Underflow of f_count needs to be more carefully detected than it currently is. The results of get_file() should be checked, but the first step is detection. Redefine f_count from atomic_long_t to refcount_long_t.
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
---
Cc: Christian Brauner <brauner@xxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Jan Kara <jack@xxxxxxx>
Cc: linux-fsdevel@xxxxxxxxxxxxxxx
---
 fs/file.c | 4 ++--
 fs/file_table.c | 6 +++---
 include/linux/fs.h | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/fs/file.c b/fs/file.c
index 3b683b9101d8..570424dd634b 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -865,7 +865,7 @@ static struct file *__get_file_rcu(struct file __rcu **f)
 if (!file)
 return NULL;
- if (unlikely(!atomic_long_inc_not_zero(&file->f_count)))
+ if (unlikely(!refcount_long_inc_not_zero(&file->f_count)))
 return ERR_PTR(-EAGAIN);
 file_reloaded = rcu_dereference_raw(*f);
@@ -987,7 +987,7 @@ static inline struct file *__fget_files_rcu(struct files_struct *files,
 * barrier. We only really need an 'acquire' one to
 * protect the loads below, but we don't have that.
 */
- if (unlikely(!atomic_long_inc_not_zero(&file->f_count)))
+ if (unlikely(!refcount_long_inc_not_zero(&file->f_count)))
 continue;
 /*
diff --git a/fs/file_table.c b/fs/file_table.c
index 4f03beed4737..f29e7b94bca1 100644
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -167,7 +167,7 @@ static int init_file(struct file *f, int flags, const struct cred *cred)
 * fget-rcu pattern users need to be able to handle spurious
 * refcount bumps we should reinitialize the reused file first.
 */
- atomic_long_set(&f->f_count, 1);
+ refcount_long_set(&f->f_count, 1);
 return 0;
 }
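Review bot: Swapping atomic_long_inc_not_zero() for refcount_long_inc_not_zero() in __get_file_rcu here, and again in __fget_files_rcu in the -987 hunk, drops the ordering the lockless fget path was written against: the context comment kept in that hunk (`barrier. We only really need an 'acquire' one to protect the loads below`) says the code leans on the increment being a full barrier, while refcount_inc_not_zero() is documented in Documentation/core-api/refcount-vs-atomic.rst as giving only a control dependency on success, and I am assuming refcount_long_inc_not_zero() mirrors it since its definition is not part of this patch. A control dependency does not order later loads, so the `file_reloaded = rcu_dereference_raw(*f);` reload after the increment here, and the loads that comment protects in __fget_files_rcu, may be satisfied before the count is seen as taken. The smallest repair is `smp_acquire__after_ctrl_dep();` on the success path directly after each of the two replaced lines, with that comment reworded to `* refcount_long_inc_not_zero() only gives a control dependency; the * smp_acquire__after_ctrl_dep() below orders the loads after it.` Both enclosing functions start and end outside their hunks.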
@@ -470,7 +470,7 @@ static DECLARE_DELAYED_WORK(delayed_fput_work, delayed_fput);
 void fput(struct file *file)
 {
- if (atomic_long_dec_and_test(&file->f_count)) {
+ if (refcount_long_dec_and_test(&file->f_count)) {
 struct task_struct *task = current;
 if (unlikely(!(file->f_mode & (FMODE_BACKING | FMODE_OPENED)))) {
@@ -503,7 +503,7 @@ void fput(struct file *file)
 */
 void __fput_sync(struct file *file)
 {
- if (atomic_long_dec_and_test(&file->f_count))
+ if (refcount_long_dec_and_test(&file->f_count))
 __fput(file);
 }
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 210bbbfe9b83..b8f6cce7c39d 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1001,7 +1001,7 @@ struct file {
 */
 spinlock_t f_lock;
 fmode_t f_mode;
- atomic_long_t f_count;
+ refcount_long_t f_count;
 struct mutex f_pos_lock;
 loff_t f_pos;
 unsigned int f_flags;
@@ -1038,7 +1038,7 @@ struct file_handle {
 static inline struct file *get_file(struct file *f)
 {
- if (unlikely(!atomic_long_inc_not_zero(&f->f_count)))
+ if (unlikely(!refcount_long_inc_not_zero(&f->f_count)))
 return NULL;
 return f;
 }
@@ -1046,7 +1046,7 @@ static inline struct file *get_file(struct file *f)
 struct file *get_file_rcu(struct file __rcu **f);
 struct file *get_file_active(struct file **f);
-#define file_count(x) atomic_long_read(&(x)->f_count)
+#define file_count(x) refcount_long_read(&(x)->f_count)
 #define MAX_NON_LFS ((1UL<<31) - 1)
-- 
2.34.1
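Review bot: The `refcount_long_t f_count;` member in the include/linux/fs.h -1001 hunk, together with every refcount_long_* call in this patch, needs a type and helper family that is not in include/linux/refcount.h as far as I know, so this patch only builds on top of whichever earlier patch in the series introduces them, and the commit message does not say so. Add a sentence such as `This depends on the preceding patch introducing refcount_long_t.` to the description, or name that patch, so a bisect or backport does not pick this one up on its own. If refcount_long_t keeps refcount_t's semantics, the conversion also changes failure behaviour in fput() and __fput_sync(): a decrement that would pass zero warns and returns false, leaving the file allocated rather than freeing it, which is the detection the description asks for but is worth stating explicitly since it turns a use-after-free into a leak plus a splat.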
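Review bot: `#define file_count(x) refcount_long_read(&(x)->f_count)` in the -1046 hunk likely changes the macro's result type: atomic_long_read() returns long, and if refcount_long_read() returns unsigned long the way refcount_read() returns unsigned int, callers that print file_count() with `%ld` or compare it against a signed value will warn under -Wformat or silently change sign behaviour. A tree-wide look at file_count() users before merging would settle it, or the macro can keep its old type with `#define file_count(x) ((long)refcount_long_read(&(x)->f_count))` if the signed result is what callers expect.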