OSCL-LXR |
|
|
|
|||
0001 /* SPDX-License-Identifier: GPL-2.0 */ 0002 /* 0003 * Variant of atomic_t specialized for reference counts. 0004 * 0005 * The interface matches the atomic_t interface (to aid in porting) but only 0006 * provides the few functions one should use for reference counting. 0007 * 0008 * Saturation semantics 0009 * ==================== 0010 * 0011 * refcount_t differs from atomic_t in that the counter saturates at 0012 * REFCOUNT_SATURATED and will not move once there. This avoids wrapping the 0013 * counter and causing 'spurious' use-after-free issues. In order to avoid the 0014 * cost associated with introducing cmpxchg() loops into all of the saturating 0015 * operations, we temporarily allow the counter to take on an unchecked value 0016 * and then explicitly set it to REFCOUNT_SATURATED on detecting that underflow 0017 * or overflow has occurred. Although this is racy when multiple threads 0018 * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly 0019 * equidistant from 0 and INT_MAX we minimise the scope for error: 0020 * 0021 * INT_MAX REFCOUNT_SATURATED UINT_MAX 0022 * 0 (0x7fff_ffff) (0xc000_0000) (0xffff_ffff) 0023 * +--------------------------------+----------------+----------------+ 0024 * <---------- bad value! ----------> 0025 * 0026 * (in a signed view of the world, the "bad value" range corresponds to 0027 * a negative counter value). 0028 * 0029 * As an example, consider a refcount_inc() operation that causes the counter 0030 * to overflow: 0031 * 0032 * int old = atomic_fetch_add_relaxed(r); 0033 * // old is INT_MAX, refcount now INT_MIN (0x8000_0000) 0034 * if (old < 0) 0035 * atomic_set(r, REFCOUNT_SATURATED); 0036 * 0037 * If another thread also performs a refcount_inc() operation between the two 0038 * atomic operations, then the count will continue to edge closer to 0. If it 0039 * reaches a value of 1 before /any/ of the threads reset it to the saturated 0040 * value, then a concurrent refcount_dec_and_test() may erroneously free the 0041 * underlying object. 0042 * Linux limits the maximum number of tasks to PID_MAX_LIMIT, which is currently 0043 * 0x400000 (and can't easily be raised in the future beyond FUTEX_TID_MASK). 0044 * With the current PID limit, if no batched refcounting operations are used and 0045 * the attacker can't repeatedly trigger kernel oopses in the middle of refcount 0046 * operations, this makes it impossible for a saturated refcount to leave the 0047 * saturation range, even if it is possible for multiple uses of the same 0048 * refcount to nest in the context of a single task: 0049 * 0050 * (UINT_MAX+1-REFCOUNT_SATURATED) / PID_MAX_LIMIT = 0051 * 0x40000000 / 0x400000 = 0x100 = 256 0052 * 0053 * If hundreds of references are added/removed with a single refcounting 0054 * operation, it may potentially be possible to leave the saturation range; but 0055 * given the precise timing details involved with the round-robin scheduling of 0056 * each thread manipulating the refcount and the need to hit the race multiple 0057 * times in succession, there doesn't appear to be a practical avenue of attack 0058 * even if using refcount_add() operations with larger increments. 0059 * 0060 * Memory ordering 0061 * =============== 0062 * 0063 * Memory ordering rules are slightly relaxed wrt regular atomic_t functions 0064 * and provide only what is strictly required for refcounts. 0065 * 0066 * The increments are fully relaxed; these will not provide ordering. The 0067 * rationale is that whatever is used to obtain the object we're increasing the 0068 * reference count on will provide the ordering. For locked data structures, 0069 * its the lock acquire, for RCU/lockless data structures its the dependent 0070 * load. 0071 * 0072 * Do note that inc_not_zero() provides a control dependency which will order 0073 * future stores against the inc, this ensures we'll never modify the object 0074 * if we did not in fact acquire a reference. 0075 * 0076 * The decrements will provide release order, such that all the prior loads and 0077 * stores will be issued before, it also provides a control dependency, which 0078 * will order us against the subsequent free(). 0079 * 0080 * The control dependency is against the load of the cmpxchg (ll/sc) that 0081 * succeeded. This means the stores aren't fully ordered, but this is fine 0082 * because the 1->0 transition indicates no concurrency. 0083 * 0084 * Note that the allocator is responsible for ordering things between free() 0085 * and alloc(). 0086 * 0087 * The decrements dec_and_test() and sub_and_test() also provide acquire 0088 * ordering on success. 