drivers, usb: convert ep_data.count from atomic_t to refcount_t

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Elena Reshetova and committed by

Greg Kroah-Hartman 9 years ago 8d66db50 b7ddc981

+4 -4

1 changed file

expand all

drivers

usb

gadget

legacy

inode.c

+4 -4

drivers/usb/gadget/legacy/inode.c

··· 191 191 struct ep_data { 192 192 struct mutex lock; 193 193 enum ep_state state; 194 - atomic_t count; 194 + refcount_t count; 195 195 struct dev_data *dev; 196 196 /* must hold dev->lock before accessing ep or req */ 197 197 struct usb_ep *ep; ··· 206 206 207 207 static inline void get_ep (struct ep_data *data) 208 208 { 209 - atomic_inc (&data->count); 209 + refcount_inc (&data->count); 210 210 } 211 211 212 212 static void put_ep (struct ep_data *data) 213 213 { 214 - if (likely (!atomic_dec_and_test (&data->count))) 214 + if (likely (!refcount_dec_and_test (&data->count))) 215 215 return; 216 216 put_dev (data->dev); 217 217 /* needs no more cleanup */ ··· 1562 1562 init_waitqueue_head (&data->wait); 1563 1563 1564 1564 strncpy (data->name, ep->name, sizeof (data->name) - 1); 1565 - atomic_set (&data->count, 1); 1565 + refcount_set (&data->count, 1); 1566 1566 data->dev = dev; 1567 1567 get_dev (dev); 1568 1568