaG91bGQgaW5pdGlh
bGl6ZSByZWZjb3VudGVyIHByb3Blcmx5OiBzZXQgaXQgdG8gb25lIHZzLiBqdXN0IGRvIGEgImlu
YyIgb24gaXQuIA0KUHJvYmxlbSByZWFsbHkgY29tZXMgZnJvbSB0aGlzICJpbmNyZW1lbnQgbWUg
ZnJvbSB6ZXJvIi4gDQoNCkFuZCB0aGUgZ29hbCB3aXRoIHRoZXNlIGNvbnZlcnNpb25zIGlzIHRv
IHRha2UgYSBsb29rIGJyb2FkbHkgb24gdGhlIGtlcm5lbCBzb3VyY2UgYW5kIGRldGVybWluZSAo
d2l0aCB0aGUgZmVlZGJhY2sgZnJvbSBtYWludGFpbmVycyB3aG8ga25vdyBjb2RlIGJlc3QsIGxp
a2UgeW91ciBmZWVkYmFjayBub3cpIHdoYXQgY2FuIGJlIGNvbnZlcnRlZCBhbHJlYWR5IG5vdy4g
DQpNYWludGFpbmVycyBrbm93IHRoZWlyIGNvZGUgYW5kIHRoZWlyIHVzYWdlIG9mIGNvdW50ZXJz
LCBzbyBpZiBpdCBkb2Vzbid0IG1ha2Ugc2Vuc2UgdG8gZG8gaXQgaW4gYSBwYXJ0aWN1bGFyIHBs
YWNlIChiZWNhdXNlIG9mIGVycm9ycyBvciBvdGhlciByZWFzb25zKSwgdGhlbiBpdCBkb2Vzbid0
LiANCkJ1dCBtb3JlIHdlIGNvdmVyIHdpdGggbmV3IHJlZmNvdW50X3QsIGxlc3MgY2hhbmNlcyB3
ZSBoYXZlIHdpdGggZXZlciBoaXR0aW5nIHJlZmNvdW50ZXIgYnVncyBhbnl3aGVyZSBpbiB0aGUg
ZnV0dXJlLiANCg0KQmVzdCBSZWdhcmRzLA0KRWxlbmEuDQoNCj4gDQo+IC0tDQo+IFRyb25kIE15
a2xlYnVzdA0KPiBMaW51eCBORlMgY2xpZW50IG1haW50YWluZXIsIFByaW1hcnlEYXRhDQo+IHRy
b25kLm15a2xlYnVzdEBwcmltYXJ5ZGF0YS5jb20NCg==

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 04/23] net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
  2017-03-17 12:10   ` Elena Reshetova
@ 2017-03-24 13:20     ` Ilya Dryomov
  -1 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:20 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-rdma, David S. Miller, linux-x25,
	linux-sctp, vyasevich, nhorman, linux-hams, linux-nfs,
	Ceph Development, Yan, Zheng, Sage Weil, bfields, Jeff Layton,
	steffen.klassert, Herbert Xu, santosh.shilimkar, jreuter, ralf,
	peterz, Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/ceph/libceph.h | 3 ++-
>  net/ceph/snapshot.c          | 6 +++---
>  2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
> index 1816c5e..26dc674 100644
> --- a/include/linux/ceph/libceph.h
> +++ b/include/linux/ceph/libceph.h
> @@ -14,6 +14,7 @@
>  #include <linux/wait.h>
>  #include <linux/writeback.h>
>  #include <linux/slab.h>
> +#include <linux/refcount.h>
>
>  #include <linux/ceph/types.h>
>  #include <linux/ceph/messenger.h>
> @@ -159,7 +160,7 @@ struct ceph_client {
>   * dirtied.
>   */
>  struct ceph_snap_context {
> -       atomic_t nref;
> +       refcount_t nref;
>         u64 seq;
>         u32 num_snaps;
>         u64 snaps[];
> diff --git a/net/ceph/snapshot.c b/net/ceph/snapshot.c
> index 705414e..e14a5d0 100644
> --- a/net/ceph/snapshot.c
> +++ b/net/ceph/snapshot.c
> @@ -49,7 +49,7 @@ struct ceph_snap_context *ceph_create_snap_context(u32 snap_count,
>         if (!snapc)
>                 return NULL;
>
> -       atomic_set(&snapc->nref, 1);
> +       refcount_set(&snapc->nref, 1);
>         snapc->num_snaps = snap_count;
>
>         return snapc;
> @@ -59,7 +59,7 @@ EXPORT_SYMBOL(ceph_create_snap_context);
>  struct ceph_snap_context *ceph_get_snap_context(struct ceph_snap_context *sc)
>  {
>         if (sc)
> -               atomic_inc(&sc->nref);
> +               refcount_inc(&sc->nref);
>         return sc;
>  }
>  EXPORT_SYMBOL(ceph_get_snap_context);
> @@ -68,7 +68,7 @@ void ceph_put_snap_context(struct ceph_snap_context *sc)
>  {
>         if (!sc)
>                 return;
> -       if (atomic_dec_and_test(&sc->nref)) {
> +       if (refcount_dec_and_test(&sc->nref)) {
>                 /*printk(" deleting snap_context %p\n", sc);*/
>                 kfree(sc);
>         }

