mm/mempolicy: convert from atomic_t to refcount_t on mempolicy->refcnt

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Link: https://lkml.kernel.org/r/1626683671-64407-1-git-send-email-xiyuyang19@fudan.edu.cn
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Acked-by: Ben Widawsky <ben.widawsky@intel.com>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Cc: Feng Tang <feng.tang@intel.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>

diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
index 4ca025e2a77ef3eff185d9d216868ff137970d70..0117e1ec7b1e1c73edb2e9bd91d32c41e11cebb8 100644 (file)
--- a/include/linux/mempolicy.h
+++ b/include/linux/mempolicy.h
@@ -6,6 +6,7 @@
 #ifndef _LINUX_MEMPOLICY_H
 #define _LINUX_MEMPOLICY_H 1
 
+#include <linux/refcount.h>
 #include <linux/sched.h>
 #include <linux/mmzone.h>
 #include <linux/dax.h>
@@ -43,7 +44,7 @@ struct mm_struct;
  * to 1, representing the caller of mpol_dup().
  */
 struct mempolicy {
-       atomic_t refcnt;
+       refcount_t refcnt;
        unsigned short mode;    /* See MPOL_* above */
        unsigned short flags;   /* See set_mempolicy() MPOL_F_* above */
        nodemask_t nodes;       /* interleave/bind/perfer */
@@ -94,7 +95,7 @@ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
 static inline void mpol_get(struct mempolicy *pol)
 {
        if (pol)
-               atomic_inc(&pol->refcnt);
+               refcount_inc(&pol->refcnt);
 }
 
 extern bool __mpol_equal(struct mempolicy *a, struct mempolicy *b);

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index e675bfb856da7e12d122e3f2000505fb7a24c782..1dd82b8172349518b88ead19793d112240c6975c 100644 (file)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -298,7 +298,7 @@ static struct mempolicy *mpol_new(unsigned short mode, unsigned short flags,
        policy = kmem_cache_alloc(policy_cache, GFP_KERNEL);
        if (!policy)
                return ERR_PTR(-ENOMEM);
-       atomic_set(&policy->refcnt, 1);
+       refcount_set(&policy->refcnt, 1);
        policy->mode = mode;
        policy->flags = flags;
 
@@ -308,7 +308,7 @@ static struct mempolicy *mpol_new(unsigned short mode, unsigned short flags,
 /* Slow path of a mpol destructor. */
 void __mpol_put(struct mempolicy *p)
 {
-       if (!atomic_dec_and_test(&p->refcnt))
+       if (!refcount_dec_and_test(&p->refcnt))
                return;
        kmem_cache_free(policy_cache, p);
 }
@@ -2290,7 +2290,7 @@ struct mempolicy *__mpol_dup(struct mempolicy *old)
                nodemask_t mems = cpuset_mems_allowed(current);
                mpol_rebind_policy(new, &mems);
        }
-       atomic_set(&new->refcnt, 1);
+       refcount_set(&new->refcnt, 1);
        return new;
 }
 
@@ -2581,7 +2581,7 @@ restart:
                                        goto alloc_new;
 
                                *mpol_new = *n->policy;
-                               atomic_set(&mpol_new->refcnt, 1);
+                               refcount_set(&mpol_new->refcnt, 1);
                                sp_node_init(n_new, end, n->end, mpol_new);
                                n->end = start;
                                sp_insert(sp, n_new);