diff options
author | Elena Reshetova <elena.reshetova@intel.com> | 2017-03-06 17:20:50 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-03-23 15:57:19 +0300 |
commit | f7d88d24c5a2b66b02770e2776fce72b5fd70193 (patch) | |
tree | 97b3f2f75da7998195f1344a2438fc3079ca57a5 /drivers/char/mspec.c | |
parent | 132c93d4215c5ea12f8bb291249ede159d507b6e (diff) | |
download | linux-f7d88d24c5a2b66b02770e2776fce72b5fd70193.tar.xz |
drivers, char: convert vma_data.refcnt from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/char/mspec.c')
-rw-r--r-- | drivers/char/mspec.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/drivers/char/mspec.c b/drivers/char/mspec.c index a9c2fa3c81e5..7b75669d3670 100644 --- a/drivers/char/mspec.c +++ b/drivers/char/mspec.c @@ -43,6 +43,7 @@ #include <linux/string.h> #include <linux/slab.h> #include <linux/numa.h> +#include <linux/refcount.h> #include <asm/page.h> #include <asm/pgtable.h> #include <linux/atomic.h> @@ -89,7 +90,7 @@ static int is_sn2; * protect in fork case where multiple tasks share the vma_data. */ struct vma_data { - atomic_t refcnt; /* Number of vmas sharing the data. */ + refcount_t refcnt; /* Number of vmas sharing the data. */ spinlock_t lock; /* Serialize access to this structure. */ int count; /* Number of pages allocated. */ enum mspec_page_type type; /* Type of pages allocated. */ @@ -144,7 +145,7 @@ mspec_open(struct vm_area_struct *vma) struct vma_data *vdata; vdata = vma->vm_private_data; - atomic_inc(&vdata->refcnt); + refcount_inc(&vdata->refcnt); } /* @@ -162,7 +163,7 @@ mspec_close(struct vm_area_struct *vma) vdata = vma->vm_private_data; - if (!atomic_dec_and_test(&vdata->refcnt)) + if (!refcount_dec_and_test(&vdata->refcnt)) return; last_index = (vdata->vm_end - vdata->vm_start) >> PAGE_SHIFT; @@ -274,7 +275,7 @@ mspec_mmap(struct file *file, struct vm_area_struct *vma, vdata->vm_end = vma->vm_end; vdata->type = type; spin_lock_init(&vdata->lock); - atomic_set(&vdata->refcnt, 1); + refcount_set(&vdata->refcnt, 1); vma->vm_private_data = vdata; vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; |