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 04/23] net, ceph: convert ceph_snap_context.nref from atomic_t to refcount_t
@ 2017-03-24 13:20     ` Ilya Dryomov
  0 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:20 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-rdma, David S. Miller, linux-x25,
	linux-sctp, vyasevich, nhorman, linux-hams, linux-nfs,
	Ceph Development, Yan, Zheng, Sage Weil, bfields, Jeff Layton,
	steffen.klassert, Herbert Xu, santosh.shilimkar, jreuter, ralf,
	peterz, Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/ceph/libceph.h | 3 ++-
>  net/ceph/snapshot.c          | 6 +++---
>  2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/include/linux/ceph/libceph.h b/include/linux/ceph/libceph.h
> index 1816c5e..26dc674 100644
> --- a/include/linux/ceph/libceph.h
> +++ b/include/linux/ceph/libceph.h
> @@ -14,6 +14,7 @@
>  #include <linux/wait.h>
>  #include <linux/writeback.h>
>  #include <linux/slab.h>
> +#include <linux/refcount.h>
>
>  #include <linux/ceph/types.h>
>  #include <linux/ceph/messenger.h>
> @@ -159,7 +160,7 @@ struct ceph_client {
>   * dirtied.
>   */
>  struct ceph_snap_context {
> -       atomic_t nref;
> +       refcount_t nref;
>         u64 seq;
>         u32 num_snaps;
>         u64 snaps[];
> diff --git a/net/ceph/snapshot.c b/net/ceph/snapshot.c
> index 705414e..e14a5d0 100644
> --- a/net/ceph/snapshot.c
> +++ b/net/ceph/snapshot.c
> @@ -49,7 +49,7 @@ struct ceph_snap_context *ceph_create_snap_context(u32 snap_count,
>         if (!snapc)
>                 return NULL;
>
> -       atomic_set(&snapc->nref, 1);
> +       refcount_set(&snapc->nref, 1);
>         snapc->num_snaps = snap_count;
>
>         return snapc;
> @@ -59,7 +59,7 @@ EXPORT_SYMBOL(ceph_create_snap_context);
>  struct ceph_snap_context *ceph_get_snap_context(struct ceph_snap_context *sc)
>  {
>         if (sc)
> -               atomic_inc(&sc->nref);
> +               refcount_inc(&sc->nref);
>         return sc;
>  }
>  EXPORT_SYMBOL(ceph_get_snap_context);
> @@ -68,7 +68,7 @@ void ceph_put_snap_context(struct ceph_snap_context *sc)
>  {
>         if (!sc)
>                 return;
> -       if (atomic_dec_and_test(&sc->nref)) {
> +       if (refcount_dec_and_test(&sc->nref)) {
>                 /*printk(" deleting snap_context %p\n", sc);*/
>                 kfree(sc);
>         }

