Re: [PATCH] sparc64: convert mdesc_handle.refcnt from atomic_t to refcount_t

[Shannon Nelson]

On 10/23/2017 12:10 AM, Reshetova, Elena wrote:
> > On 10/20/2017 12:57 AM, Elena Reshetova wrote:
> > > atomic_t variables are currently used to implement reference
> > > counters with the following properties:
> > >    - counter is initialized to 1 using atomic_set()
> > >    - a resource is freed upon counter reaching zero
> > >    - once counter reaches zero, its further
> > >      increments aren't allowed
> > >    - counter schema uses basic atomic operations
> > >      (set, inc, inc_not_zero, dec_and_test, etc.)
> > >
> > > Such atomic variables should be converted to a newly provided
> > > refcount_t type and API that prevents accidental counter overflows
> > > and underflows. This is important since overflows and underflows
> > > can lead to use-after-free situation and be exploitable.
> > >
> > > The variable mdesc_handle.refcnt is used as pure reference counter.
> > > Convert it to refcount_t and fix up the operations.
> > >
> > > Suggested-by: Kees Cook <keescook@xxxxxxxxxxxx>
> > > Reviewed-by: David Windsor <dwindsor@xxxxxxxxx>
> > > Reviewed-by: Hans Liljestrand <ishkamiel@xxxxxxxxx>
> > > Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
> >
> > Acked-by: Shannon Nelson <shannon.nelson@xxxxxxxxxx>
>
> Thank you Shannon! Would you be able to take this patch into the respective tree
> to propagate normally from there?
>
> Best Regards,
> Elena.

Hi Elena,

Dave Miller takes good care of the sparclinux tree, I'm sure this is on 
his ToDo list already.

sln