0089 * 0090 */ 0091 0092 #ifndef _LINUX_REFCOUNT_H 0093 #define _LINUX_REFCOUNT_H 0094 0095 #include <linux/atomic.h> 0096 #include <linux/bug.h> 0097 #include <linux/compiler.h> 0098 #include <linux/limits.h> 0099 #include <linux/spinlock_types.h> 0100 0101 struct mutex; 0102 0103 /** 0104 * typedef refcount_t - variant of atomic_t specialized for reference counts 0105 * @refs: atomic_t counter field 0106 * 0107 * The counter saturates at REFCOUNT_SATURATED and will not move once 0108 * there. This avoids wrapping the counter and causing 'spurious' 0109 * use-after-free bugs. 0110 */ 0111 typedef struct refcount_struct { 0112 atomic_t refs; 0113 } refcount_t; 0114 0115 #define REFCOUNT_INIT(n) { .refs = ATOMIC_INIT(n), } 0116 #define REFCOUNT_MAX INT_MAX 0117 #define REFCOUNT_SATURATED (INT_MIN / 2) 0118 0119 enum refcount_saturation_type { 0120 REFCOUNT_ADD_NOT_ZERO_OVF, 0121 REFCOUNT_ADD_OVF, 0122 REFCOUNT_ADD_UAF, 0123 REFCOUNT_SUB_UAF, 0124 REFCOUNT_DEC_LEAK, 0125 }; 0126 0127 void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t); 0128 0129 /** 0130 * refcount_set - set a refcount's value 0131 * @r: the refcount 0132 * @n: value to which the refcount will be set 0133 */ 0134 static inline void refcount_set(refcount_t *r, int n) 0135 { 0136 atomic_set(&r->refs, n); 0137 } 0138 0139 /** 0140 * refcount_read - get a refcount's value 0141 * @r: the refcount 0142 * 0143 * Return: the refcount's value 0144 */ 0145 static inline unsigned int refcount_read(const refcount_t *r) 0146 { 0147 return atomic_read(&r->refs); 0148 } 0149 0150 static inline __must_check bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp) 0151 { 0152 int old = refcount_read(r); 0153 0154 do { 0155 if (!old) 0156 break; 0157 } while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i)); 0158 0159 if (oldp) 0160 *oldp = old; 0161 0162 if (unlikely(old < 0 || old + i < 0)) 0163 refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF); 0164 0165 return old; 0166 } 0167 0168 /** 0169 * refcount_add_not_zero - add a value to a refcount unless it is 0 0170 * @i: the value to add to the refcount 0171 * @r: the refcount 0172 * 0173 * Will saturate at REFCOUNT_SATURATED and WARN. 0174 * 0175 * Provides no memory ordering, it is assumed the caller has guaranteed the 0176 * object memory to be stable (RCU, etc.). It does provide a control dependency 0177 * and thereby orders future stores. See the comment on top. 0178 * 0179 * Use of this function is not recommended for the normal reference counting 0180 * use case in which references are taken and released one at a time. In these 0181 * cases, refcount_inc(), or one of its variants, should instead be used to 0182 * increment a reference count. 0183 * 0184 * Return: false if the passed refcount is 0, true otherwise 0185 */ 0186 static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) 0187 { 0188 return __refcount_add_not_zero(i, r, NULL); 0189 } 0190 0191 static inline void __refcount_add(int i, refcount_t *r, int *oldp) 0192 { 0193 int old = atomic_fetch_add_relaxed(i, &r->refs); 0194 0195 if (oldp) 0196 *oldp = old; 0197 0198 if (unlikely(!old)) 0199 refcount_warn_saturate(r, REFCOUNT_ADD_UAF); 0200 else if (unlikely(old < 0 || old + i < 0)) 0201 refcount_warn_saturate(r, REFCOUNT_ADD_OVF); 0202 } 0203 0204 /** 0205 * refcount_add - add a value to a refcount 0206 * @i: the value to add to the refcount 0207 * @r: the refcount 0208 * 0209 * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WARN. 0210 * 0211 * Provides no memory ordering, it is assumed the caller has guaranteed the 0212 * object memory to be stable (RCU, etc.). It does provide a control dependency 0213 * and thereby orders future stores. See the comment on top. 0214 * 0215 * Use of this function is not recommended for the normal reference counting 0216 * use case in which references are taken and released one at a time. In these 0217 * cases, refcount_inc(), or one of its variants, should instead be used to 0218 * increment a reference count. 