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 05/23] net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
  2017-03-17 12:10   ` Elena Reshetova
  (?)
@ 2017-03-24 13:49       ` Ilya Dryomov
  -1 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, David S. Miller,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, Ceph Development, Yan, Zheng,
	Sage Weil, bfields-uC3wQj2KruNg9hUCZPvPmw, Jeff Layton,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ, Herbert Xu,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  include/linux/ceph/osd_client.h |  3 ++-
>  net/ceph/osd_client.c           | 16 ++++++++--------
>  2 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h
> index 2ea0c28..5ce0cd6 100644
> --- a/include/linux/ceph/osd_client.h
> +++ b/include/linux/ceph/osd_client.h
> @@ -5,6 +5,7 @@
>  #include <linux/kref.h>
>  #include <linux/mempool.h>
>  #include <linux/rbtree.h>
> +#include <linux/refcount.h>
>
>  #include <linux/ceph/types.h>
>  #include <linux/ceph/osdmap.h>
> @@ -27,7 +28,7 @@ typedef void (*ceph_osdc_callback_t)(struct ceph_osd_request *);
>
>  /* a given osd we're communicating with */
>  struct ceph_osd {
> -       atomic_t o_ref;
> +       refcount_t o_ref;
>         struct ceph_osd_client *o_osdc;
>         int o_osd;
>         int o_incarnation;
> diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
> index b65bbf9..99a51f0 100644
> --- a/net/ceph/osd_client.c
> +++ b/net/ceph/osd_client.c
> @@ -1005,7 +1005,7 @@ static bool osd_registered(struct ceph_osd *osd)
>   */
>  static void osd_init(struct ceph_osd *osd)
>  {
> -       atomic_set(&osd->o_ref, 1);
> +       refcount_set(&osd->o_ref, 1);
>         RB_CLEAR_NODE(&osd->o_node);
>         osd->o_requests = RB_ROOT;
>         osd->o_linger_requests = RB_ROOT;
> @@ -1050,9 +1050,9 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc, int onum)
>
>  static struct ceph_osd *get_osd(struct ceph_osd *osd)
>  {
> -       if (atomic_inc_not_zero(&osd->o_ref)) {
> -               dout("get_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref)-1,
> -                    atomic_read(&osd->o_ref));
> +       if (refcount_inc_not_zero(&osd->o_ref)) {
> +               dout("get_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref)-1,
> +                    refcount_read(&osd->o_ref));
>                 return osd;
>         } else {
>                 dout("get_osd %p FAIL\n", osd);
> @@ -1062,9 +1062,9 @@ static struct ceph_osd *get_osd(struct ceph_osd *osd)
>
>  static void put_osd(struct ceph_osd *osd)
>  {
> -       dout("put_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref),
> -            atomic_read(&osd->o_ref) - 1);
> -       if (atomic_dec_and_test(&osd->o_ref)) {
> +       dout("put_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref),
> +            refcount_read(&osd->o_ref) - 1);
> +       if (refcount_dec_and_test(&osd->o_ref)) {
>                 osd_cleanup(osd);
>                 kfree(osd);
>         }
> @@ -4092,7 +4092,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
>                 close_osd(osd);
>         }
>         up_write(&osdc->lock);
> -       WARN_ON(atomic_read(&osdc->homeless_osd.o_ref) != 1);
> +       WARN_ON(refcount_read(&osdc->homeless_osd.o_ref) != 1);
>         osd_cleanup(&osdc->homeless_osd);
>
>         WARN_ON(!list_empty(&osdc->osd_lru));

Applied.

