* [PATCH 00/15] networking drivers refcount_t conversions
@ 2017-10-20  7:23 Elena Reshetova
  2017-10-20  7:23 ` [PATCH 01/15] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
                   ` (15 more replies)
  0 siblings, 16 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
Note: these are the last patches related to networking that perform
conversion of refcounters from atomic_t to refcount_t.
In contrast to the core network refcounter conversions that
were merged earlier, these are much more straightforward ones.
This series, for various networking drivers, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can lead to use-after-free vulnerabilities.
The patches are fully independent and can be cherry-picked separately.
Patches are based on top of net-next.
If there are no objections to the patches, please merge them via respective trees.
Elena Reshetova (15):
  drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to
    refcount_t
  drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_cq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_qp.refcount from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_srq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx5: convert fs_node.refcount from atomic_t to
    refcount_t
  drivers, net, hamradio: convert sixpack.refcnt from atomic_t to
    refcount_t
  drivers, net: convert masces_rx_sa.refcnt from atomic_t to refcount_t
  drivers, net: convert masces_rx_sc.refcnt from atomic_t to refcount_t
  drivers, net: convert masces_tx_sa.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert asyncppp.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert ppp_file.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert syncppp.refcnt from atomic_t to refcount_t
  drivers, connector: convert cn_callback_entry.refcnt from atomic_t to
    refcount_t
 drivers/connector/cn_queue.c                      |  4 ++--
 drivers/connector/connector.c                     |  2 +-
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c     | 13 +++++------
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h     |  4 +++-
 drivers/net/ethernet/mediatek/mtk_eth_soc.c       |  8 ++++---
 drivers/net/ethernet/mediatek/mtk_eth_soc.h       |  4 +++-
 drivers/net/ethernet/mellanox/mlx4/cq.c           |  8 +++----
 drivers/net/ethernet/mellanox/mlx4/qp.c           |  8 +++----
 drivers/net/ethernet/mellanox/mlx4/srq.c          |  8 +++----
 drivers/net/ethernet/mellanox/mlx5/core/cq.c      | 16 ++++++-------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 28 +++++++++++------------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h |  3 ++-
 drivers/net/hamradio/6pack.c                      | 12 +++++-----
 drivers/net/macsec.c                              | 25 ++++++++++----------
 drivers/net/ppp/ppp_async.c                       | 10 ++++----
 drivers/net/ppp/ppp_generic.c                     | 21 +++++++++--------
 drivers/net/ppp/ppp_synctty.c                     | 11 +++++----
 include/linux/connector.h                         |  4 ++--
 include/linux/mlx4/device.h                       |  8 +++----
 include/linux/mlx5/cq.h                           |  4 ++--
 20 files changed, 105 insertions(+), 96 deletions(-)
-- 
2.7.4
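The overflow and underflow cases the cover letter refers to, as an added example that is not part of the patch series or of the kernel sources. It is a simplified, single-threaded userspace model: struct obj and the plain_*/checked_* helpers are hypothetical names, and the checked variant saturates and refuses an increment from zero, which is the behaviour the refcount_t API is meant to provide.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SATURATED UINT32_MAX	/* the model's "stuck" value */

struct obj {
	uint32_t count;		/* reference counter */
	bool freed;		/* set when the release path has run */
	unsigned int warnings;	/* stands in for a kernel WARN */
};

/* Unchecked counter: wraps silently in both directions. */
static void plain_get(struct obj *o) { o->count++; }
static void plain_put(struct obj *o)
{
	if (--o->count == 0)
		o->freed = true;
}

/* Checked counter: no increment from zero, saturate instead of wrapping. */
static void checked_get(struct obj *o)
{
	if (o->count == 0) {		/* object already released */
		o->warnings++;
		return;
	}
	if (o->count == SATURATED)	/* stays stuck: leak, never free */
		return;
	if (++o->count == SATURATED)
		o->warnings++;
}

static void checked_put(struct obj *o)
{
	if (o->count == SATURATED)	/* a saturated counter never drops */
		return;
	if (o->count == 0) {		/* underflow attempt */
		o->warnings++;
		return;
	}
	if (--o->count == 0)
		o->freed = true;
}

static void get(struct obj *o, bool checked)
{
	if (checked)
		checked_get(o);
	else
		plain_get(o);
}

static void put(struct obj *o, bool checked)
{
	if (checked)
		checked_put(o);
	else
		plain_put(o);
}

/* Leaked gets push the counter past its maximum; one put then "frees"
 * an object that still has holders. Start value is constructed. */
bool overflow_frees_live_object(bool checked)
{
	struct obj o = { .count = UINT32_MAX - 1 };

	for (int i = 0; i < 3; i++)
		get(&o, checked);
	put(&o, checked);
	return o.freed;
}

/* A get through a stale pointer after the last put: does the counter
 * come back to life? */
bool stale_get_revives(bool checked)
{
	struct obj o = { .count = 1 };

	put(&o, checked);	/* last reference dropped, object released */
	get(&o, checked);	/* late user increments from zero */
	return o.count != 0;
}

/* Two puts for one reference: where does the counter end up? */
uint32_t count_after_double_put(bool checked)
{
	struct obj o = { .count = 1 };

	put(&o, checked);
	put(&o, checked);
	return o.count;
}

int main(void)
{
	printf("overflow frees live object: plain=%d checked=%d\n",
	       overflow_frees_live_object(false), overflow_frees_live_object(true));
	printf("stale get revives object:   plain=%d checked=%d\n",
	       stale_get_revives(false), stale_get_revives(true));
	printf("count after double put:     plain=%u checked=%u\n",
	       (unsigned)count_after_double_put(false),
	       (unsigned)count_after_double_put(true));
	return 0;
}
```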
* [PATCH 01/15] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt " Elena Reshetova
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable clip_entry.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c | 13 ++++++-------
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h |  4 +++-
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
index 3103ef9..2900390 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
@@ -96,7 +96,8 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		if (!ret) {
 			ce = cte;
 			read_unlock_bh(&ctbl->lock);
-			goto found;
+			refcount_inc(&ce->refcnt);
+			return 0;
 		}
 	}
 	read_unlock_bh(&ctbl->lock);
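Review bot: refcount_inc(&ce->refcnt) runs after read_unlock_bh(&ctbl->lock), so nothing stops cxgb4_clip_release() from dropping the entry to zero and moving it to ce_free_head between the lookup and the increment. Take the reference before read_unlock_bh(), or use refcount_inc_not_zero() and fall through to the allocation path when it fails.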
@@ -108,7 +109,7 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		list_del(&ce->list);
 		INIT_LIST_HEAD(&ce->list);
 		spin_lock_init(&ce->lock);
-		atomic_set(&ce->refcnt, 0);
+		refcount_set(&ce->refcnt, 0);
 		atomic_dec(&ctbl->nfree);
 		list_add_tail(&ce->list, &ctbl->hash_list[hash]);
 		if (v6) {
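Review bot: refcount_set(&ce->refcnt, 0) leaves the counter at zero while list_add_tail() links the entry into ctbl->hash_list[hash] two lines later, which does not match the "counter is initialized to 1" property given in the commit message. Initialise it to 1 here, before the entry is linked, and drop the later refcount_set(&ce->refcnt, 1).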
@@ -138,9 +139,7 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		return -ENOMEM;
 	}
 	write_unlock_bh(&ctbl->lock);
-found:
-	atomic_inc(&ce->refcnt);
-
+	refcount_set(&ce->refcnt, 1);
 	return 0;
 }
 EXPORT_SYMBOL(cxgb4_clip_get);
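Review bot: refcount_set(&ce->refcnt, 1) after write_unlock_bh(&ctbl->lock) is a plain store, not an increment like the atomic_inc() it replaces. The entry is already on the hash list at this point, so a concurrent cxgb4_clip_get() that finds it can call refcount_inc() on a zero count and then have its reference overwritten by this store. Set the count to 1 while the write lock is still held.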
@@ -179,7 +178,7 @@ void cxgb4_clip_release(const struct net_device *dev, const u32 *lip, u8 v6)
 found:
 	write_lock_bh(&ctbl->lock);
 	spin_lock_bh(&ce->lock);
-	if (atomic_dec_and_test(&ce->refcnt)) {
+	if (refcount_dec_and_test(&ce->refcnt)) {
 		list_del(&ce->list);
 		INIT_LIST_HEAD(&ce->list);
 		list_add_tail(&ce->list, &ctbl->ce_free_head);
@@ -266,7 +265,7 @@ int clip_tbl_show(struct seq_file *seq, void *v)
 			ip[0] = '\0';
 			sprintf(ip, "%pISc", &ce->addr);
 			seq_printf(seq, "%-25s   %u\n", ip,
-				   atomic_read(&ce->refcnt));
+				   refcount_read(&ce->refcnt));
 		}
 	}
 	seq_printf(seq, "Free clip entries : %d\n", atomic_read(&ctbl->nfree));
diff --git a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
index 35eb43c..a0e0ae1 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
@@ -10,9 +10,11 @@
  *  release for licensing terms and conditions.
  */
 
+#include <linux/refcount.h>
+
 struct clip_entry {
 	spinlock_t lock;	/* Hold while modifying clip reference */
-	atomic_t refcnt;
+	refcount_t refcnt;
 	struct list_head list;
 	union {
 		struct sockaddr_in addr;
-- 
2.7.4
* [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
  2017-10-20  7:23 ` [PATCH 01/15] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
       [not found]   ` <1508484229-19706-3-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
  2017-10-20  7:23 ` [PATCH 03/15] drivers, net, mlx4: convert mlx4_cq.refcount " Elena Reshetova
                   ` (13 subsequent siblings)
  15 siblings, 1 reply; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable mtk_eth.dma_refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
 drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 5e81a72..54adfd9 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -1817,7 +1817,7 @@ static int mtk_open(struct net_device *dev)
 	struct mtk_eth *eth = mac->hw;
 
 	/* we run 2 netdevs on the same dma ring so we only bring it up once */
-	if (!atomic_read(ð->dma_refcnt)) {
+	if (!refcount_read(ð->dma_refcnt)) {
 		int err = mtk_start_dma(eth);
 
 		if (err)
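Review bot: the refcount_read() test on dma_refcnt at the top of mtk_open() treats zero as the normal "DMA is down" state, and the counter is later brought back up from zero, which is outside the pattern the commit message describes (initialized to 1, no increments once it reaches zero). The read followed by a later set is also not atomic, so the commit message should say what serializes mtk_open() against mtk_stop() and note that this counter tracks users of the shared DMA ring rather than an object's lifetime.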
@@ -1827,8 +1827,10 @@ static int mtk_open(struct net_device *dev)
 		napi_enable(ð->rx_napi);
 		mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
 		mtk_rx_irq_enable(eth, MTK_RX_DONE_INT);
+		refcount_set(ð->dma_refcnt, 1);
 	}
-	atomic_inc(ð->dma_refcnt);
+	else
+		refcount_inc(ð->dma_refcnt);
 
 	phy_start(dev->phydev);
 	netif_start_queue(dev);
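Review bot: style point on the new else branch: kernel coding style puts else on the same line as the closing brace and uses braces on both branches when one of them has braces, so this should read "} else {" with the refcount_inc() call inside its own braces.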
@@ -1868,7 +1870,7 @@ static int mtk_stop(struct net_device *dev)
 	phy_stop(dev->phydev);
 
 	/* only shutdown DMA if this is the last user */
-	if (!atomic_dec_and_test(ð->dma_refcnt))
+	if (!refcount_dec_and_test(ð->dma_refcnt))
 		return 0;
 
 	mtk_tx_irq_disable(eth, MTK_TX_DONE_INT);
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
index 3d3c24a..a3af466 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
@@ -15,6 +15,8 @@
 #ifndef MTK_ETH_H
 #define MTK_ETH_H
 
+#include <linux/refcount.h>
+
 #define MTK_QDMA_PAGE_SIZE	2048
 #define	MTK_MAX_RX_LENGTH	1536
 #define MTK_TX_DMA_BUF_LEN	0x3fff
@@ -632,7 +634,7 @@ struct mtk_eth {
 	struct regmap			*pctl;
 	u32				chip_id;
 	bool				hwlro;
-	atomic_t			dma_refcnt;
+	refcount_t			dma_refcnt;
 	struct mtk_tx_ring		tx_ring;
 	struct mtk_rx_ring		rx_ring[MTK_MAX_RX_RING_NUM];
 	struct mtk_rx_ring		rx_ring_qdma;
-- 
2.7.4
* [PATCH 03/15] drivers, net, mlx4: convert mlx4_cq.refcount from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
  2017-10-20  7:23 ` [PATCH 01/15] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
  2017-10-20  7:23 ` [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
       [not found] ` <1508484229-19706-1-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable mlx4_cq.refcount is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 8 ++++----
 include/linux/mlx4/device.h             | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index 72eb50c..d8e9a32 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -69,7 +69,7 @@ void mlx4_cq_tasklet_cb(unsigned long data)
 	list_for_each_entry_safe(mcq, temp, &ctx->process_list, tasklet_ctx.list) {
 		list_del_init(&mcq->tasklet_ctx.list);
 		mcq->tasklet_ctx.comp(mcq);
-		if (atomic_dec_and_test(&mcq->refcount))
+		if (refcount_dec_and_test(&mcq->refcount))
 			complete(&mcq->free);
 		if (time_after(jiffies, end))
 			break;
@@ -92,7 +92,7 @@ static void mlx4_add_cq_to_tasklet(struct mlx4_cq *cq)
 	 * still arrive.
 	 */
 	if (list_empty_careful(&cq->tasklet_ctx.list)) {
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 		kick = list_empty(&tasklet_ctx->list);
 		list_add_tail(&cq->tasklet_ctx.list, &tasklet_ctx->list);
 		if (kick)
@@ -344,7 +344,7 @@ int mlx4_cq_alloc(struct mlx4_dev *dev, int nent,
 	cq->cons_index = 0;
 	cq->arm_sn     = 1;
 	cq->uar        = uar;
-	atomic_set(&cq->refcount, 1);
+	refcount_set(&cq->refcount, 1);
 	init_completion(&cq->free);
 	cq->comp = mlx4_add_cq_to_tasklet;
 	cq->tasklet_ctx.priv =
@@ -386,7 +386,7 @@ void mlx4_cq_free(struct mlx4_dev *dev, struct mlx4_cq *cq)
 	    priv->eq_table.eq[MLX4_EQ_ASYNC].irq)
 		synchronize_irq(priv->eq_table.eq[MLX4_EQ_ASYNC].irq);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 	wait_for_completion(&cq->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index b0a57e0..daac2e3 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -40,7 +40,7 @@
 #include <linux/cpu_rmap.h>
 #include <linux/crash_dump.h>
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include <linux/timecounter.h>
 
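Review bot: replacing #include <linux/atomic.h> with <linux/refcount.h> drops the direct include while this header still declares atomic_t members at this point in the series (mlx4_qp.refcount and mlx4_srq.refcount are only converted by 04/15 and 05/15). Keep linux/atomic.h and add linux/refcount.h next to it, so the header does not depend on refcount.h pulling atomic.h in.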
@@ -751,7 +751,7 @@ struct mlx4_cq {
 	int			cqn;
 	unsigned		vector;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 	struct {
 		struct list_head list;
-- 
2.7.4
* [PATCH 04/15] drivers, net, mlx4: convert mlx4_qp.refcount from atomic_t to refcount_t
       [not found] ` <1508484229-19706-1-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
@ 2017-10-20  7:23   ` Elena Reshetova
  0 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem-fT/PcQaiUtIeIZ0/mPfg9Q
  Cc: peterz-wEGCiKHe2LqWVfeAwA7xHQ, matanb-VPRAkNaXOzVWk0Htik3J/w,
	paulus-eUNUBHrolfbYtjvyW6yDsg, zbr-i6C2adt8DTjR7s880joybQ,
	Elena Reshetova, nbd-p3rKhJxN3npAfugRpC6u6w,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA, saeedm-VPRAkNaXOzVWk0Htik3J/w,
	ganeshgr-ut6Up61K2wZBDgjK7y7TUQ,
	ajk-iz34hMvxm2Hmj42eshorlhS11BummzK+,
	keescook-F7+t8E8rja9g9hUCZPvPmw, sean.wang-NuS5LvNUpcJWk0Htik3J/w,
	leonro-VPRAkNaXOzVWk0Htik3J/w,
	linux-mediatek-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	john-Pj+rj9U5foFAfugRpC6u6w, matthias.bgg-Re5JQEeQqe8AvxtiuMwx3w,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA, yishaih-VPRAkNaXOzVWk0Htik3J/w,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-ppp-u79uwXL29TY76Z2rM5mHXA, tariqt-VPRAkNaXOzVWk0Htik3J/w
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable mlx4_qp.refcount is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
Reviewed-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Reviewed-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
---
 drivers/net/ethernet/mellanox/mlx4/qp.c | 8 ++++----
 include/linux/mlx4/device.h             | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
index 2033209..769598f 100644
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -55,7 +55,7 @@ void mlx4_qp_event(struct mlx4_dev *dev, u32 qpn, int event_type)
 
 	qp = __mlx4_qp_lookup(dev, qpn);
 	if (qp)
-		atomic_inc(&qp->refcount);
+		refcount_inc(&qp->refcount);
 
 	spin_unlock(&qp_table->lock);
 
@@ -66,7 +66,7 @@ void mlx4_qp_event(struct mlx4_dev *dev, u32 qpn, int event_type)
 
 	qp->event(qp, event_type);
 
-	if (atomic_dec_and_test(&qp->refcount))
+	if (refcount_dec_and_test(&qp->refcount))
 		complete(&qp->free);
 }
 
@@ -420,7 +420,7 @@ int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp)
 	if (err)
 		goto err_icm;
 
-	atomic_set(&qp->refcount, 1);
+	refcount_set(&qp->refcount, 1);
 	init_completion(&qp->free);
 
 	return 0;
@@ -520,7 +520,7 @@ EXPORT_SYMBOL_GPL(mlx4_qp_remove);
 
 void mlx4_qp_free(struct mlx4_dev *dev, struct mlx4_qp *qp)
 {
-	if (atomic_dec_and_test(&qp->refcount))
+	if (refcount_dec_and_test(&qp->refcount))
 		complete(&qp->free);
 	wait_for_completion(&qp->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index daac2e3..b8e19c4 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -768,7 +768,7 @@ struct mlx4_qp {
 
 	int			qpn;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 	u8			usage;
 };
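Review bot: this device.h hunk uses refcount_t without adding #include <linux/refcount.h>; the include only arrives with 03/15 (the daac2e3 index this hunk is based on is that patch's result). The cover letter says the patches can be cherry-picked separately, so either add the include here or state the dependency on 03/15 in the commit message.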
-- 
2.7.4
* [PATCH 05/15] drivers, net, mlx4: convert mlx4_srq.refcount from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (3 preceding siblings ...)
       [not found] ` <1508484229-19706-1-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 06/15] drivers, net, mlx5: convert mlx5_cq.refcount " Elena Reshetova
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable mlx4_srq.refcount is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/mellanox/mlx4/srq.c | 8 ++++----
 include/linux/mlx4/device.h              | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/srq.c b/drivers/net/ethernet/mellanox/mlx4/srq.c
index bedf521..cbe4d97 100644
--- a/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -49,7 +49,7 @@ void mlx4_srq_event(struct mlx4_dev *dev, u32 srqn, int event_type)
 	srq = radix_tree_lookup(&srq_table->tree, srqn & (dev->caps.num_srqs - 1));
 	rcu_read_unlock();
 	if (srq)
-		atomic_inc(&srq->refcount);
+		refcount_inc(&srq->refcount);
 	else {
 		mlx4_warn(dev, "Async event for bogus SRQ %08x\n", srqn);
 		return;
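Review bot: in mlx4_srq_event(), refcount_inc(&srq->refcount) is called after rcu_read_unlock(), so nothing pins the pointer returned by radix_tree_lookup() when the count is raised. If mlx4_srq_free() has already dropped the last reference, this becomes an increment from zero, which the checked refcount_t implementation reports as a use-after-free. Consider refcount_inc_not_zero() inside the RCU read section and treating a failure like the "bogus SRQ" case.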
@@ -57,7 +57,7 @@ void mlx4_srq_event(struct mlx4_dev *dev, u32 srqn, int event_type)
 
 	srq->event(srq, event_type);
 
-	if (atomic_dec_and_test(&srq->refcount))
+	if (refcount_dec_and_test(&srq->refcount))
 		complete(&srq->free);
 }
 
@@ -203,7 +203,7 @@ int mlx4_srq_alloc(struct mlx4_dev *dev, u32 pdn, u32 cqn, u16 xrcd,
 	if (err)
 		goto err_radix;
 
-	atomic_set(&srq->refcount, 1);
+	refcount_set(&srq->refcount, 1);
 	init_completion(&srq->free);
 
 	return 0;
@@ -232,7 +232,7 @@ void mlx4_srq_free(struct mlx4_dev *dev, struct mlx4_srq *srq)
 	radix_tree_delete(&srq_table->tree, srq->srqn);
 	spin_unlock_irq(&srq_table->lock);
 
-	if (atomic_dec_and_test(&srq->refcount))
+	if (refcount_dec_and_test(&srq->refcount))
 		complete(&srq->free);
 	wait_for_completion(&srq->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index b8e19c4..a9b5fed 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -781,7 +781,7 @@ struct mlx4_srq {
 	int			max_gs;
 	int			wqe_shift;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 };
 
-- 
2.7.4
* [PATCH 06/15] drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (4 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 05/15] drivers, net, mlx4: convert mlx4_srq.refcount " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 07/15] drivers, net, mlx5: convert fs_node.refcount " Elena Reshetova
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable mlx5_cq.refcount is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/cq.c | 16 ++++++++--------
 include/linux/mlx5/cq.h                      |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cq.c b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
index 336d473..1016e05 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
@@ -58,7 +58,7 @@ void mlx5_cq_tasklet_cb(unsigned long data)
 				 tasklet_ctx.list) {
 		list_del_init(&mcq->tasklet_ctx.list);
 		mcq->tasklet_ctx.comp(mcq);
-		if (atomic_dec_and_test(&mcq->refcount))
+		if (refcount_dec_and_test(&mcq->refcount))
 			complete(&mcq->free);
 		if (time_after(jiffies, end))
 			break;
@@ -80,7 +80,7 @@ static void mlx5_add_cq_to_tasklet(struct mlx5_core_cq *cq)
 	 * still arrive.
 	 */
 	if (list_empty_careful(&cq->tasklet_ctx.list)) {
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 		list_add_tail(&cq->tasklet_ctx.list, &tasklet_ctx->list);
 	}
 	spin_unlock_irqrestore(&tasklet_ctx->lock, flags);
@@ -94,7 +94,7 @@ void mlx5_cq_completion(struct mlx5_core_dev *dev, u32 cqn)
 	spin_lock(&table->lock);
 	cq = radix_tree_lookup(&table->tree, cqn);
 	if (likely(cq))
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 	spin_unlock(&table->lock);
 
 	if (!cq) {
@@ -106,7 +106,7 @@ void mlx5_cq_completion(struct mlx5_core_dev *dev, u32 cqn)
 
 	cq->comp(cq);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 }
 
@@ -119,7 +119,7 @@ void mlx5_cq_event(struct mlx5_core_dev *dev, u32 cqn, int event_type)
 
 	cq = radix_tree_lookup(&table->tree, cqn);
 	if (cq)
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 
 	spin_unlock(&table->lock);
 
@@ -130,7 +130,7 @@ void mlx5_cq_event(struct mlx5_core_dev *dev, u32 cqn, int event_type)
 
 	cq->event(cq, event_type);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 }
 
@@ -159,7 +159,7 @@ int mlx5_core_create_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq,
 	cq->cqn = MLX5_GET(create_cq_out, out, cqn);
 	cq->cons_index = 0;
 	cq->arm_sn     = 0;
-	atomic_set(&cq->refcount, 1);
+	refcount_set(&cq->refcount, 1);
 	init_completion(&cq->free);
 	if (!cq->comp)
 		cq->comp = mlx5_add_cq_to_tasklet;
@@ -222,7 +222,7 @@ int mlx5_core_destroy_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq)
 	synchronize_irq(cq->irqn);
 
 	mlx5_debug_cq_remove(dev, cq);
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 	wait_for_completion(&cq->free);
 
diff --git a/include/linux/mlx5/cq.h b/include/linux/mlx5/cq.h
index 9589884..6a57ec2 100644
--- a/include/linux/mlx5/cq.h
+++ b/include/linux/mlx5/cq.h
@@ -35,7 +35,7 @@
 
 #include <rdma/ib_verbs.h>
 #include <linux/mlx5/driver.h>
-
+#include <linux/refcount.h>
 
 struct mlx5_core_cq {
 	u32			cqn;
@@ -43,7 +43,7 @@ struct mlx5_core_cq {
 	__be32		       *set_ci_db;
 	__be32		       *arm_db;
 	struct mlx5_uars_page  *uar;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 	unsigned		vector;
 	unsigned int		irqn;
-- 
2.7.4
* [PATCH 07/15] drivers, net, mlx5: convert fs_node.refcount from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (5 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 06/15] drivers, net, mlx5: convert mlx5_cq.refcount " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 08/15] drivers, net, hamradio: convert sixpack.refcnt " Elena Reshetova
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to a use-after-free situation and be exploitable.
The variable fs_node.refcount is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 28 +++++++++++------------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h |  3 ++-
 2 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index f77e496..c7fa1389 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -188,7 +188,7 @@ static void tree_init_node(struct fs_node *node,
 			   void (*del_hw_func)(struct fs_node *),
 			   void (*del_sw_func)(struct fs_node *))
 {
-	atomic_set(&node->refcount, 1);
+	refcount_set(&node->refcount, 1);
 	INIT_LIST_HEAD(&node->list);
 	INIT_LIST_HEAD(&node->children);
 	init_rwsem(&node->lock);
@@ -200,7 +200,7 @@ static void tree_init_node(struct fs_node *node,
 static void tree_add_node(struct fs_node *node, struct fs_node *parent)
 {
 	if (parent)
-		atomic_inc(&parent->refcount);
+		refcount_inc(&parent->refcount);
 	node->parent = parent;
 
 	/* Parent is the root */
@@ -212,7 +212,7 @@ static void tree_add_node(struct fs_node *node, struct fs_node *parent)
 
 static int tree_get_node(struct fs_node *node)
 {
-	return atomic_add_unless(&node->refcount, 1, 0);
+	return refcount_inc_not_zero(&node->refcount);
 }
 
 static void nested_down_read_ref_node(struct fs_node *node,
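Review bot: tree_get_node() still returns int although refcount_inc_not_zero() returns bool; the value is only ever zero or non-zero, so changing the return type to bool would make the contract explicit. The replacement itself is equivalent, since atomic_add_unless(&node->refcount, 1, 0) is an open-coded inc-not-zero.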
@@ -220,7 +220,7 @@ static void nested_down_read_ref_node(struct fs_node *node,
 {
 	if (node) {
 		down_read_nested(&node->lock, class);
-		atomic_inc(&node->refcount);
+		refcount_inc(&node->refcount);
 	}
 }
 
@@ -229,7 +229,7 @@ static void nested_down_write_ref_node(struct fs_node *node,
 {
 	if (node) {
 		down_write_nested(&node->lock, class);
-		atomic_inc(&node->refcount);
+		refcount_inc(&node->refcount);
 	}
 }
 
@@ -237,19 +237,19 @@ static void down_write_ref_node(struct fs_node *node)
 {
 	if (node) {
 		down_write(&node->lock);
-		atomic_inc(&node->refcount);
+		refcount_inc(&node->refcount);
 	}
 }
 
 static void up_read_ref_node(struct fs_node *node)
 {
-	atomic_dec(&node->refcount);
+	refcount_dec(&node->refcount);
 	up_read(&node->lock);
 }
 
 static void up_write_ref_node(struct fs_node *node)
 {
-	atomic_dec(&node->refcount);
+	refcount_dec(&node->refcount);
 	up_write(&node->lock);
 }
 
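Review bot: in up_read_ref_node() and up_write_ref_node(), refcount_dec() is not a drop-in for atomic_dec(): it warns if the decrement takes the counter to zero, because nothing would then release the object. That is only safe if every caller still holds another reference besides the one taken in the matching down_*_ref_node() helper; a one-line comment above these helpers stating that invariant would document what the new API now enforces.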
@@ -257,7 +257,7 @@ static void tree_put_node(struct fs_node *node)
 {
 	struct fs_node *parent_node = node->parent;
 
-	if (atomic_dec_and_test(&node->refcount)) {
+	if (refcount_dec_and_test(&node->refcount)) {
 		if (node->del_hw_func)
 			node->del_hw_func(node);
 		if (parent_node) {
@@ -280,8 +280,8 @@ static void tree_put_node(struct fs_node *node)
 
 static int tree_remove_node(struct fs_node *node)
 {
-	if (atomic_read(&node->refcount) > 1) {
-		atomic_dec(&node->refcount);
+	if (refcount_read(&node->refcount) > 1) {
+		refcount_dec(&node->refcount);
 		return -EEXIST;
 	}
 	tree_put_node(node);
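Review bot: in tree_remove_node(), refcount_read(&node->refcount) > 1 followed by refcount_dec() is a check-then-act pair, so two concurrent callers that both read 2 can both pass the check and the second refcount_dec() takes the counter to zero without tree_put_node() ever running. Unless a lock not visible in this hunk serializes callers, consider if (refcount_dec_not_one(&node->refcount)) return -EEXIST; which performs the test and the decrement atomically.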
@@ -1184,7 +1184,7 @@ static void destroy_flow_handle(struct fs_fte *fte,
 				int i)
 {
 	for (; --i >= 0;) {
-		if (atomic_dec_and_test(&handle->rule[i]->node.refcount)) {
+		if (refcount_dec_and_test(&handle->rule[i]->node.refcount)) {
 			fte->dests_size--;
 			list_del(&handle->rule[i]->node.list);
 			kfree(handle->rule[i]);
@@ -1215,7 +1215,7 @@ create_flow_handle(struct fs_fte *fte,
 		if (dest) {
 			rule = find_flow_rule(fte, dest + i);
 			if (rule) {
-				atomic_inc(&rule->node.refcount);
+				refcount_inc(&rule->node.refcount);
 				goto rule_found;
 			}
 		}
@@ -1466,7 +1466,7 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg,
 	trace_mlx5_fs_set_fte(fte, false);
 
 	for (i = 0; i < handle->num_rules; i++) {
-		if (atomic_read(&handle->rule[i]->node.refcount) == 1) {
+		if (refcount_read(&handle->rule[i]->node.refcount) == 1) {
 			tree_add_node(&handle->rule[i]->node, &fte->node);
 			trace_mlx5_fs_add_rule(handle->rule[i]);
 		}
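Review bot: the refcount_read(...) == 1 test in add_rule_fg() uses the counter as a "this rule was just created" flag rather than for lifetime management, which does not match the changelog's description of a pure reference counter. refcount_read() is only a snapshot, so please add a comment naming the lock that keeps the value stable here, or track "newly created" explicitly instead of inferring it from the count.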
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
index 80f6f3c7..397d24a 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
@@ -33,6 +33,7 @@
 #ifndef _MLX5_FS_CORE_
 #define _MLX5_FS_CORE_
 
+#include <linux/refcount.h>
 #include <linux/mlx5/fs.h>
 #include <linux/rhashtable.h>
 
@@ -84,7 +85,7 @@ struct fs_node {
 	struct fs_node		*root;
 	/* lock the node for writing and traversing */
 	struct rw_semaphore	lock;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	bool			active;
 	void			(*del_hw_func)(struct fs_node *);
 	void			(*del_sw_func)(struct fs_node *);
-- 
2.7.4
* [PATCH 08/15] drivers, net, hamradio: convert sixpack.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (6 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 07/15] drivers, net, mlx5: convert fs_node.refcount " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 09/15] drivers, net: convert masces_rx_sa.refcnt " Elena Reshetova
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable sixpack.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/hamradio/6pack.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index bbc7b78..32f49c4 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -35,7 +35,7 @@
 #include <linux/tcp.h>
 #include <linux/semaphore.h>
 #include <linux/compat.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #define SIXPACK_VERSION    "Revision: 0.3.0"
 
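Review bot: this hunk drops #include <linux/atomic.h> instead of adding <linux/refcount.h> next to it. If 6pack.c has any atomic_* users outside the lines shown, the file now depends on refcount.h pulling atomic.h in indirectly; 13/15 keeps both includes in ppp_generic.c, and doing the same here would be consistent.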
@@ -120,7 +120,7 @@ struct sixpack {
 
 	struct timer_list	tx_t;
 	struct timer_list	resync_t;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	struct semaphore	dead_sem;
 	spinlock_t		lock;
 };
@@ -381,7 +381,7 @@ static struct sixpack *sp_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	sp = tty->disc_data;
 	if (sp)
-		atomic_inc(&sp->refcnt);
+		refcount_inc(&sp->refcnt);
 	read_unlock(&disc_data_lock);
 
 	return sp;
@@ -389,7 +389,7 @@ static struct sixpack *sp_get(struct tty_struct *tty)
 
 static void sp_put(struct sixpack *sp)
 {
-	if (atomic_dec_and_test(&sp->refcnt))
+	if (refcount_dec_and_test(&sp->refcnt))
 		up(&sp->dead_sem);
 }
 
@@ -576,7 +576,7 @@ static int sixpack_open(struct tty_struct *tty)
 	sp->dev = dev;
 
 	spin_lock_init(&sp->lock);
-	atomic_set(&sp->refcnt, 1);
+	refcount_set(&sp->refcnt, 1);
 	sema_init(&sp->dead_sem, 0);
 
 	/* !!! length of the buffers. MTU is IP MTU, not PACLEN!  */
@@ -670,7 +670,7 @@ static void sixpack_close(struct tty_struct *tty)
 	 * We have now ensured that nobody can start using ap from now on, but
 	 * we have to wait for all existing users to finish.
 	 */
-	if (!atomic_dec_and_test(&sp->refcnt))
+	if (!refcount_dec_and_test(&sp->refcnt))
 		down(&sp->dead_sem);
 
 	/* We must stop the queue to avoid potentially scribbling
-- 
2.7.4
* [PATCH 09/15] drivers, net: convert masces_rx_sa.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (7 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 08/15] drivers, net, hamradio: convert sixpack.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 10/15] drivers, net: convert masces_rx_sc.refcnt " Elena Reshetova
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable masces_rx_sa.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/macsec.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index ccbe4eaf..733e1c2 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -16,6 +16,7 @@
 #include <crypto/aead.h>
 #include <linux/etherdevice.h>
 #include <linux/rtnetlink.h>
+#include <linux/refcount.h>
 #include <net/genetlink.h>
 #include <net/sock.h>
 #include <net/gro_cells.h>
@@ -146,7 +147,7 @@ struct macsec_rx_sa {
 	struct macsec_key key;
 	spinlock_t lock;
 	u32 next_pn;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	bool active;
 	struct macsec_rx_sa_stats __percpu *stats;
 	struct macsec_rx_sc *sc;
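Review bot: the field converted here belongs to struct macsec_rx_sa, but the subject and changelog spell it masces_rx_sa.refcnt (10/15 and 11/15 carry the same masces_ spelling). Please fix the name so the commits can be found by grepping for the struct.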
@@ -314,7 +315,7 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
 	if (!sa || !sa->active)
 		return NULL;
 
-	if (!atomic_inc_not_zero(&sa->refcnt))
+	if (!refcount_inc_not_zero(&sa->refcnt))
 		return NULL;
 
 	return sa;
@@ -350,7 +351,7 @@ static void free_rxsa(struct rcu_head *head)
 
 static void macsec_rxsa_put(struct macsec_rx_sa *sa)
 {
-	if (atomic_dec_and_test(&sa->refcnt))
+	if (refcount_dec_and_test(&sa->refcnt))
 		call_rcu(&sa->rcu, free_rxsa);
 }
 
@@ -1339,7 +1340,7 @@ static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
 
 	rx_sa->active = false;
 	rx_sa->next_pn = 1;
-	atomic_set(&rx_sa->refcnt, 1);
+	refcount_set(&rx_sa->refcnt, 1);
 	spin_lock_init(&rx_sa->lock);
 
 	return 0;
-- 
2.7.4
* [PATCH 10/15] drivers, net: convert masces_rx_sc.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (8 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 09/15] drivers, net: convert masces_rx_sa.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 11/15] drivers, net: convert masces_tx_sa.refcnt " Elena Reshetova
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable masces_rx_sc.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/macsec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 733e1c2..e0aeb51 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -172,7 +172,7 @@ struct macsec_rx_sc {
 	bool active;
 	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
 	struct pcpu_rx_sc_stats __percpu *stats;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	struct rcu_head rcu_head;
 };
 
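Review bot: struct macsec_rx_sc gains a refcount_t field here, but this patch adds no #include <linux/refcount.h>; it builds only because 09/15 added the include to macsec.c, and the index line (733e1c2..e0aeb51) shows the patch is generated on top of 09/15. 11/15 (e0aeb51..8948b6a) is stacked the same way, so the three macsec patches have to be applied in order or folded into one.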
@@ -331,12 +331,12 @@ static void free_rx_sc_rcu(struct rcu_head *head)
 
 static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
 {
-	return atomic_inc_not_zero(&sc->refcnt) ? sc : NULL;
+	return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
 }
 
 static void macsec_rxsc_put(struct macsec_rx_sc *sc)
 {
-	if (atomic_dec_and_test(&sc->refcnt))
+	if (refcount_dec_and_test(&sc->refcnt))
 		call_rcu(&sc->rcu_head, free_rx_sc_rcu);
 }
 
@@ -1411,7 +1411,7 @@ static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
 
 	rx_sc->sci = sci;
 	rx_sc->active = true;
-	atomic_set(&rx_sc->refcnt, 1);
+	refcount_set(&rx_sc->refcnt, 1);
 
 	secy = &macsec_priv(dev)->secy;
 	rcu_assign_pointer(rx_sc->next, secy->rx_sc);
-- 
2.7.4
* [PATCH 11/15] drivers, net: convert masces_tx_sa.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (9 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 10/15] drivers, net: convert masces_rx_sc.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 12/15] drivers, net, ppp: convert asyncppp.refcnt " Elena Reshetova
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable masces_tx_sa.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/macsec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index e0aeb51..8948b6a 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -188,7 +188,7 @@ struct macsec_tx_sa {
 	struct macsec_key key;
 	spinlock_t lock;
 	u32 next_pn;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	bool active;
 	struct macsec_tx_sa_stats __percpu *stats;
 	struct rcu_head rcu;
@@ -362,7 +362,7 @@ static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
 	if (!sa || !sa->active)
 		return NULL;
 
-	if (!atomic_inc_not_zero(&sa->refcnt))
+	if (!refcount_inc_not_zero(&sa->refcnt))
 		return NULL;
 
 	return sa;
@@ -379,7 +379,7 @@ static void free_txsa(struct rcu_head *head)
 
 static void macsec_txsa_put(struct macsec_tx_sa *sa)
 {
-	if (atomic_dec_and_test(&sa->refcnt))
+	if (refcount_dec_and_test(&sa->refcnt))
 		call_rcu(&sa->rcu, free_txsa);
 }
 
@@ -1437,7 +1437,7 @@ static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
 	}
 
 	tx_sa->active = false;
-	atomic_set(&tx_sa->refcnt, 1);
+	refcount_set(&tx_sa->refcnt, 1);
 	spin_lock_init(&tx_sa->lock);
 
 	return 0;
-- 
2.7.4
* [PATCH 12/15] drivers, net, ppp: convert asyncppp.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (10 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 11/15] drivers, net: convert masces_tx_sa.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 13/15] drivers, net, ppp: convert ppp_file.refcnt " Elena Reshetova
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable asyncppp.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ppp/ppp_async.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
index 814fd8f..1b28e6e 100644
--- a/drivers/net/ppp/ppp_async.c
+++ b/drivers/net/ppp/ppp_async.c
@@ -69,7 +69,7 @@ struct asyncppp {
 
 	struct tasklet_struct tsk;
 
-	atomic_t	refcnt;
+	refcount_t	refcnt;
 	struct semaphore dead_sem;
 	struct ppp_channel chan;	/* interface to generic ppp layer */
 	unsigned char	obuf[OBUFSIZE];
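Review bot: struct asyncppp now uses refcount_t, but no hunk in this patch adds #include <linux/refcount.h> to ppp_async.c (the diffstat is 5 insertions and 5 deletions, all of them conversions). 14/15 adds the include explicitly for ppp_synctty.c; please do the same here rather than relying on an indirect include.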
@@ -140,14 +140,14 @@ static struct asyncppp *ap_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	ap = tty->disc_data;
 	if (ap != NULL)
-		atomic_inc(&ap->refcnt);
+		refcount_inc(&ap->refcnt);
 	read_unlock(&disc_data_lock);
 	return ap;
 }
 
 static void ap_put(struct asyncppp *ap)
 {
-	if (atomic_dec_and_test(&ap->refcnt))
+	if (refcount_dec_and_test(&ap->refcnt))
 		up(&ap->dead_sem);
 }
 
@@ -185,7 +185,7 @@ ppp_asynctty_open(struct tty_struct *tty)
 	skb_queue_head_init(&ap->rqueue);
 	tasklet_init(&ap->tsk, ppp_async_process, (unsigned long) ap);
 
-	atomic_set(&ap->refcnt, 1);
+	refcount_set(&ap->refcnt, 1);
 	sema_init(&ap->dead_sem, 0);
 
 	ap->chan.private = ap;
@@ -234,7 +234,7 @@ ppp_asynctty_close(struct tty_struct *tty)
 	 * our channel ops (i.e. ppp_async_send/ioctl) are in progress
 	 * by the time it returns.
 	 */
-	if (!atomic_dec_and_test(&ap->refcnt))
+	if (!refcount_dec_and_test(&ap->refcnt))
 		down(&ap->dead_sem);
 	tasklet_kill(&ap->tsk);
 
-- 
2.7.4
* [PATCH 13/15] drivers, net, ppp: convert ppp_file.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (11 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 12/15] drivers, net, ppp: convert asyncppp.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 14/15] drivers, net, ppp: convert syncppp.refcnt " Elena Reshetova
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable ppp_file.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ppp/ppp_generic.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index e365866..6566107 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -51,6 +51,7 @@
 #include <asm/unaligned.h>
 #include <net/slhc_vj.h>
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include <linux/nsproxy.h>
 #include <net/net_namespace.h>
@@ -84,7 +85,7 @@ struct ppp_file {
 	struct sk_buff_head xq;		/* pppd transmit queue */
 	struct sk_buff_head rq;		/* receive queue for pppd */
 	wait_queue_head_t rwait;	/* for poll on reading /dev/ppp */
-	atomic_t	refcnt;		/* # refs (incl /dev/ppp attached) */
+	refcount_t	refcnt;		/* # refs (incl /dev/ppp attached) */
 	int		hdrlen;		/* space to leave for headers */
 	int		index;		/* interface unit / channel number */
 	int		dead;		/* unit/channel has been shut down */
@@ -408,7 +409,7 @@ static int ppp_release(struct inode *unused, struct file *file)
 				unregister_netdevice(ppp->dev);
 			rtnl_unlock();
 		}
-		if (atomic_dec_and_test(&pf->refcnt)) {
+		if (refcount_dec_and_test(&pf->refcnt)) {
 			switch (pf->kind) {
 			case INTERFACE:
 				ppp_destroy_interface(PF_TO_PPP(pf));
@@ -881,7 +882,7 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
 		mutex_lock(&pn->all_ppp_mutex);
 		ppp = ppp_find_unit(pn, unit);
 		if (ppp) {
-			atomic_inc(&ppp->file.refcnt);
+			refcount_inc(&ppp->file.refcnt);
 			file->private_data = &ppp->file;
 			err = 0;
 		}
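Review bot: refcount_inc(&ppp->file.refcnt) after ppp_find_unit() assumes the unit it returned still has a non-zero count, and the next hunk makes the same assumption for ppp_find_channel(). If an object can stay findable after its last reference was dropped, refcount_inc() will warn where atomic_inc() silently resurrected it; in that case refcount_inc_not_zero() with an error return is the right primitive, otherwise a comment naming the lock that rules this out would help.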
@@ -896,7 +897,7 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
 		spin_lock_bh(&pn->all_channels_lock);
 		chan = ppp_find_channel(pn, unit);
 		if (chan) {
-			atomic_inc(&chan->file.refcnt);
+			refcount_inc(&chan->file.refcnt);
 			file->private_data = &chan->file;
 			err = 0;
 		}
@@ -1348,7 +1349,7 @@ static int ppp_dev_init(struct net_device *dev)
 	 * that ppp_destroy_interface() won't run before the device gets
 	 * unregistered.
 	 */
-	atomic_inc(&ppp->file.refcnt);
+	refcount_inc(&ppp->file.refcnt);
 
 	return 0;
 }
@@ -1377,7 +1378,7 @@ static void ppp_dev_priv_destructor(struct net_device *dev)
 	struct ppp *ppp;
 
 	ppp = netdev_priv(dev);
-	if (atomic_dec_and_test(&ppp->file.refcnt))
+	if (refcount_dec_and_test(&ppp->file.refcnt))
 		ppp_destroy_interface(ppp);
 }
 
@@ -2676,7 +2677,7 @@ ppp_unregister_channel(struct ppp_channel *chan)
 
 	pch->file.dead = 1;
 	wake_up_interruptible(&pch->file.rwait);
-	if (atomic_dec_and_test(&pch->file.refcnt))
+	if (refcount_dec_and_test(&pch->file.refcnt))
 		ppp_destroy_channel(pch);
 }
 
@@ -3046,7 +3047,7 @@ init_ppp_file(struct ppp_file *pf, int kind)
 	pf->kind = kind;
 	skb_queue_head_init(&pf->xq);
 	skb_queue_head_init(&pf->rq);
-	atomic_set(&pf->refcnt, 1);
+	refcount_set(&pf->refcnt, 1);
 	init_waitqueue_head(&pf->rwait);
 }
 
@@ -3164,7 +3165,7 @@ ppp_connect_channel(struct channel *pch, int unit)
 	list_add_tail(&pch->clist, &ppp->channels);
 	++ppp->n_channels;
 	pch->ppp = ppp;
-	atomic_inc(&ppp->file.refcnt);
+	refcount_inc(&ppp->file.refcnt);
 	ppp_unlock(ppp);
 	ret = 0;
 
@@ -3195,7 +3196,7 @@ ppp_disconnect_channel(struct channel *pch)
 		if (--ppp->n_channels == 0)
 			wake_up_interruptible(&ppp->file.rwait);
 		ppp_unlock(ppp);
-		if (atomic_dec_and_test(&ppp->file.refcnt))
+		if (refcount_dec_and_test(&ppp->file.refcnt))
 			ppp_destroy_interface(ppp);
 		err = 0;
 	}
-- 
2.7.4
* [PATCH 14/15] drivers, net, ppp: convert syncppp.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (12 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 13/15] drivers, net, ppp: convert ppp_file.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-20  7:23 ` [PATCH 15/15] drivers, connector: convert cn_callback_entry.refcnt " Elena Reshetova
  2017-10-22  1:31 ` [PATCH 00/15] networking drivers refcount_t conversions David Miller
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable syncppp.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/net/ppp/ppp_synctty.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 7868c29..7196f00 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -46,6 +46,7 @@
 #include <linux/init.h>
 #include <linux/interrupt.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 #include <asm/unaligned.h>
 #include <linux/uaccess.h>
 
@@ -72,7 +73,7 @@ struct syncppp {
 
 	struct tasklet_struct tsk;
 
-	atomic_t	refcnt;
+	refcount_t	refcnt;
 	struct completion dead_cmp;
 	struct ppp_channel chan;	/* interface to generic ppp layer */
 };
@@ -141,14 +142,14 @@ static struct syncppp *sp_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	ap = tty->disc_data;
 	if (ap != NULL)
-		atomic_inc(&ap->refcnt);
+		refcount_inc(&ap->refcnt);
 	read_unlock(&disc_data_lock);
 	return ap;
 }
 
 static void sp_put(struct syncppp *ap)
 {
-	if (atomic_dec_and_test(&ap->refcnt))
+	if (refcount_dec_and_test(&ap->refcnt))
 		complete(&ap->dead_cmp);
 }
 
@@ -182,7 +183,7 @@ ppp_sync_open(struct tty_struct *tty)
 	skb_queue_head_init(&ap->rqueue);
 	tasklet_init(&ap->tsk, ppp_sync_process, (unsigned long) ap);
 
-	atomic_set(&ap->refcnt, 1);
+	refcount_set(&ap->refcnt, 1);
 	init_completion(&ap->dead_cmp);
 
 	ap->chan.private = ap;
@@ -232,7 +233,7 @@ ppp_sync_close(struct tty_struct *tty)
 	 * our channel ops (i.e. ppp_sync_send/ioctl) are in progress
 	 * by the time it returns.
 	 */
-	if (!atomic_dec_and_test(&ap->refcnt))
+	if (!refcount_dec_and_test(&ap->refcnt))
 		wait_for_completion(&ap->dead_cmp);
 	tasklet_kill(&ap->tsk);
 
-- 
2.7.4
* [PATCH 15/15] drivers, connector: convert cn_callback_entry.refcnt from atomic_t to refcount_t
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (13 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 14/15] drivers, net, ppp: convert syncppp.refcnt " Elena Reshetova
@ 2017-10-20  7:23 ` Elena Reshetova
  2017-10-22  1:31 ` [PATCH 00/15] networking drivers refcount_t conversions David Miller
  15 siblings, 0 replies; 22+ messages in thread
From: Elena Reshetova @ 2017-10-20  7:23 UTC (permalink / raw)
  To: davem
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook, Elena Reshetova
atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)
Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situations and be exploitable.
The variable cn_callback_entry.refcnt is used as a pure reference counter.
Convert it to refcount_t and fix up the operations.
Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
---
 drivers/connector/cn_queue.c  | 4 ++--
 drivers/connector/connector.c | 2 +-
 include/linux/connector.h     | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/connector/cn_queue.c b/drivers/connector/cn_queue.c
index 1f8bf05..9c54fdf 100644
--- a/drivers/connector/cn_queue.c
+++ b/drivers/connector/cn_queue.c
@@ -45,7 +45,7 @@ cn_queue_alloc_callback_entry(struct cn_queue_dev *dev, const char *name,
 		return NULL;
 	}
 
-	atomic_set(&cbq->refcnt, 1);
+	refcount_set(&cbq->refcnt, 1);
 
 	atomic_inc(&dev->refcnt);
 	cbq->pdev = dev;
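Review bot: cbq->refcnt is converted, but the atomic_inc(&dev->refcnt) two lines below it stays on atomic_t, as does the matching atomic_dec(&cbq->pdev->refcnt) in cn_queue_release_callback(). If cn_queue_dev.refcnt is also a lifetime counter, convert it in this series or say in the changelog why it is left alone.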
@@ -58,7 +58,7 @@ cn_queue_alloc_callback_entry(struct cn_queue_dev *dev, const char *name,
 
 void cn_queue_release_callback(struct cn_callback_entry *cbq)
 {
-	if (!atomic_dec_and_test(&cbq->refcnt))
+	if (!refcount_dec_and_test(&cbq->refcnt))
 		return;
 
 	atomic_dec(&cbq->pdev->refcnt);
diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c
index 25693b0..8615594b 100644
--- a/drivers/connector/connector.c
+++ b/drivers/connector/connector.c
@@ -157,7 +157,7 @@ static int cn_call_callback(struct sk_buff *skb)
 	spin_lock_bh(&dev->cbdev->queue_lock);
 	list_for_each_entry(i, &dev->cbdev->queue_list, callback_entry) {
 		if (cn_cb_equal(&i->id.id, &msg->id)) {
-			atomic_inc(&i->refcnt);
+			refcount_inc(&i->refcnt);
 			cbq = i;
 			break;
 		}
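Review bot: The refcount_inc(&i->refcnt) in cn_call_callback() takes a reference on an entry found by walking queue_list, and refcount_inc() is meant to warn on an increment from zero. That is only correct if an entry can never sit on queue_list with a zero count while queue_lock is held; a short comment stating that entries are unlinked under queue_lock before their last reference is dropped would document that. If it cannot be guaranteed, the lookup should use refcount_inc_not_zero() and skip the entry on failure.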
diff --git a/include/linux/connector.h b/include/linux/connector.h
index f8fe863..032102b 100644
--- a/include/linux/connector.h
+++ b/include/linux/connector.h
@@ -22,7 +22,7 @@
 #define __CONNECTOR_H
 
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include <linux/list.h>
 #include <linux/workqueue.h>
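Review bot: This replaces #include <linux/atomic.h> rather than adding <linux/refcount.h> next to it, while cn_queue.c in the same patch still calls atomic_inc() and atomic_dec() on dev->refcnt. If any declaration reachable from this header still uses atomic_t, it now depends on refcount.h pulling in atomic.h indirectly; keeping the atomic.h include alongside the new one avoids relying on that.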
@@ -49,7 +49,7 @@ struct cn_callback_id {
 
 struct cn_callback_entry {
 	struct list_head callback_entry;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	struct cn_queue_dev *pdev;
 
 	struct cn_callback_id id;
-- 
2.7.4
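A userspace model of the difference the commit message above describes, added here as an example; it is not code from this patch series or from the kernel. The plain_* and checked_* helpers and both scenarios are constructed for illustration, and the checked helpers are a simplified stand-in for the refcount_t behaviour (no increment from zero, saturation at UINT_MAX), not the kernel implementation.

```c
/* Added illustration: userspace model of the two counter behaviours, not kernel code. */
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

static atomic_uint model_warnings;	/* events the checked API would WARN on */

/* Stand-ins for atomic_inc()/atomic_dec_and_test(): the value wraps silently. */
static void plain_inc(atomic_uint *v) { atomic_fetch_add(v, 1u); }
static bool plain_dec_and_test(atomic_uint *v) { return atomic_fetch_sub(v, 1u) == 1u; }

/* Stand-ins for the checked API: no 0 -> 1 step, saturation at UINT_MAX. */
static bool checked_inc_not_zero(atomic_uint *v)
{
	unsigned int old = atomic_load(v);

	do {
		if (old == 0)
			return false;		/* already released */
		if (old == UINT_MAX)
			return true;		/* saturated: value stays pinned */
	} while (!atomic_compare_exchange_weak(v, &old, old + 1));
	if (old + 1 == UINT_MAX)
		atomic_fetch_add(&model_warnings, 1u);	/* just saturated */
	return true;
}

static void checked_inc(atomic_uint *v)
{
	if (!checked_inc_not_zero(v))
		atomic_fetch_add(&model_warnings, 1u);	/* increment on 0 */
}

static bool checked_dec_and_test(atomic_uint *v)
{
	unsigned int old = atomic_load(v);

	do {
		if (old == UINT_MAX)
			return false;		/* saturated: leaked, never freed */
		if (old == 0) {
			atomic_fetch_add(&model_warnings, 1u);	/* underflow */
			return false;
		}
	} while (!atomic_compare_exchange_weak(v, &old, old - 1));
	return old == 1;
}

/* Constructed scenario 1: a buggy path leaks references. Start at UINT_MAX - 1,
 * take three more, drop one. True means the put said "last reference, free". */
static bool leak_then_put(bool checked)
{
	atomic_uint v;

	atomic_init(&v, UINT_MAX - 1);
	for (int i = 0; i < 3; i++) {
		if (checked)
			checked_inc(&v);
		else
			plain_inc(&v);
	}
	return checked ? checked_dec_and_test(&v) : plain_dec_and_test(&v);
}

/* Constructed scenario 2: a stale pointer takes a reference after the final
 * put. Returns the count afterwards; non-zero makes the freed object look live. */
static unsigned int get_after_final_put(bool checked)
{
	atomic_uint v;

	atomic_init(&v, 1u);
	if (checked) {
		checked_dec_and_test(&v);
		checked_inc(&v);		/* refused, counted as a warning */
	} else {
		plain_dec_and_test(&v);
		plain_inc(&v);			/* 0 -> 1 on freed memory */
	}
	return atomic_load(&v);
}

int main(void)
{
	printf("leak then put frees: plain=%d checked=%d\n",
	       leak_then_put(false), leak_then_put(true));
	printf("count after stale get: plain=%u checked=%u\n",
	       get_after_final_put(false), get_after_final_put(true));
}
```

In the plain model the wrapped counter reports a final put while references are still outstanding, which is the use-after-free precondition; the checked model trades that for a leaked object and a warning.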
* Re: [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
       [not found]   ` <1508484229-19706-3-git-send-email-elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
@ 2017-10-20  8:08     ` Sean Wang
  2017-10-20 10:37       ` Reshetova, Elena
  0 siblings, 1 reply; 22+ messages in thread
From: Sean Wang @ 2017-10-20  8:08 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: peterz-wEGCiKHe2LqWVfeAwA7xHQ, matanb-VPRAkNaXOzVWk0Htik3J/w,
	paulus-eUNUBHrolfbYtjvyW6yDsg, zbr-i6C2adt8DTjR7s880joybQ,
	nbd-p3rKhJxN3npAfugRpC6u6w, linux-rdma-u79uwXL29TY76Z2rM5mHXA,
	saeedm-VPRAkNaXOzVWk0Htik3J/w, ganeshgr-ut6Up61K2wZBDgjK7y7TUQ,
	keescook-F7+t8E8rja9g9hUCZPvPmw,
	ajk-iz34hMvxm2Hmj42eshorlhS11BummzK+,
	leonro-VPRAkNaXOzVWk0Htik3J/w,
	linux-mediatek-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	john-Pj+rj9U5foFAfugRpC6u6w, matthias.bgg-Re5JQEeQqe8AvxtiuMwx3w,
	linux-hams-u79uwXL29TY76Z2rM5mHXA,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	netdev-u79uwXL29TY76Z2rM5mHXA, yishaih-VPRAkNaXOzVWk0Htik3J/w,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA,
	linux-ppp-u79uwXL29TY76Z2rM5mHXA, davem-fT/PcQaiUtIeIZ0/mPfg9Q,
	tariqt-VPRAkNaXOzVWk0Htik3J/w
On Fri, 2017-10-20 at 10:23 +0300, Elena Reshetova wrote:
> atomic_t variables are currently used to implement reference
> counters with the following properties:
>  - counter is initialized to 1 using atomic_set()
>  - a resource is freed upon counter reaching zero
>  - once counter reaches zero, its further
>    increments aren't allowed
>  - counter schema uses basic atomic operations
>    (set, inc, inc_not_zero, dec_and_test, etc.)
> 
> Such atomic variables should be converted to a newly provided
> refcount_t type and API that prevents accidental counter overflows
> and underflows. This is important since overflows and underflows
> can lead to use-after-free situation and be exploitable.
> 
> The variable mtk_eth.dma_refcnt is used as pure reference counter.
> Convert it to refcount_t and fix up the operations.
> 
> Suggested-by: Kees Cook <keescook-F7+t8E8rja9g9hUCZPvPmw@public.gmane.org>
> Reviewed-by: David Windsor <dwindsor-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Reviewed-by: Hans Liljestrand <ishkamiel-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Signed-off-by: Elena Reshetova <elena.reshetova-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> ---
>  drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
>  drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
>  2 files changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> index 5e81a72..54adfd9 100644
> --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> @@ -1817,7 +1817,7 @@ static int mtk_open(struct net_device *dev)
>  	struct mtk_eth *eth = mac->hw;
>  
>  	/* we run 2 netdevs on the same dma ring so we only bring it up once */
> -	if (!atomic_read(ð->dma_refcnt)) {
> +	if (!refcount_read(ð->dma_refcnt)) {
>  		int err = mtk_start_dma(eth);
>  
>  		if (err)
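Review bot: The !refcount_read() test on eth->dma_refcnt in mtk_open() treats zero as the normal "DMA not started yet" state, which does not match the counter described in the commit message (initialized to 1, resource freed at zero, no increments after zero). This counter tracks how many netdevs share the DMA ring and is expected to return to zero in mtk_stop() and go up again on the next open, so the commit message should say how it differs from a pure object-lifetime refcount, or the conversion should be justified separately for it.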
> @@ -1827,8 +1827,10 @@ static int mtk_open(struct net_device *dev)
>  		napi_enable(ð->rx_napi);
>  		mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
>  		mtk_rx_irq_enable(eth, MTK_RX_DONE_INT);
> +		refcount_set(ð->dma_refcnt, 1);
the existing driver seems to have a missing initial atomic_set for the
eth->dma_refcnt. 
>  	}
> -	atomic_inc(ð->dma_refcnt);
> +	else
> +		refcount_inc(ð->dma_refcnt);
>  
How about adding the initial refcount_set to the probe handler, and
keeping the other logic unchanged?
>  	phy_start(dev->phydev);
>  	netif_start_queue(dev);
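Review bot: The added refcount_set(..., 1) inside the if block and the new else branch split the single unconditional increment into two paths, and the zero check in the previous hunk and this refcount_set() are separate operations, so the sequence is only safe if calls to mtk_open() are serialized; please state in a comment what provides that. On style, the else belongs on the same line as the closing brace, with braces on both branches, i.e. "} else {".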
> @@ -1868,7 +1870,7 @@ static int mtk_stop(struct net_device *dev)
>  	phy_stop(dev->phydev);
>  
>  	/* only shutdown DMA if this is the last user */
> -	if (!atomic_dec_and_test(ð->dma_refcnt))
> +	if (!refcount_dec_and_test(ð->dma_refcnt))
>  		return 0;
>  
>  	mtk_tx_irq_disable(eth, MTK_TX_DONE_INT);
> diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> index 3d3c24a..a3af466 100644
> --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> @@ -15,6 +15,8 @@
>  #ifndef MTK_ETH_H
>  #define MTK_ETH_H
>  
> +#include <linux/refcount.h>
> +
>  #define MTK_QDMA_PAGE_SIZE	2048
>  #define	MTK_MAX_RX_LENGTH	1536
>  #define MTK_TX_DMA_BUF_LEN	0x3fff
> @@ -632,7 +634,7 @@ struct mtk_eth {
>  	struct regmap			*pctl;
>  	u32				chip_id;
>  	bool				hwlro;
> -	atomic_t			dma_refcnt;
> +	refcount_t			dma_refcnt;
>  	struct mtk_tx_ring		tx_ring;
>  	struct mtk_rx_ring		rx_ring[MTK_MAX_RX_RING_NUM];
>  	struct mtk_rx_ring		rx_ring_qdma;
* RE: [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
  2017-10-20  8:08     ` Sean Wang
@ 2017-10-20 10:37       ` Reshetova, Elena
  2017-10-22  4:06         ` Sean Wang
  0 siblings, 1 reply; 22+ messages in thread
From: Reshetova, Elena @ 2017-10-20 10:37 UTC (permalink / raw)
  To: Sean Wang
  Cc: davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org,
	netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
	linux-mediatek-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-hams-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	linux-ppp-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
	ganeshgr-ut6Up61K2wZBDgjK7y7TUQ@public.gmane.org,
	nbd-p3rKhJxN3npAfugRpC6u6w@public.gmane.org,
	john-Pj+rj9U5foFAfugRpC6u6w@public.gmane.org,
	matthias.bgg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org,
	yishaih-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org,
	saeedm-VPRAkNaXOzVWk0Htik3J/w@public.gmane.org, matanb
> On Fri, 2017-10-20 at 10:23 +0300, Elena Reshetova wrote:
> > atomic_t variables are currently used to implement reference
> > counters with the following properties:
> >  - counter is initialized to 1 using atomic_set()
> >  - a resource is freed upon counter reaching zero
> >  - once counter reaches zero, its further
> >    increments aren't allowed
> >  - counter schema uses basic atomic operations
> >    (set, inc, inc_not_zero, dec_and_test, etc.)
> >
> > Such atomic variables should be converted to a newly provided
> > refcount_t type and API that prevents accidental counter overflows
> > and underflows. This is important since overflows and underflows
> > can lead to use-after-free situation and be exploitable.
> >
> > The variable mtk_eth.dma_refcnt is used as pure reference counter.
> > Convert it to refcount_t and fix up the operations.
> >
> > Suggested-by: Kees Cook <keescook@chromium.org>
> > Reviewed-by: David Windsor <dwindsor@gmail.com>
> > Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > ---
> >  drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
> >  drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
> >  2 files changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > index 5e81a72..54adfd9 100644
> > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > @@ -1817,7 +1817,7 @@ static int mtk_open(struct net_device *dev)
> >  	struct mtk_eth *eth = mac->hw;
> >
> >  	/* we run 2 netdevs on the same dma ring so we only bring it up once
> */
> > -	if (!atomic_read(ð->dma_refcnt)) {
> > +	if (!refcount_read(ð->dma_refcnt)) {
> >  		int err = mtk_start_dma(eth);
> >
> >  		if (err)
> > @@ -1827,8 +1827,10 @@ static int mtk_open(struct net_device *dev)
> >  		napi_enable(ð->rx_napi);
> >  		mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
> >  		mtk_rx_irq_enable(eth, MTK_RX_DONE_INT);
> > +		refcount_set(ð->dma_refcnt, 1);
> 
> the existing driver seems to have a missing initial atomic_set for the
> eth->dma_refcnt.
> 
> >  	}
> > -	atomic_inc(ð->dma_refcnt);
> > +	else
> > +		refcount_inc(ð->dma_refcnt);
> >
> 
> How about adding the initial refcount_set to the probe handler, and
> keeping the other logic unchanged?
Sure, I guess you mean mtk_probe() function? I can move the refcount_set to be there
and remove this change. 
Should I resend the modified patch to you (maybe then two of the ethernet patches)?
Best Regards,
Elena.
> 
> >  	phy_start(dev->phydev);
> >  	netif_start_queue(dev);
> > @@ -1868,7 +1870,7 @@ static int mtk_stop(struct net_device *dev)
> >  	phy_stop(dev->phydev);
> >
> >  	/* only shutdown DMA if this is the last user */
> > -	if (!atomic_dec_and_test(ð->dma_refcnt))
> > +	if (!refcount_dec_and_test(ð->dma_refcnt))
> >  		return 0;
> >
> >  	mtk_tx_irq_disable(eth, MTK_TX_DONE_INT);
> > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > index 3d3c24a..a3af466 100644
> > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > @@ -15,6 +15,8 @@
> >  #ifndef MTK_ETH_H
> >  #define MTK_ETH_H
> >
> > +#include <linux/refcount.h>
> > +
> >  #define MTK_QDMA_PAGE_SIZE	2048
> >  #define	MTK_MAX_RX_LENGTH	1536
> >  #define MTK_TX_DMA_BUF_LEN	0x3fff
> > @@ -632,7 +634,7 @@ struct mtk_eth {
> >  	struct regmap			*pctl;
> >  	u32				chip_id;
> >  	bool				hwlro;
> > -	atomic_t			dma_refcnt;
> > +	refcount_t			dma_refcnt;
> >  	struct mtk_tx_ring		tx_ring;
> >  	struct mtk_rx_ring
> 	rx_ring[MTK_MAX_RX_RING_NUM];
> >  	struct mtk_rx_ring		rx_ring_qdma;
> 
* Re: [PATCH 00/15] networking drivers refcount_t conversions
  2017-10-20  7:23 [PATCH 00/15] networking drivers refcount_t conversions Elena Reshetova
                   ` (14 preceding siblings ...)
  2017-10-20  7:23 ` [PATCH 15/15] drivers, connector: convert cn_callback_entry.refcnt " Elena Reshetova
@ 2017-10-22  1:31 ` David Miller
  2017-10-23  6:34   ` Reshetova, Elena
  15 siblings, 1 reply; 22+ messages in thread
From: David Miller @ 2017-10-22  1:31 UTC (permalink / raw)
  To: elena.reshetova
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-mediatek,
	linux-rdma, linux-hams, linux-ppp, ganeshgr, nbd, john, sean.wang,
	matthias.bgg, yishaih, saeedm, matanb, tariqt, leonro, ajk,
	paulus, zbr, peterz, keescook
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Fri, 20 Oct 2017 10:23:34 +0300
> Note: these are the last patches related to networking that perform
> conversion of refcounters from atomic_t to refcount_t.
> In contrast to the core network refcounter conversions that
> were merged earlier, these are much more straightforward ones.
> 
> This series, for various networking drivers, replaces atomic_t reference
> counters with the new refcount_t type and API (see include/linux/refcount.h).
> By doing this we prevent intentional or accidental
> underflows or overflows that can lead to use-after-free vulnerabilities.
> 
> The patches are fully independent and can be cherry-picked separately.
> Patches are based on top of net-next.
> If there are no objections to the patches, please merge them via respective trees
I've applied this entire series to net-next.  If there are any fixups or
follow-ups please send them as relative patches.
Thank you.
* RE: [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
  2017-10-20 10:37       ` Reshetova, Elena
@ 2017-10-22  4:06         ` Sean Wang
  2017-10-23  6:37           ` Reshetova, Elena
  0 siblings, 1 reply; 22+ messages in thread
From: Sean Wang @ 2017-10-22  4:06 UTC (permalink / raw)
  To: Reshetova, Elena
  Cc: davem@davemloft.net, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org, linux-rdma@vger.kernel.org,
	linux-hams@vger.kernel.org, linux-ppp@vger.kernel.org,
	ganeshgr@chelsio.com, nbd@openwrt.org, john@phrozen.org,
	matthias.bgg@gmail.com, yishaih@mellanox.com, saeedm@mellanox.com,
	matanb
On Fri, 2017-10-20 at 10:37 +0000, Reshetova, Elena wrote:
> > On Fri, 2017-10-20 at 10:23 +0300, Elena Reshetova wrote:
> > > atomic_t variables are currently used to implement reference
> > > counters with the following properties:
> > >  - counter is initialized to 1 using atomic_set()
> > >  - a resource is freed upon counter reaching zero
> > >  - once counter reaches zero, its further
> > >    increments aren't allowed
> > >  - counter schema uses basic atomic operations
> > >    (set, inc, inc_not_zero, dec_and_test, etc.)
> > >
> > > Such atomic variables should be converted to a newly provided
> > > refcount_t type and API that prevents accidental counter overflows
> > > and underflows. This is important since overflows and underflows
> > > can lead to use-after-free situation and be exploitable.
> > >
> > > The variable mtk_eth.dma_refcnt is used as pure reference counter.
> > > Convert it to refcount_t and fix up the operations.
> > >
> > > Suggested-by: Kees Cook <keescook@chromium.org>
> > > Reviewed-by: David Windsor <dwindsor@gmail.com>
> > > Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > ---
> > >  drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
> > >  drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
> > >  2 files changed, 8 insertions(+), 4 deletions(-)
> > >
> > > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > index 5e81a72..54adfd9 100644
> > > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > @@ -1817,7 +1817,7 @@ static int mtk_open(struct net_device *dev)
> > >  	struct mtk_eth *eth = mac->hw;
> > >
> > >  	/* we run 2 netdevs on the same dma ring so we only bring it up once
> > */
> > > -	if (!atomic_read(ð->dma_refcnt)) {
> > > +	if (!refcount_read(ð->dma_refcnt)) {
> > >  		int err = mtk_start_dma(eth);
> > >
> > >  		if (err)
> > > @@ -1827,8 +1827,10 @@ static int mtk_open(struct net_device *dev)
> > >  		napi_enable(ð->rx_napi);
> > >  		mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
> > >  		mtk_rx_irq_enable(eth, MTK_RX_DONE_INT);
> > > +		refcount_set(ð->dma_refcnt, 1);
> > 
> > the existing driver seems to have a missing initial atomic_set for the
> > eth->dma_refcnt.
> > 
> > >  	}
> > > -	atomic_inc(ð->dma_refcnt);
> > > +	else
> > > +		refcount_inc(ð->dma_refcnt);
> > >
> > 
> > How about adding the initial refcount_set to the probe handler, and
> > keeping the other logic unchanged?
> 
> Sure, I guess you mean mtk_probe() function? I can move the refcount_set to be there
> and remove this change. 
> 
> Should I resend the modified patch to you (maybe then two of the ethernet patches)?
> 
> Best Regards,
> Elena.
The entire series has been applied to net-next, I think I can make the
follow-up patches relative to your work.
	
	Sean
> > 
> > >  	phy_start(dev->phydev);
> > >  	netif_start_queue(dev);
> > > @@ -1868,7 +1870,7 @@ static int mtk_stop(struct net_device *dev)
> > >  	phy_stop(dev->phydev);
> > >
> > >  	/* only shutdown DMA if this is the last user */
> > > -	if (!atomic_dec_and_test(ð->dma_refcnt))
> > > +	if (!refcount_dec_and_test(ð->dma_refcnt))
> > >  		return 0;
> > >
> > >  	mtk_tx_irq_disable(eth, MTK_TX_DONE_INT);
> > > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > index 3d3c24a..a3af466 100644
> > > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > @@ -15,6 +15,8 @@
> > >  #ifndef MTK_ETH_H
> > >  #define MTK_ETH_H
> > >
> > > +#include <linux/refcount.h>
> > > +
> > >  #define MTK_QDMA_PAGE_SIZE	2048
> > >  #define	MTK_MAX_RX_LENGTH	1536
> > >  #define MTK_TX_DMA_BUF_LEN	0x3fff
> > > @@ -632,7 +634,7 @@ struct mtk_eth {
> > >  	struct regmap			*pctl;
> > >  	u32				chip_id;
> > >  	bool				hwlro;
> > > -	atomic_t			dma_refcnt;
> > > +	refcount_t			dma_refcnt;
> > >  	struct mtk_tx_ring		tx_ring;
> > >  	struct mtk_rx_ring
> > 	rx_ring[MTK_MAX_RX_RING_NUM];
> > >  	struct mtk_rx_ring		rx_ring_qdma;
> > 
> 
* RE: [PATCH 00/15] networking drivers refcount_t conversions
  2017-10-22  1:31 ` [PATCH 00/15] networking drivers refcount_t conversions David Miller
@ 2017-10-23  6:34   ` Reshetova, Elena
  0 siblings, 0 replies; 22+ messages in thread
From: Reshetova, Elena @ 2017-10-23  6:34 UTC (permalink / raw)
  To: David Miller
  Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org, linux-rdma@vger.kernel.org,
	linux-hams@vger.kernel.org, linux-ppp@vger.kernel.org,
	ganeshgr@chelsio.com, nbd@openwrt.org, john@phrozen.org,
	sean.wang@mediatek.com, matthias.bgg@gmail.com,
	yishaih@mellanox.com, saeedm@mellanox.com, matan
> From: Elena Reshetova <elena.reshetova@intel.com>
> Date: Fri, 20 Oct 2017 10:23:34 +0300
> 
> > Note: these are the last patches related to networking that perform
> > conversion of refcounters from atomic_t to refcount_t.
> > In contrast to the core network refcounter conversions that
> > were merged earlier, these are much more straightforward ones.
> >
> > This series, for various networking drivers, replaces atomic_t reference
> > counters with the new refcount_t type and API (see include/linux/refcount.h).
> > By doing this we prevent intentional or accidental
> > underflows or overflows that can lead to use-after-free vulnerabilities.
> >
> > The patches are fully independent and can be cherry-picked separately.
> > Patches are based on top of net-next.
> > If there are no objections to the patches, please merge them via respective trees
> 
> I've applied this entire series to net-next.  If there are any fixups or
> follow-ups please send them as relative patches.
> 
> Thank you.
Thank you very much David! Will send fixups separately.
Best Regards,
Elena.
* RE: [PATCH 02/15] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
  2017-10-22  4:06         ` Sean Wang
@ 2017-10-23  6:37           ` Reshetova, Elena
  0 siblings, 0 replies; 22+ messages in thread
From: Reshetova, Elena @ 2017-10-23  6:37 UTC (permalink / raw)
  To: Sean Wang
  Cc: davem@davemloft.net, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-mediatek@lists.infradead.org, linux-rdma@vger.kernel.org,
	linux-hams@vger.kernel.org, linux-ppp@vger.kernel.org,
	ganeshgr@chelsio.com, nbd@openwrt.org, john@phrozen.org,
	matthias.bgg@gmail.com, yishaih@mellanox.com, saeedm@mellanox.com,
	matanb
> On Fri, 2017-10-20 at 10:37 +0000, Reshetova, Elena wrote:
> > > On Fri, 2017-10-20 at 10:23 +0300, Elena Reshetova wrote:
> > > > atomic_t variables are currently used to implement reference
> > > > counters with the following properties:
> > > >  - counter is initialized to 1 using atomic_set()
> > > >  - a resource is freed upon counter reaching zero
> > > >  - once counter reaches zero, its further
> > > >    increments aren't allowed
> > > >  - counter schema uses basic atomic operations
> > > >    (set, inc, inc_not_zero, dec_and_test, etc.)
> > > >
> > > > Such atomic variables should be converted to a newly provided
> > > > refcount_t type and API that prevents accidental counter overflows
> > > > and underflows. This is important since overflows and underflows
> > > > can lead to use-after-free situation and be exploitable.
> > > >
> > > > The variable mtk_eth.dma_refcnt is used as pure reference counter.
> > > > Convert it to refcount_t and fix up the operations.
> > > >
> > > > Suggested-by: Kees Cook <keescook@chromium.org>
> > > > Reviewed-by: David Windsor <dwindsor@gmail.com>
> > > > Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
> > > > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > > > ---
> > > >  drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
> > > >  drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
> > > >  2 files changed, 8 insertions(+), 4 deletions(-)
> > > >
> > > > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > > index 5e81a72..54adfd9 100644
> > > > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
> > > > @@ -1817,7 +1817,7 @@ static int mtk_open(struct net_device *dev)
> > > >  	struct mtk_eth *eth = mac->hw;
> > > >
> > > >  	/* we run 2 netdevs on the same dma ring so we only bring it up once
> > > */
> > > > -	if (!atomic_read(ð->dma_refcnt)) {
> > > > +	if (!refcount_read(ð->dma_refcnt)) {
> > > >  		int err = mtk_start_dma(eth);
> > > >
> > > >  		if (err)
> > > > @@ -1827,8 +1827,10 @@ static int mtk_open(struct net_device *dev)
> > > >  		napi_enable(ð->rx_napi);
> > > >  		mtk_tx_irq_enable(eth, MTK_TX_DONE_INT);
> > > >  		mtk_rx_irq_enable(eth, MTK_RX_DONE_INT);
> > > > +		refcount_set(ð->dma_refcnt, 1);
> > >
> > > the existing driver seems to have a missing initial atomic_set for the
> > > eth->dma_refcnt.
> > >
> > > >  	}
> > > > -	atomic_inc(ð->dma_refcnt);
> > > > +	else
> > > > +		refcount_inc(ð->dma_refcnt);
> > > >
> > >
> > > > How about adding the initial refcount_set to the probe handler, and
> > > > keeping the other logic unchanged?
> >
> > Sure, I guess you mean mtk_probe() function? I can move the refcount_set to be
> there
> > and remove this change.
> >
> > Should I resend the modified patch to you (maybe then two of the ethernet
> patches)?
> >
> > Best Regards,
> > Elena.
> 
> The entire series has been applied to net-next, I think I can make the
> follow-up patches relative to your work.
> 
> 	Sean
Yes, I just noticed that David took them all.
Sure, if you want to send the follow-up yourself, I certainly would not mind,
I still have many of these refcount patches for different parts of the kernel :)
Thank you!
Best Regards,
Elena.
> 
> > >
> > > >  	phy_start(dev->phydev);
> > > >  	netif_start_queue(dev);
> > > > @@ -1868,7 +1870,7 @@ static int mtk_stop(struct net_device *dev)
> > > >  	phy_stop(dev->phydev);
> > > >
> > > >  	/* only shutdown DMA if this is the last user */
> > > > -	if (!atomic_dec_and_test(ð->dma_refcnt))
> > > > +	if (!refcount_dec_and_test(ð->dma_refcnt))
> > > >  		return 0;
> > > >
> > > >  	mtk_tx_irq_disable(eth, MTK_TX_DONE_INT);
> > > > diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > > index 3d3c24a..a3af466 100644
> > > > --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > > +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
> > > > @@ -15,6 +15,8 @@
> > > >  #ifndef MTK_ETH_H
> > > >  #define MTK_ETH_H
> > > >
> > > > +#include <linux/refcount.h>
> > > > +
> > > >  #define MTK_QDMA_PAGE_SIZE	2048
> > > >  #define	MTK_MAX_RX_LENGTH	1536
> > > >  #define MTK_TX_DMA_BUF_LEN	0x3fff
> > > > @@ -632,7 +634,7 @@ struct mtk_eth {
> > > >  	struct regmap			*pctl;
> > > >  	u32				chip_id;
> > > >  	bool				hwlro;
> > > > -	atomic_t			dma_refcnt;
> > > > +	refcount_t			dma_refcnt;
> > > >  	struct mtk_tx_ring		tx_ring;
> > > >  	struct mtk_rx_ring
> > > 	rx_ring[MTK_MAX_RX_RING_NUM];
> > > >  	struct mtk_rx_ring		rx_ring_qdma;
> > >
> >
> 