0219 */ 0220 static inline void refcount_add(int i, refcount_t *r) 0221 { 0222 __refcount_add(i, r, NULL); 0223 } 0224 0225 static inline __must_check bool __refcount_inc_not_zero(refcount_t *r, int *oldp) 0226 { 0227 return __refcount_add_not_zero(1, r, oldp); 0228 } 0229 0230 /** 0231 * refcount_inc_not_zero - increment a refcount unless it is 0 0232 * @r: the refcount to increment 0233 * 0234 * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURATED 0235 * and WARN. 0236 * 0237 * Provides no memory ordering, it is assumed the caller has guaranteed the 0238 * object memory to be stable (RCU, etc.). It does provide a control dependency 0239 * and thereby orders future stores. See the comment on top. 0240 * 0241 * Return: true if the increment was successful, false otherwise 0242 */ 0243 static inline __must_check bool refcount_inc_not_zero(refcount_t *r) 0244 { 0245 return __refcount_inc_not_zero(r, NULL); 0246 } 0247 0248 static inline void __refcount_inc(refcount_t *r, int *oldp) 0249 { 0250 __refcount_add(1, r, oldp); 0251 } 0252 0253 /** 0254 * refcount_inc - increment a refcount 0255 * @r: the refcount to increment 0256 * 0257 * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WARN. 0258 * 0259 * Provides no memory ordering, it is assumed the caller already has a 0260 * reference on the object. 0261 * 0262 * Will WARN if the refcount is 0, as this represents a possible use-after-free 0263 * condition. 0264 */ 0265 static inline void refcount_inc(refcount_t *r) 0266 { 0267 __refcount_inc(r, NULL); 0268 } 0269 0270 static inline __must_check bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp) 0271 { 0272 int old = atomic_fetch_sub_release(i, &r->refs); 0273 0274 if (oldp) 0275 *oldp = old; 0276 0277 if (old == i) { 0278 smp_acquire__after_ctrl_dep(); 0279 return true; 0280 } 0281 0282 if (unlikely(old < 0 || old - i < 0)) 0283 refcount_warn_saturate(r, REFCOUNT_SUB_UAF); 0284 0285 return false; 0286 } 0287 0288 /** 0289 * refcount_sub_and_test - subtract from a refcount and test if it is 0 0290 * @i: amount to subtract from the refcount 0291 * @r: the refcount 0292 * 0293 * Similar to atomic_dec_and_test(), but it will WARN, return false and 0294 * ultimately leak on underflow and will fail to decrement when saturated 0295 * at REFCOUNT_SATURATED. 0296 * 0297 * Provides release memory ordering, such that prior loads and stores are done 0298 * before, and provides an acquire ordering on success such that free() 0299 * must come after. 0300 * 0301 * Use of this function is not recommended for the normal reference counting 0302 * use case in which references are taken and released one at a time. In these 0303 * cases, refcount_dec(), or one of its variants, should instead be used to 0304 * decrement a reference count. 0305 * 0306 * Return: true if the resulting refcount is 0, false otherwise 0307 */ 0308 static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r) 0309 { 0310 return __refcount_sub_and_test(i, r, NULL); 0311 } 0312 0313 static inline __must_check bool __refcount_dec_and_test(refcount_t *r, int *oldp) 0314 { 0315 return __refcount_sub_and_test(1, r, oldp); 0316 } 0317 0318 /** 0319 * refcount_dec_and_test - decrement a refcount and test if it is 0 0320 * @r: the refcount 0321 * 0322 * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to 0323 * decrement when saturated at REFCOUNT_SATURATED. 0324 * 0325 * Provides release memory ordering, such that prior loads and stores are done 0326 * before, and provides an acquire ordering on success such that free() 0327 * must come after. 0328 * 0329 * Return: true if the resulting refcount is 0, false otherwise 0330 */ 0331 static inline __must_check bool refcount_dec_and_test(refcount_t *r) 0332 { 0333 return __refcount_dec_and_test(r, NULL); 0334 } 0335 0336 static inline void __refcount_dec(refcount_t *r, int *oldp) 0337 { 0338 int old = atomic_fetch_sub_release(1, &r->refs); 0339 0340 if (oldp) 0341 *oldp = old; 0342 0343 if (unlikely(old <= 1)) 0344 refcount_warn_saturate(r, REFCOUNT_DEC_LEAK); 0345 } 0346 0347 /** 0348 * refcount_dec - decrement a refcount 0349 * @r: the refcount 0350 * 0351 * Similar to atomic_dec(), it will WARN on underflow and fail to decrement 0352 * when saturated at REFCOUNT_SATURATED. 0353 * 0354 * Provides release memory ordering, such that prior loads and stores are done 0355 * before. 0356 */ 0357 static inline void refcount_dec(refcount_t *r) 0358 { 0359 __refcount_dec(r, NULL); 0360 } 0361 0362 extern __must_check bool refcount_dec_if_one(refcount_t *r); 0363 extern __must_check bool refcount_dec_not_one(refcount_t *r); 0364 extern __must_check bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock) __cond_acquires(lock); 0365 extern __must_check bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock) __cond_acquires(lock); 0366 extern __must_check bool refcount_dec_and_lock_irqsave(refcount_t *r, 0367 spinlock_t *lock, 0368 unsigned long *flags) __cond_acquires(lock); 0369 #endif /* _LINUX_REFCOUNT_H */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.1.0 LXR engine. The LXR team |
|