Thanks,

                Ilya
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 05/23] net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
@ 2017-03-24 13:49       ` Ilya Dryomov
  0 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-rdma, David S. Miller, linux-x25,
	linux-sctp, vyasevich, nhorman, linux-hams, linux-nfs,
	Ceph Development, Yan, Zheng, Sage Weil, bfields, Jeff Layton,
	steffen.klassert, Herbert Xu, santosh.shilimkar, jreuter, ralf,
	peterz, Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/ceph/osd_client.h |  3 ++-
>  net/ceph/osd_client.c           | 16 ++++++++--------
>  2 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h
> index 2ea0c28..5ce0cd6 100644
> --- a/include/linux/ceph/osd_client.h
> +++ b/include/linux/ceph/osd_client.h
> @@ -5,6 +5,7 @@
>  #include <linux/kref.h>
>  #include <linux/mempool.h>
>  #include <linux/rbtree.h>
> +#include <linux/refcount.h>
>
>  #include <linux/ceph/types.h>
>  #include <linux/ceph/osdmap.h>
> @@ -27,7 +28,7 @@ typedef void (*ceph_osdc_callback_t)(struct ceph_osd_request *);
>
>  /* a given osd we're communicating with */
>  struct ceph_osd {
> -       atomic_t o_ref;
> +       refcount_t o_ref;
>         struct ceph_osd_client *o_osdc;
>         int o_osd;
>         int o_incarnation;
> diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
> index b65bbf9..99a51f0 100644
> --- a/net/ceph/osd_client.c
> +++ b/net/ceph/osd_client.c
> @@ -1005,7 +1005,7 @@ static bool osd_registered(struct ceph_osd *osd)
>   */
>  static void osd_init(struct ceph_osd *osd)
>  {
> -       atomic_set(&osd->o_ref, 1);
> +       refcount_set(&osd->o_ref, 1);
>         RB_CLEAR_NODE(&osd->o_node);
>         osd->o_requests = RB_ROOT;
>         osd->o_linger_requests = RB_ROOT;
> @@ -1050,9 +1050,9 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc, int onum)
>
>  static struct ceph_osd *get_osd(struct ceph_osd *osd)
>  {
> -       if (atomic_inc_not_zero(&osd->o_ref)) {
> -               dout("get_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref)-1,
> -                    atomic_read(&osd->o_ref));
> +       if (refcount_inc_not_zero(&osd->o_ref)) {
> +               dout("get_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref)-1,
> +                    refcount_read(&osd->o_ref));
>                 return osd;
>         } else {
>                 dout("get_osd %p FAIL\n", osd);
> @@ -1062,9 +1062,9 @@ static struct ceph_osd *get_osd(struct ceph_osd *osd)
>
>  static void put_osd(struct ceph_osd *osd)
>  {
> -       dout("put_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref),
> -            atomic_read(&osd->o_ref) - 1);
> -       if (atomic_dec_and_test(&osd->o_ref)) {
> +       dout("put_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref),
> +            refcount_read(&osd->o_ref) - 1);
> +       if (refcount_dec_and_test(&osd->o_ref)) {
>                 osd_cleanup(osd);
>                 kfree(osd);
>         }
> @@ -4092,7 +4092,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
>                 close_osd(osd);
>         }
>         up_write(&osdc->lock);
> -       WARN_ON(atomic_read(&osdc->homeless_osd.o_ref) != 1);
> +       WARN_ON(refcount_read(&osdc->homeless_osd.o_ref) != 1);
>         osd_cleanup(&osdc->homeless_osd);
>
>         WARN_ON(!list_empty(&osdc->osd_lru));

