Hi,

Failures with f_count reference counting are better contained by an
actual reference counting type, like refcount_t. The first step is for
get_file() to use inc_not_zero to avoid resurrection. I also found a
couple open-coded modifications of f_count that should be using
get_file().

Since long ago, f_count was switched to atomic_long_t, so to get proper
reference count checking, I've added a refcount_long_t API, and then
converted f_count to refcount_long_t.

Now if there are underflows (or somehow an overflow), we'll see them
reported.

-Kees

Kees Cook (5):
  fs: Do not allow get_file() to resurrect 0 f_count
  drm/vmwgfx: Do not directly manipulate file->f_count
  drm/i915: Do not directly manipulate file->f_count
  refcount: Introduce refcount_long_t and APIs
  fs: Convert struct file::f_count to refcount_long_t

 MAINTAINERS                           |   2 +-
 Makefile                              |  11 +-
 drivers/gpu/drm/i915/gt/shmem_utils.c |   5 +-
 drivers/gpu/drm/vmwgfx/ttm_object.c   |   2 +-
 fs/file.c                             |   4 +-
 fs/file_table.c                       |   6 +-
 include/linux/fs.h                    |   7 +-
 include/linux/refcount-impl.h         | 344 ++++++++++++++++++++++++++
 include/linux/refcount.h              | 341 +------------------------
 include/linux/refcount_types.h        |  12 +
 lib/refcount.c                        |  17 +-
 11 files changed, 398 insertions(+), 353 deletions(-)
 create mode 100644 include/linux/refcount-impl.h

--
2.34.1
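
As an added illustration (not code from this series or from the kernel), a user-space C11 model of the resurrection problem the cover letter mentions: an unconditional increment versus an increment-unless-zero on a long counter. The `model_*` names are hypothetical, and refusing on overflow and underflow is this model's own simplification.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space stand-in for a long reference counter. */
struct model_ref { atomic_long count; };

/* Unconditional increment: a count already at 0 (object being freed)
 * goes back to 1, i.e. the object is "resurrected". */
static long model_get_unchecked(struct model_ref *r)
{
    return atomic_fetch_add(&r->count, 1) + 1;
}

/* Increment-unless-zero: refuses a reference once the count is 0,
 * and refuses to wrap at LONG_MAX. */
static bool model_get_not_zero(struct model_ref *r)
{
    long old = atomic_load(&r->count);

    do {
        if (old <= 0 || old == LONG_MAX)
            return false;
    } while (!atomic_compare_exchange_weak(&r->count, &old, old + 1));
    return true;
}

/* Drop a reference; true means the caller dropped the last one.
 * An underflow attempt is refused instead of performed. */
static bool model_put(struct model_ref *r)
{
    long old = atomic_load(&r->count);

    do {
        if (old <= 0)
            return false;
    } while (!atomic_compare_exchange_weak(&r->count, &old, old - 1));
    return old == 1;
}

int main(void)
{
    struct model_ref f;
    atomic_init(&f.count, 1);
    model_put(&f);                      /* last reference dropped */
    printf("not_zero: %d\n", model_get_not_zero(&f));
    printf("unchecked: %ld\n", model_get_unchecked(&f));
    return 0;
}
```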