AK: Switch RefCounted to atomic refcounting

bugaevc · awesomekling · commit c80e657dda37 · 2020-06-12T16:08:45.000+02:00
This fixes all sorts of race conditions, primarily in the kernel, where till
now it's been possible to obtain either double free or use-after-free by
exploiting refcounting races.
diff --git a/AK/RefCounted.h b/AK/RefCounted.h
@@ -27,6 +27,7 @@
 #pragma once
 
 #include <AK/Assertions.h>
+#include <AK/Atomic.h>
 #include <AK/Platform.h>
 #include <AK/StdLibExtras.h>
 
@@ -62,8 +63,8 @@ class RefCountedBase {
 
     ALWAYS_INLINE void ref() const
     {
-        ASSERT(m_ref_count);
-        ++m_ref_count;
+        auto old_ref_count = m_ref_count++;
+        ASSERT(old_ref_count > 0);
     }
 
     ALWAYS_INLINE RefCountType ref_count() const
@@ -78,25 +79,26 @@ class RefCountedBase {
         ASSERT(m_ref_count == 0);
     }
 
-    ALWAYS_INLINE void deref_base() const
+    ALWAYS_INLINE RefCountType deref_base() const
     {
-        ASSERT(m_ref_count);
-        --m_ref_count;
+        auto old_ref_count = m_ref_count--;
+        ASSERT(old_ref_count > 0);
+        return old_ref_count - 1;
     }
 
-    mutable RefCountType m_ref_count { 1 };
+    mutable Atomic<RefCountType> m_ref_count { 1 };
 };
 
 template<typename T>
 class RefCounted : public RefCountedBase {
 public:
     void unref() const
     {
-        deref_base();
-        if (m_ref_count == 0) {
+        auto new_ref_count = deref_base();
+        if (new_ref_count == 0) {
             call_will_be_destroyed_if_present(static_cast<const T*>(this));
             delete static_cast<const T*>(this);
-        } else if (m_ref_count == 1) {
+        } else if (new_ref_count == 1) {
             call_one_ref_left_if_present(static_cast<const T*>(this));
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,7 @@`
`27`	`27`	`#pragma once`
`28`	`28`
`29`	`29`	`#include <AK/Assertions.h>`
	`30`	`+#include <AK/Atomic.h>`
`30`	`31`	`#include <AK/Platform.h>`
`31`	`32`	`#include <AK/StdLibExtras.h>`
`32`	`33`
`@@ -62,8 +63,8 @@ class RefCountedBase {`
`62`	`63`
`63`	`64`	`ALWAYS_INLINE void ref() const`
`64`	`65`	`{`
`65`		`- ASSERT(m_ref_count);`
`66`		`- ++m_ref_count;`
	`66`	`+ auto old_ref_count = m_ref_count++;`
	`67`	`+ ASSERT(old_ref_count > 0);`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`ALWAYS_INLINE RefCountType ref_count() const`
`@@ -78,25 +79,26 @@ class RefCountedBase {`
`78`	`79`	`ASSERT(m_ref_count == 0);`
`79`	`80`	`}`
`80`	`81`
`81`		`- ALWAYS_INLINE void deref_base() const`
	`82`	`+ ALWAYS_INLINE RefCountType deref_base() const`
`82`	`83`	`{`
`83`		`- ASSERT(m_ref_count);`
`84`		`- --m_ref_count;`
	`84`	`+ auto old_ref_count = m_ref_count--;`
	`85`	`+ ASSERT(old_ref_count > 0);`
	`86`	`+ return old_ref_count - 1;`
`85`	`87`	`}`
`86`	`88`
`87`		`- mutable RefCountType m_ref_count { 1 };`
	`89`	`+ mutable Atomic<RefCountType> m_ref_count { 1 };`
`88`	`90`	`};`
`89`	`91`
`90`	`92`	`template<typename T>`
`91`	`93`	`class RefCounted : public RefCountedBase {`
`92`	`94`	`public:`
`93`	`95`	`void unref() const`
`94`	`96`	`{`
`95`		`- deref_base();`
`96`		`- if (m_ref_count == 0) {`
	`97`	`+ auto new_ref_count = deref_base();`
	`98`	`+ if (new_ref_count == 0) {`
`97`	`99`	`call_will_be_destroyed_if_present(static_cast<const T*>(this));`
`98`	`100`	`delete static_cast<const T*>(this);`
`99`		`- } else if (m_ref_count == 1) {`
	`101`	`+ } else if (new_ref_count == 1) {`
`100`	`102`	`call_one_ref_left_if_present(static_cast<const T*>(this));`
`101`	`103`	`}`
`102`	`104`	`}`