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 05/23] net, ceph: convert ceph_osd.o_ref from atomic_t to refcount_t
@ 2017-03-24 13:49       ` Ilya Dryomov
  0 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, David S. Miller,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, Ceph Development, Yan, Zheng,
	Sage Weil, bfields-uC3wQj2KruNg9hUCZPvPmw, Jeff Layton,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ, Herbert Xu,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  include/linux/ceph/osd_client.h |  3 ++-
>  net/ceph/osd_client.c           | 16 ++++++++--------
>  2 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h
> index 2ea0c28..5ce0cd6 100644
> --- a/include/linux/ceph/osd_client.h
> +++ b/include/linux/ceph/osd_client.h
> @@ -5,6 +5,7 @@
>  #include <linux/kref.h>
>  #include <linux/mempool.h>
>  #include <linux/rbtree.h>
> +#include <linux/refcount.h>
>
>  #include <linux/ceph/types.h>
>  #include <linux/ceph/osdmap.h>
> @@ -27,7 +28,7 @@ typedef void (*ceph_osdc_callback_t)(struct ceph_osd_request *);
>
>  /* a given osd we're communicating with */
>  struct ceph_osd {
> -       atomic_t o_ref;
> +       refcount_t o_ref;
>         struct ceph_osd_client *o_osdc;
>         int o_osd;
>         int o_incarnation;
> diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c
> index b65bbf9..99a51f0 100644
> --- a/net/ceph/osd_client.c
> +++ b/net/ceph/osd_client.c
> @@ -1005,7 +1005,7 @@ static bool osd_registered(struct ceph_osd *osd)
>   */
>  static void osd_init(struct ceph_osd *osd)
>  {
> -       atomic_set(&osd->o_ref, 1);
> +       refcount_set(&osd->o_ref, 1);
>         RB_CLEAR_NODE(&osd->o_node);
>         osd->o_requests = RB_ROOT;
>         osd->o_linger_requests = RB_ROOT;
> @@ -1050,9 +1050,9 @@ static struct ceph_osd *create_osd(struct ceph_osd_client *osdc, int onum)
>
>  static struct ceph_osd *get_osd(struct ceph_osd *osd)
>  {
> -       if (atomic_inc_not_zero(&osd->o_ref)) {
> -               dout("get_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref)-1,
> -                    atomic_read(&osd->o_ref));
> +       if (refcount_inc_not_zero(&osd->o_ref)) {
> +               dout("get_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref)-1,
> +                    refcount_read(&osd->o_ref));
>                 return osd;
>         } else {
>                 dout("get_osd %p FAIL\n", osd);
> @@ -1062,9 +1062,9 @@ static struct ceph_osd *get_osd(struct ceph_osd *osd)
>
>  static void put_osd(struct ceph_osd *osd)
>  {
> -       dout("put_osd %p %d -> %d\n", osd, atomic_read(&osd->o_ref),
> -            atomic_read(&osd->o_ref) - 1);
> -       if (atomic_dec_and_test(&osd->o_ref)) {
> +       dout("put_osd %p %d -> %d\n", osd, refcount_read(&osd->o_ref),
> +            refcount_read(&osd->o_ref) - 1);
> +       if (refcount_dec_and_test(&osd->o_ref)) {
>                 osd_cleanup(osd);
>                 kfree(osd);
>         }
> @@ -4092,7 +4092,7 @@ void ceph_osdc_stop(struct ceph_osd_client *osdc)
>                 close_osd(osd);
>         }
>         up_write(&osdc->lock);
> -       WARN_ON(atomic_read(&osdc->homeless_osd.o_ref) != 1);
> +       WARN_ON(refcount_read(&osdc->homeless_osd.o_ref) != 1);
>         osd_cleanup(&osdc->homeless_osd);
>
>         WARN_ON(!list_empty(&osdc->osd_lru));

