Revert "mm/secretmem: use refcount_t instead of atomic_t"
authorLinus Torvalds <torvalds@linux-foundation.org>
Sun, 24 Oct 2021 19:48:33 +0000 (09:48 -1000)
committerLinus Torvalds <torvalds@linux-foundation.org>
Sun, 24 Oct 2021 19:48:33 +0000 (09:48 -1000)
This reverts commit 110860541f443f950c1274f217a1a3e298670a33.

Converting the "secretmem_users" counter to a refcount is incorrect,
because a refcount is special in zero and can't just be incremented (but
a count of users is not, and "no users" is actually perfectly valid and
not a sign of a free'd resource).

Reported-by: syzbot+75639e6a0331cd61d3e2@syzkaller.appspotmail.com
Cc: Jordy Zomer <jordy@pwning.systems>
Cc: Kees Cook <keescook@chromium.org>,
Cc: Jordy Zomer <jordy@jordyzomer.github.io>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Mike Rapoport <rppt@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
mm/secretmem.c

index 1fea68b..030f02d 100644 (file)
@@ -18,7 +18,6 @@
 #include <linux/secretmem.h>
 #include <linux/set_memory.h>
 #include <linux/sched/signal.h>
-#include <linux/refcount.h>
 
 #include <uapi/linux/magic.h>
 
@@ -41,11 +40,11 @@ module_param_named(enable, secretmem_enable, bool, 0400);
 MODULE_PARM_DESC(secretmem_enable,
                 "Enable secretmem and memfd_secret(2) system call");
 
-static refcount_t secretmem_users;
+static atomic_t secretmem_users;
 
 bool secretmem_active(void)
 {
-       return !!refcount_read(&secretmem_users);
+       return !!atomic_read(&secretmem_users);
 }
 
 static vm_fault_t secretmem_fault(struct vm_fault *vmf)
@@ -104,7 +103,7 @@ static const struct vm_operations_struct secretmem_vm_ops = {
 
 static int secretmem_release(struct inode *inode, struct file *file)
 {
-       refcount_dec(&secretmem_users);
+       atomic_dec(&secretmem_users);
        return 0;
 }
 
@@ -218,7 +217,7 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags)
        file->f_flags |= O_LARGEFILE;
 
        fd_install(fd, file);
-       refcount_inc(&secretmem_users);
+       atomic_inc(&secretmem_users);
        return fd;
 
 err_put_fd: