
drivers, char: convert vma_data.refcnt from atomic_t to refcount_t

The refcount_t type and its corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This helps avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Elena Reshetova and committed by
Greg Kroah-Hartman
f7d88d24 132c93d4

+5 -4
+5 -4
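--- a/drivers/char/mspec.c
+++ b/drivers/char/mspec.c
@@ -43,6 +43,7 @@
 #include <linux/string.h>
 #include <linux/slab.h>
 #include <linux/numa.h>
+#include <linux/refcount.h>
 #include <asm/page.h>
 #include <asm/pgtable.h>
 #include <linux/atomic.h>
@@ -89,7 +90,7 @@
  * protect in fork case where multiple tasks share the vma_data.
  */
 struct vma_data {
-	atomic_t refcnt; /* Number of vmas sharing the data. */
+	refcount_t refcnt; /* Number of vmas sharing the data. */
 	spinlock_t lock; /* Serialize access to this structure. */
 	int count; /* Number of pages allocated. */
 	enum mspec_page_type type; /* Type of pages allocated. */
@@ -144,7 +145,7 @@
 	struct vma_data *vdata;
 
 	vdata = vma->vm_private_data;
-	atomic_inc(&vdata->refcnt);
+	refcount_inc(&vdata->refcnt);
 }
 
 /*
@@ -162,7 +163,7 @@
 
 	vdata = vma->vm_private_data;
 
-	if (!atomic_dec_and_test(&vdata->refcnt))
+	if (!refcount_dec_and_test(&vdata->refcnt))
 		return;
 
 	last_index = (vdata->vm_end - vdata->vm_start) >> PAGE_SHIFT;
@@ -274,7 +275,7 @@
 	vdata->vm_end = vma->vm_end;
 	vdata->type = type;
 	spin_lock_init(&vdata->lock);
-	atomic_set(&vdata->refcnt, 1);
+	refcount_set(&vdata->refcnt, 1);
 	vma->vm_private_data = vdata;
 
 	vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;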
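Review bot: The `refcnt` field comment in `struct vma_data` still describes a plain counter, so it does not tell a reader what the new type does at its limit. refcount_t saturates rather than wrapping, so once saturated the `refcount_dec_and_test()` check in the fourth hunk never reports zero, and whatever teardown follows it is skipped: the vdata is deliberately leaked instead of being released while still referenced. I would record that on the field, for example `refcount_t refcnt; /* Number of vmas sharing the data; saturates, never wraps. */`. Separately, `#include <linux/atomic.h>` remains as context in the first hunk; if `refcnt` was the file's only atomic user it could be dropped, but these hunks do not show that. The struct and the three functions touched all begin or end outside the visible hunks.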