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
  2017-03-17 12:10   ` Elena Reshetova
  (?)
@ 2017-03-24 13:49       ` Ilya Dryomov
  -1 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, David S. Miller,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, Ceph Development, Yan, Zheng,
	Sage Weil, bfields-uC3wQj2KruNg9hUCZPvPmw, Jeff Layton,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ, Herbert Xu,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> Signed-off-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> ---
>  fs/ceph/mds_client.c          | 2 +-
>  include/linux/ceph/pagelist.h | 6 +++---
>  net/ceph/pagelist.c           | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index c681762..7b38e6c 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -1991,7 +1991,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
>
>         if (req->r_pagelist) {
>                 struct ceph_pagelist *pagelist = req->r_pagelist;
> -               atomic_inc(&pagelist->refcnt);
> +               refcount_inc(&pagelist->refcnt);
>                 ceph_msg_data_add_pagelist(msg, pagelist);
>                 msg->hdr.data_len = cpu_to_le32(pagelist->length);
>         } else {
> diff --git a/include/linux/ceph/pagelist.h b/include/linux/ceph/pagelist.h
> index 13d71fe..75a7db2 100644
> --- a/include/linux/ceph/pagelist.h
> +++ b/include/linux/ceph/pagelist.h
> @@ -2,7 +2,7 @@
>  #define __FS_CEPH_PAGELIST_H
>
>  #include <asm/byteorder.h>
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/list.h>
>  #include <linux/types.h>
>
> @@ -13,7 +13,7 @@ struct ceph_pagelist {
>         size_t room;
>         struct list_head free_list;
>         size_t num_pages_free;
> -       atomic_t refcnt;
> +       refcount_t refcnt;
>  };
>
>  struct ceph_pagelist_cursor {
> @@ -30,7 +30,7 @@ static inline void ceph_pagelist_init(struct ceph_pagelist *pl)
>         pl->room = 0;
>         INIT_LIST_HEAD(&pl->free_list);
>         pl->num_pages_free = 0;
> -       atomic_set(&pl->refcnt, 1);
> +       refcount_set(&pl->refcnt, 1);
>  }
>
>  extern void ceph_pagelist_release(struct ceph_pagelist *pl);
> diff --git a/net/ceph/pagelist.c b/net/ceph/pagelist.c
> index 6864007..ce09f73 100644
> --- a/net/ceph/pagelist.c
> +++ b/net/ceph/pagelist.c
> @@ -16,7 +16,7 @@ static void ceph_pagelist_unmap_tail(struct ceph_pagelist *pl)
>
>  void ceph_pagelist_release(struct ceph_pagelist *pl)
>  {
> -       if (!atomic_dec_and_test(&pl->refcnt))
> +       if (!refcount_dec_and_test(&pl->refcnt))
>                 return;
>         ceph_pagelist_unmap_tail(pl);
>         while (!list_empty(&pl->head)) {

Applied.

Thanks,

                Ilya
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
@ 2017-03-24 13:49       ` Ilya Dryomov
  0 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-rdma, David S. Miller, linux-x25,
	linux-sctp, vyasevich, nhorman, linux-hams, linux-nfs,
	Ceph Development, Yan, Zheng, Sage Weil, bfields, Jeff Layton,
	steffen.klassert, Herbert Xu, santosh.shilimkar, jreuter, ralf,
	peterz, Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  fs/ceph/mds_client.c          | 2 +-
>  include/linux/ceph/pagelist.h | 6 +++---
>  net/ceph/pagelist.c           | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index c681762..7b38e6c 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -1991,7 +1991,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
>
>         if (req->r_pagelist) {
>                 struct ceph_pagelist *pagelist = req->r_pagelist;
> -               atomic_inc(&pagelist->refcnt);
> +               refcount_inc(&pagelist->refcnt);
>                 ceph_msg_data_add_pagelist(msg, pagelist);
>                 msg->hdr.data_len = cpu_to_le32(pagelist->length);
>         } else {
> diff --git a/include/linux/ceph/pagelist.h b/include/linux/ceph/pagelist.h
> index 13d71fe..75a7db2 100644
> --- a/include/linux/ceph/pagelist.h
> +++ b/include/linux/ceph/pagelist.h
> @@ -2,7 +2,7 @@
>  #define __FS_CEPH_PAGELIST_H
>
>  #include <asm/byteorder.h>
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/list.h>
>  #include <linux/types.h>
>
> @@ -13,7 +13,7 @@ struct ceph_pagelist {
>         size_t room;
>         struct list_head free_list;
>         size_t num_pages_free;
> -       atomic_t refcnt;
> +       refcount_t refcnt;
>  };
>
>  struct ceph_pagelist_cursor {
> @@ -30,7 +30,7 @@ static inline void ceph_pagelist_init(struct ceph_pagelist *pl)
>         pl->room = 0;
>         INIT_LIST_HEAD(&pl->free_list);
>         pl->num_pages_free = 0;
> -       atomic_set(&pl->refcnt, 1);
> +       refcount_set(&pl->refcnt, 1);
>  }
>
>  extern void ceph_pagelist_release(struct ceph_pagelist *pl);
> diff --git a/net/ceph/pagelist.c b/net/ceph/pagelist.c
> index 6864007..ce09f73 100644
> --- a/net/ceph/pagelist.c
> +++ b/net/ceph/pagelist.c
> @@ -16,7 +16,7 @@ static void ceph_pagelist_unmap_tail(struct ceph_pagelist *pl)
>
>  void ceph_pagelist_release(struct ceph_pagelist *pl)
>  {
> -       if (!atomic_dec_and_test(&pl->refcnt))
> +       if (!refcount_dec_and_test(&pl->refcnt))
>                 return;
>         ceph_pagelist_unmap_tail(pl);
>         while (!list_empty(&pl->head)) {

