/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Variant of atomic_t specialized for reference counts.
 *
 * The interface matches the atomic_t interface (to aid in porting) but only
 * provides the few functions one should use for reference counting.
 *
 * Saturation semantics
 * ====================
 *
 * refcount_t differs from atomic_t in that the counter saturates at
 * REFCOUNT_SATURATED and will not move once there. This avoids wrapping the
 * counter and causing 'spurious' use-after-free issues. In order to avoid the
 * cost associated with introducing cmpxchg() loops into all of the saturating
 * operations, we temporarily allow the counter to take on an unchecked value
 * and then explicitly set it to REFCOUNT_SATURATED on detecting that underflow
 * or overflow has occurred. Although this is racy when multiple threads
 * access the refcount concurrently, by placing REFCOUNT_SATURATED roughly
 * equidistant from 0 and INT_MAX we minimise the scope for error:
 *
 *                                 INT_MAX   REFCOUNT_SATURATED    UINT_MAX
 *   0                          (0x7fff_ffff)    (0xc000_0000)    (0xffff_ffff)
 *   +--------------------------------+----------------+----------------+
 *                                     <---------- bad value! ---------->
 *
 * (in a signed view of the world, the "bad value" range corresponds to
 * a negative counter value).
 *
 * As an example, consider a refcount_inc() operation that causes the counter
 * to overflow:
 *
 *	int old = atomic_fetch_add_relaxed(1, &r->refs);
 *	// old is INT_MAX, refcount now INT_MIN (0x8000_0000)
 *	if (old < 0)
 *		atomic_set(&r->refs, REFCOUNT_SATURATED);
 *
 * If another thread also performs a refcount_inc() operation between the two
 * atomic operations, then the count will continue to edge closer to 0. If it
 * reaches a value of 1 before /any/ of the threads reset it to the saturated
 * value, then a concurrent refcount_dec_and_test() may erroneously free the
 * underlying object.
 *
 * Linux limits the maximum number of tasks to PID_MAX_LIMIT, which is currently
 * 0x400000 (and can't easily be raised in the future beyond FUTEX_TID_MASK).
 * With the current PID limit, if no batched refcounting operations are used and
 * the attacker can't repeatedly trigger kernel oopses in the middle of refcount
 * operations, this makes it impossible for a saturated refcount to leave the
 * saturation range, even if it is possible for multiple uses of the same
 * refcount to nest in the context of a single task:
 *
 *	(UINT_MAX+1-REFCOUNT_SATURATED) / PID_MAX_LIMIT =
 *	0x40000000 / 0x400000 = 0x100 = 256
 *
 * If hundreds of references are added/removed with a single refcounting
 * operation, it may potentially be possible to leave the saturation range; but
 * given the precise timing details involved with the round-robin scheduling of
 * each thread manipulating the refcount and the need to hit the race multiple
 * times in succession, there doesn't appear to be a practical avenue of attack
 * even if using refcount_add() operations with larger increments.
 *
 * Memory ordering
 * ===============
 *
 * Memory ordering rules are slightly relaxed wrt regular atomic_t functions
 * and provide only what is strictly required for refcounts.
 *
 * The increments are fully relaxed; these will not provide ordering. The
 * rationale is that whatever is used to obtain the object we're increasing the
 * reference count on will provide the ordering. For locked data structures,
 * it's the lock acquire; for RCU/lockless data structures it's the dependent
 * load.
 *
 * Do note that inc_not_zero() provides a control dependency which will order
 * future stores against the inc; this ensures we'll never modify the object
 * if we did not in fact acquire a reference.
 *
 * The decrements will provide release order, such that all the prior loads and
 * stores will be issued before; they also provide a control dependency, which
 * will order us against the subsequent free().
 *
 * The control dependency is against the load of the cmpxchg (ll/sc) that
 * succeeded. This means the stores aren't fully ordered, but this is fine
 * because the 1->0 transition indicates no concurrency.
 *
 * Note that the allocator is responsible for ordering things between free()
 * and alloc().
 *
 * The decrements dec_and_test() and sub_and_test() also provide acquire
 * ordering on success.
 *
 * refcount_{add|inc}_not_zero_acquire() and refcount_set_release() provide
 * acquire and release ordering for cases when the memory occupied by the
 * object might be reused to store another object. This is important for the
 * cases where secondary validation is required to detect such reuse, e.g.
 * SLAB_TYPESAFE_BY_RCU. The secondary validation checks have to happen after
 * the refcount is taken, hence acquire order is necessary. Similarly, when the
 * object is initialized, all stores to its attributes should be visible before
 * the refcount is set, otherwise a stale attribute value might be used by
 * another task which succeeds in taking a refcount to the new object.
 */
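
/*
 * Illustrative sketch (hypothetical 'struct foo', 'foo_lock' and 'foo_list'):
 * a lock-based lookup relying on the rules above. The spin_lock() acquire
 * already orders the object's memory, which is why the fully relaxed
 * refcount_inc() needs no ordering of its own:
 *
 *	struct foo {
 *		refcount_t		ref;
 *		struct list_head	node;
 *	};
 *
 *	spin_lock(&foo_lock);
 *	obj = list_first_entry_or_null(&foo_list, struct foo, node);
 *	if (obj)
 *		refcount_inc(&obj->ref);
 *	spin_unlock(&foo_lock);
 *
 * The matching decrement would use refcount_dec_and_test(), whose release and
 * (on success) acquire ordering make all prior accesses to *obj happen before
 * the object is freed.
 */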

#ifndef _LINUX_REFCOUNT_H
#define _LINUX_REFCOUNT_H

#include <linux/atomic.h>
#include <linux/bug.h>
#include <linux/compiler.h>
#include <linux/limits.h>
#include <linux/refcount_types.h>
#include <linux/spinlock_types.h>

struct mutex;

#define REFCOUNT_INIT(n)	{ .refs = ATOMIC_INIT(n), }
#define REFCOUNT_MAX		INT_MAX
#define REFCOUNT_SATURATED	(INT_MIN / 2)

enum refcount_saturation_type {
	REFCOUNT_ADD_NOT_ZERO_OVF,
	REFCOUNT_ADD_OVF,
	REFCOUNT_ADD_UAF,
	REFCOUNT_SUB_UAF,
	REFCOUNT_DEC_LEAK,
};

void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t);

/**
 * refcount_set - set a refcount's value
 * @r: the refcount
 * @n: value to which the refcount will be set
 */
static inline void refcount_set(refcount_t *r, int n)
{
	atomic_set(&r->refs, n);
}

/**
 * refcount_set_release - set a refcount's value with release ordering
 * @r: the refcount
 * @n: value to which the refcount will be set
 *
 * This function should be used when memory occupied by the object might be
 * reused to store another object -- consider SLAB_TYPESAFE_BY_RCU.
 *
 * Provides release memory ordering which will order previous memory operations
 * against this store. This ensures all updates to this object are visible
 * once the refcount is set and stale values from the object previously
 * occupying this memory are overwritten with new ones.
 *
 * This function should be called only after the new object is fully
 * initialized. After this call the object should be considered visible to
 * other tasks even if it was not yet added into an object collection normally
 * used to discover it. This is because other tasks might have discovered the
 * object previously occupying the same memory and, after memory reuse, they
 * can succeed in taking a refcount to the new object and start using it.
 */
static inline void refcount_set_release(refcount_t *r, int n)
{
	atomic_set_release(&r->refs, n);
}
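
/*
 * Illustrative sketch (hypothetical 'struct foo' allocated from a
 * SLAB_TYPESAFE_BY_RCU 'foo_cache'): initialize every attribute first, then
 * publish the object by setting its refcount last with release ordering, so a
 * lockless reader that wins the race against memory reuse never sees stale
 * fields:
 *
 *	obj = kmem_cache_alloc(foo_cache, GFP_KERNEL);
 *	obj->key = key;				// all attribute stores first
 *	INIT_LIST_HEAD(&obj->node);
 *	refcount_set_release(&obj->ref, 1);	// object is now "live"
 */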

/**
 * refcount_read - get a refcount's value
 * @r: the refcount
 *
 * Return: the refcount's value
 */
static inline unsigned int refcount_read(const refcount_t *r)
{
	return atomic_read(&r->refs);
}

static inline __must_check __signed_wrap
bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp)
{
	int old = refcount_read(r);

	do {
		if (!old)
			break;
	} while (!atomic_try_cmpxchg_relaxed(&r->refs, &old, old + i));

	if (oldp)
		*oldp = old;

	if (unlikely(old < 0 || old + i < 0))
		refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF);

	return old;
}

/**
 * refcount_add_not_zero - add a value to a refcount unless it is 0
 * @i: the value to add to the refcount
 * @r: the refcount
 *
 * Will saturate at REFCOUNT_SATURATED and WARN.
 *
 * Provides no memory ordering, it is assumed the caller has guaranteed the
 * object memory to be stable (RCU, etc.). It does provide a control dependency
 * and thereby orders future stores. See the comment on top.
 *
 * Use of this function is not recommended for the normal reference counting
 * use case in which references are taken and released one at a time. In these
 * cases, refcount_inc(), or one of its variants, should instead be used to
 * increment a reference count.
 *
 * Return: false if the passed refcount is 0, true otherwise
 */
static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r)
{
	return __refcount_add_not_zero(i, r, NULL);
}

static inline __must_check __signed_wrap
bool __refcount_add_not_zero_acquire(int i, refcount_t *r, int *oldp)
{
	int old = refcount_read(r);

	do {
		if (!old)
			break;
	} while (!atomic_try_cmpxchg_acquire(&r->refs, &old, old + i));

	if (oldp)
		*oldp = old;

	if (unlikely(old < 0 || old + i < 0))
		refcount_warn_saturate(r, REFCOUNT_ADD_NOT_ZERO_OVF);

	return old;
}

/**
 * refcount_add_not_zero_acquire - add a value to a refcount with acquire ordering unless it is 0
 *
 * @i: the value to add to the refcount
 * @r: the refcount
 *
 * Will saturate at REFCOUNT_SATURATED and WARN.
 *
 * This function should be used when memory occupied by the object might be
 * reused to store another object -- consider SLAB_TYPESAFE_BY_RCU.
 *
 * Provides acquire memory ordering on success, it is assumed the caller has
 * guaranteed the object memory to be stable (RCU, etc.). It does provide a
 * control dependency and thereby orders future stores. See the comment on top.
 *
 * Use of this function is not recommended for the normal reference counting
 * use case in which references are taken and released one at a time. In these
 * cases, refcount_inc_not_zero_acquire() should instead be used to increment a
 * reference count.
 *
 * Return: false if the passed refcount is 0, true otherwise
 */
static inline __must_check bool refcount_add_not_zero_acquire(int i, refcount_t *r)
{
	return __refcount_add_not_zero_acquire(i, r, NULL);
}
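
/*
 * Illustrative sketch of the SLAB_TYPESAFE_BY_RCU lookup pattern these acquire
 * variants exist for. 'foo_hash_lookup()', 'foo_cache' and the 'key' field are
 * hypothetical; refcount_inc_not_zero_acquire() is the one-at-a-time helper
 * defined further down.
 *
 *	rcu_read_lock();
 *	obj = foo_hash_lookup(key);
 *	if (obj && refcount_inc_not_zero_acquire(&obj->ref)) {
 *		// The acquire pairs with the creator's refcount_set_release().
 *		// The slab memory may have been reused for another object, so
 *		// revalidate the identity after taking the reference.
 *		if (obj->key != key) {
 *			if (refcount_dec_and_test(&obj->ref))
 *				kmem_cache_free(foo_cache, obj);
 *			obj = NULL;
 *		}
 *	} else {
 *		obj = NULL;
 *	}
 *	rcu_read_unlock();
 */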

static inline __signed_wrap
void __refcount_add(int i, refcount_t *r, int *oldp)
{
	int old = atomic_fetch_add_relaxed(i, &r->refs);

	if (oldp)
		*oldp = old;

	if (unlikely(!old))
		refcount_warn_saturate(r, REFCOUNT_ADD_UAF);
	else if (unlikely(old < 0 || old + i < 0))
		refcount_warn_saturate(r, REFCOUNT_ADD_OVF);
}

/**
 * refcount_add - add a value to a refcount
 * @i: the value to add to the refcount
 * @r: the refcount
 *
 * Similar to atomic_add(), but will saturate at REFCOUNT_SATURATED and WARN.
 *
 * Provides no memory ordering, it is assumed the caller has guaranteed the
 * object memory to be stable (RCU, etc.). It does provide a control dependency
 * and thereby orders future stores. See the comment on top.
 *
 * Use of this function is not recommended for the normal reference counting
 * use case in which references are taken and released one at a time. In these
 * cases, refcount_inc(), or one of its variants, should instead be used to
 * increment a reference count.
 */
static inline void refcount_add(int i, refcount_t *r)
{
	__refcount_add(i, r, NULL);
}

static inline __must_check bool __refcount_inc_not_zero(refcount_t *r, int *oldp)
{
	return __refcount_add_not_zero(1, r, oldp);
}

/**
 * refcount_inc_not_zero - increment a refcount unless it is 0
 * @r: the refcount to increment
 *
 * Similar to atomic_inc_not_zero(), but will saturate at REFCOUNT_SATURATED
 * and WARN.
 *
 * Provides no memory ordering, it is assumed the caller has guaranteed the
 * object memory to be stable (RCU, etc.). It does provide a control dependency
 * and thereby orders future stores. See the comment on top.
 *
 * Return: true if the increment was successful, false otherwise
 */
static inline __must_check bool refcount_inc_not_zero(refcount_t *r)
{
	return __refcount_inc_not_zero(r, NULL);
}
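
/*
 * Illustrative sketch (hypothetical 'foo_idr'): the classic RCU lookup where
 * the object may be concurrently released, so the reference is only taken if
 * the count is still non-zero. The dependent load provides the ordering that
 * the relaxed increment does not.
 *
 *	rcu_read_lock();
 *	obj = idr_find(&foo_idr, id);
 *	if (obj && !refcount_inc_not_zero(&obj->ref))
 *		obj = NULL;		// already on its way to being freed
 *	rcu_read_unlock();
 */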

static inline __must_check bool __refcount_inc_not_zero_acquire(refcount_t *r, int *oldp)
{
	return __refcount_add_not_zero_acquire(1, r, oldp);
}

/**
 * refcount_inc_not_zero_acquire - increment a refcount with acquire ordering unless it is 0
 * @r: the refcount to increment
 *
 * Similar to refcount_inc_not_zero(), but provides acquire memory ordering on
 * success.
 *
 * This function should be used when memory occupied by the object might be
 * reused to store another object -- consider SLAB_TYPESAFE_BY_RCU.
 *
 * Provides acquire memory ordering on success, it is assumed the caller has
 * guaranteed the object memory to be stable (RCU, etc.). It does provide a
 * control dependency and thereby orders future stores. See the comment on top.
 *
 * Return: true if the increment was successful, false otherwise
 */
static inline __must_check bool refcount_inc_not_zero_acquire(refcount_t *r)
{
	return __refcount_inc_not_zero_acquire(r, NULL);
}

static inline void __refcount_inc(refcount_t *r, int *oldp)
{
	__refcount_add(1, r, oldp);
}

/**
 * refcount_inc - increment a refcount
 * @r: the refcount to increment
 *
 * Similar to atomic_inc(), but will saturate at REFCOUNT_SATURATED and WARN.
 *
 * Provides no memory ordering, it is assumed the caller already has a
 * reference on the object.
 *
 * Will WARN if the refcount is 0, as this represents a possible use-after-free
 * condition.
 */
static inline void refcount_inc(refcount_t *r)
{
	__refcount_inc(r, NULL);
}

static inline __must_check __signed_wrap
bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp)
{
	int old = atomic_fetch_sub_release(i, &r->refs);

	if (oldp)
		*oldp = old;

	if (old > 0 && old == i) {
		smp_acquire__after_ctrl_dep();
		return true;
	}

	if (unlikely(old <= 0 || old - i < 0))
		refcount_warn_saturate(r, REFCOUNT_SUB_UAF);

	return false;
}

/**
 * refcount_sub_and_test - subtract from a refcount and test if it is 0
 * @i: amount to subtract from the refcount
 * @r: the refcount
 *
 * Similar to atomic_dec_and_test(), but it will WARN, return false and
 * ultimately leak on underflow and will fail to decrement when saturated
 * at REFCOUNT_SATURATED.
 *
 * Provides release memory ordering, such that prior loads and stores are done
 * before, and provides an acquire ordering on success such that free()
 * must come after.
 *
 * Use of this function is not recommended for the normal reference counting
 * use case in which references are taken and released one at a time. In these
 * cases, refcount_dec(), or one of its variants, should instead be used to
 * decrement a reference count.
 *
 * Return: true if the resulting refcount is 0, false otherwise
 */
static inline __must_check bool refcount_sub_and_test(int i, refcount_t *r)
{
	return __refcount_sub_and_test(i, r, NULL);
}

static inline __must_check bool __refcount_dec_and_test(refcount_t *r, int *oldp)
{
	return __refcount_sub_and_test(1, r, oldp);
}

/**
 * refcount_dec_and_test - decrement a refcount and test if it is 0
 * @r: the refcount
 *
 * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
 * decrement when saturated at REFCOUNT_SATURATED.
 *
 * Provides release memory ordering, such that prior loads and stores are done
 * before, and provides an acquire ordering on success such that free()
 * must come after.
 *
 * Return: true if the resulting refcount is 0, false otherwise
 */
static inline __must_check bool refcount_dec_and_test(refcount_t *r)
{
	return __refcount_dec_and_test(r, NULL);
}
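
/*
 * Illustrative sketch (hypothetical 'foo_put()' helper): the usual way the
 * last reference triggers destruction. The release and, on success, acquire
 * ordering documented above guarantees that all prior accesses to *obj are
 * complete before the object is freed.
 *
 *	static void foo_put(struct foo *obj)
 *	{
 *		if (refcount_dec_and_test(&obj->ref))
 *			kfree(obj);
 *	}
 */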

static inline void __refcount_dec(refcount_t *r, int *oldp)
{
	int old = atomic_fetch_sub_release(1, &r->refs);

	if (oldp)
		*oldp = old;

	if (unlikely(old <= 1))
		refcount_warn_saturate(r, REFCOUNT_DEC_LEAK);
}

/**
 * refcount_dec - decrement a refcount
 * @r: the refcount
 *
 * Similar to atomic_dec(), it will WARN on underflow and fail to decrement
 * when saturated at REFCOUNT_SATURATED.
 *
 * Provides release memory ordering, such that prior loads and stores are done
 * before.
 */
static inline void refcount_dec(refcount_t *r)
{
	__refcount_dec(r, NULL);
}

extern __must_check bool refcount_dec_if_one(refcount_t *r);
extern __must_check bool refcount_dec_not_one(refcount_t *r);
extern __must_check bool refcount_dec_and_mutex_lock(refcount_t *r, struct mutex *lock) __cond_acquires(lock);
extern __must_check bool refcount_dec_and_lock(refcount_t *r, spinlock_t *lock) __cond_acquires(lock);
extern __must_check bool refcount_dec_and_lock_irqsave(refcount_t *r,
						       spinlock_t *lock,
						       unsigned long *flags) __cond_acquires(lock);
#endif /* _LINUX_REFCOUNT_H */