[PATCH 23/29] drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t

From: Elena Reshetova
Date: Mon Mar 06 2017 - 09:35:51 EST

Next message: Elena Reshetova: "[PATCH 27/29] drivers, usb: convert ep_data.count from atomic_t to refcount_t"
Previous message: Elena Reshetova: "[PATCH 07/29] drivers, md: convert dm_dev_internal.count from atomic_t to refcount_t"
In reply to: Elena Reshetova: "[PATCH 07/29] drivers, md: convert dm_dev_internal.count from atomic_t to refcount_t"
Next in thread: Elena Reshetova: "[PATCH 27/29] drivers, usb: convert ep_data.count from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>
---
drivers/staging/vme/devices/vme_user.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/vme/devices/vme_user.c b/drivers/staging/vme/devices/vme_user.c
index 69e9a770..a3d4610 100644
--- a/drivers/staging/vme/devices/vme_user.c
+++ b/drivers/staging/vme/devices/vme_user.c
@@ -17,7 +17,7 @@

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

-#include <linux/atomic.h>
+#include <linux/refcount.h>
#include <linux/cdev.h>
#include <linux/delay.h>
#include <linux/device.h>
@@ -118,7 +118,7 @@ static const int type[VME_DEVS] = { MASTER_MINOR, MASTER_MINOR,

struct vme_user_vma_priv {
unsigned int minor;
- atomic_t refcnt;
+ refcount_t refcnt;
};

static ssize_t resource_to_user(int minor, char __user *buf, size_t count,
@@ -430,7 +430,7 @@ static void vme_user_vm_open(struct vm_area_struct *vma)
{
struct vme_user_vma_priv *vma_priv = vma->vm_private_data;

- atomic_inc(&vma_priv->refcnt);
+ refcount_inc(&vma_priv->refcnt);
}

static void vme_user_vm_close(struct vm_area_struct *vma)
@@ -438,7 +438,7 @@ static void vme_user_vm_close(struct vm_area_struct *vma)
struct vme_user_vma_priv *vma_priv = vma->vm_private_data;
unsigned int minor = vma_priv->minor;

- if (!atomic_dec_and_test(&vma_priv->refcnt))
+ if (!refcount_dec_and_test(&vma_priv->refcnt))
return;

mutex_lock(&image[minor].mutex);
@@ -473,7 +473,7 @@ static int vme_user_master_mmap(unsigned int minor, struct vm_area_struct *vma)
}

vma_priv->minor = minor;
- atomic_set(&vma_priv->refcnt, 1);
+ refcount_set(&vma_priv->refcnt, 1);
vma->vm_ops = &vme_user_vm_ops;
vma->vm_private_data = vma_priv;

--
2.7.4

Next message: Elena Reshetova: "[PATCH 27/29] drivers, usb: convert ep_data.count from atomic_t to refcount_t"
Previous message: Elena Reshetova: "[PATCH 07/29] drivers, md: convert dm_dev_internal.count from atomic_t to refcount_t"
In reply to: Elena Reshetova: "[PATCH 07/29] drivers, md: convert dm_dev_internal.count from atomic_t to refcount_t"
Next in thread: Elena Reshetova: "[PATCH 27/29] drivers, usb: convert ep_data.count from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]