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

* Re: [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt from atomic_t to refcount_t
@ 2017-03-24 13:49       ` Ilya Dryomov
  0 siblings, 0 replies; 80+ messages in thread
From: Ilya Dryomov @ 2017-03-24 13:49 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, David S. Miller,
	linux-x25-u79uwXL29TY76Z2rM5mHXA,
	linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	vyasevich-Re5JQEeQqe8AvxtiuMwx3w, nhorman-2XuSBdqkA4R54TAoqtyWWQ,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-nfs-u79uwXL29TY76Z2rM5mHXA, Ceph Development, Yan, Zheng,
	Sage Weil, bfields-uC3wQj2KruNg9hUCZPvPmw, Jeff Layton,
	steffen.klassert-opNxpl+3fjRBDgjK7y7TUQ, Herbert Xu,
	santosh.shilimkar-QHcLZuEGTsvQT0dZR+AlfA, jreuter-K7Hl1MveuGQ,
	ralf-6z/3iImG2C8G8FEW9MqTrA, peterz-wEGCiKHe2LqWVfeAwA7xHQ,
	Kees Cook, Hans Liljestrand, David Windsor

On Fri, Mar 17, 2017 at 1:10 PM, Elena Reshetova
<elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  fs/ceph/mds_client.c          | 2 +-
>  include/linux/ceph/pagelist.h | 6 +++---
>  net/ceph/pagelist.c           | 2 +-
>  3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index c681762..7b38e6c 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -1991,7 +1991,7 @@ static struct ceph_msg *create_request_message(struct ceph_mds_client *mdsc,
>
>         if (req->r_pagelist) {
>                 struct ceph_pagelist *pagelist = req->r_pagelist;
> -               atomic_inc(&pagelist->refcnt);
> +               refcount_inc(&pagelist->refcnt);
>                 ceph_msg_data_add_pagelist(msg, pagelist);
>                 msg->hdr.data_len = cpu_to_le32(pagelist->length);
>         } else {
> diff --git a/include/linux/ceph/pagelist.h b/include/linux/ceph/pagelist.h
> index 13d71fe..75a7db2 100644
> --- a/include/linux/ceph/pagelist.h
> +++ b/include/linux/ceph/pagelist.h
> @@ -2,7 +2,7 @@
>  #define __FS_CEPH_PAGELIST_H
>
>  #include <asm/byteorder.h>
> -#include <linux/atomic.h>
> +#include <linux/refcount.h>
>  #include <linux/list.h>
>  #include <linux/types.h>
>
> @@ -13,7 +13,7 @@ struct ceph_pagelist {
>         size_t room;
>         struct list_head free_list;
>         size_t num_pages_free;
> -       atomic_t refcnt;
> +       refcount_t refcnt;
>  };
>
>  struct ceph_pagelist_cursor {
> @@ -30,7 +30,7 @@ static inline void ceph_pagelist_init(struct ceph_pagelist *pl)
>         pl->room = 0;
>         INIT_LIST_HEAD(&pl->free_list);
>         pl->num_pages_free = 0;
> -       atomic_set(&pl->refcnt, 1);
> +       refcount_set(&pl->refcnt, 1);
>  }
>
>  extern void ceph_pagelist_release(struct ceph_pagelist *pl);
> diff --git a/net/ceph/pagelist.c b/net/ceph/pagelist.c
> index 6864007..ce09f73 100644
> --- a/net/ceph/pagelist.c
> +++ b/net/ceph/pagelist.c
> @@ -16,7 +16,7 @@ static void ceph_pagelist_unmap_tail(struct ceph_pagelist *pl)
>
>  void ceph_pagelist_release(struct ceph_pagelist *pl)
>  {
> -       if (!atomic_dec_and_test(&pl->refcnt))
> +       if (!refcount_dec_and_test(&pl->refcnt))
>                 return;
>         ceph_pagelist_unmap_tail(pl);
>         while (!list_empty(&pl->head)) {

Applied.

Thanks,

                Ilya

^ permalink raw reply	[flat|nested] 80+ messages in thread

end of thread, other threads:[~2017-03-24 13:50 UTC | newest]

Thread overview: 80+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-17 12:10 [PATCH 00/23] various networking refcount conversions, part 2 Elena Reshetova
2017-03-17 12:10 ` Elena Reshetova
2017-03-17 12:10 ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 01/23] net, sunrpc: convert rpc_cred.cr_count from atomic_t to refcount_t Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
     [not found]   ` <1489752646-8749-2-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-03-17 12:50     ` Trond Myklebust
2017-03-17 12:50       ` Trond Myklebust
2017-03-17 12:50       ` Trond Myklebust
2017-03-17 12:50       ` Trond Myklebust
2017-03-17 12:50       ` Trond Myklebust
2017-03-17 13:02       ` Jeff Layton
2017-03-17 13:02         ` Jeff Layton
2017-03-17 13:02         ` Jeff Layton
     [not found]         ` <1489755736.2810.10.camel-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>
2017-03-17 14:28           ` Trond Myklebust
2017-03-17 14:28             ` Trond Myklebust
2017-03-17 14:28             ` Trond Myklebust
2017-03-17 14:28             ` Trond Myklebust
2017-03-20 16:15             ` Reshetova, Elena
2017-03-20 16:15               ` Reshetova, Elena
2017-03-20 16:15               ` Reshetova, Elena
2017-03-20 16:15               ` Reshetova, Elena
2017-03-17 12:10 ` [PATCH 02/23] net, sunrpc: convert gss_cl_ctx.count " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 03/23] net, sunrpc: convert gss_upcall_msg.count " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 04/23] net, ceph: convert ceph_snap_context.nref " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-24 13:20   ` Ilya Dryomov
2017-03-24 13:20     ` Ilya Dryomov
2017-03-17 12:10 ` [PATCH 05/23] net, ceph: convert ceph_osd.o_ref " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
     [not found]   ` <1489752646-8749-6-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-03-24 13:49     ` Ilya Dryomov
2017-03-24 13:49       ` Ilya Dryomov
2017-03-24 13:49       ` Ilya Dryomov
2017-03-17 12:10 ` [PATCH 06/23] net, ceph: convert ceph_pagelist.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
     [not found]   ` <1489752646-8749-7-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-03-24 13:49     ` Ilya Dryomov
2017-03-24 13:49       ` Ilya Dryomov
2017-03-24 13:49       ` Ilya Dryomov
2017-03-17 12:10 ` [PATCH 07/23] net, rds: convert rds_ib_device.refcount " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 08/23] net, rds: convert rds_incoming.i_refcount " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 09/23] net, rds: convert rds_mr.r_refcount " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 11/23] net, x25: convert x25_route.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 12/23] net, x25: convert x25_neigh.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 15/23] net, xfrm: convert sec_path.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 16/23] net, sctp: convert sctp_auth_bytes.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 17/23] net, sctp: convert sctp_datamsg.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 20/23] net, sctp: convert sctp_ep_common.refcnt " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova
     [not found] ` <1489752646-8749-1-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-03-17 12:10   ` [PATCH 10/23] net, rds: convert rds_message.m_refcount " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 13/23] net, xfrm: convert xfrm_state.refcnt " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 14/23] net, xfrm: convert xfrm_policy.refcnt " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 18/23] net, sctp: convert sctp_chunk.refcnt " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 19/23] net, sctp: convert sctp_transport.refcnt " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 21/23] net, ax25: convert ax25_uid_assoc.refcount " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10   ` [PATCH 22/23] net, ax25: convert ax25_route.refcount " Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10     ` Elena Reshetova
2017-03-17 12:10 ` [PATCH 23/23] net, ax25: convert ax25_cb.refcount " Elena Reshetova
2017-03-17 12:10   ` Elena Reshetova

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.