Commit f7d88d24 authored by Elena Reshetova's avatar Elena Reshetova Committed by Greg Kroah-Hartman

drivers, char: convert vma_data.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 132c93d4
...@@ -43,6 +43,7 @@ ...@@ -43,6 +43,7 @@
#include <linux/string.h> #include <linux/string.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/numa.h> #include <linux/numa.h>
#include <linux/refcount.h>
#include <asm/page.h> #include <asm/page.h>
#include <asm/pgtable.h> #include <asm/pgtable.h>
#include <linux/atomic.h> #include <linux/atomic.h>
...@@ -89,7 +90,7 @@ static int is_sn2; ...@@ -89,7 +90,7 @@ static int is_sn2;
* protect in fork case where multiple tasks share the vma_data. * protect in fork case where multiple tasks share the vma_data.
*/ */
struct vma_data { struct vma_data {
atomic_t refcnt; /* Number of vmas sharing the data. */ refcount_t refcnt; /* Number of vmas sharing the data. */
spinlock_t lock; /* Serialize access to this structure. */ spinlock_t lock; /* Serialize access to this structure. */
int count; /* Number of pages allocated. */ int count; /* Number of pages allocated. */
enum mspec_page_type type; /* Type of pages allocated. */ enum mspec_page_type type; /* Type of pages allocated. */
...@@ -144,7 +145,7 @@ mspec_open(struct vm_area_struct *vma) ...@@ -144,7 +145,7 @@ mspec_open(struct vm_area_struct *vma)
struct vma_data *vdata; struct vma_data *vdata;
vdata = vma->vm_private_data; vdata = vma->vm_private_data;
atomic_inc(&vdata->refcnt); refcount_inc(&vdata->refcnt);
} }
/* /*
...@@ -162,7 +163,7 @@ mspec_close(struct vm_area_struct *vma) ...@@ -162,7 +163,7 @@ mspec_close(struct vm_area_struct *vma)
vdata = vma->vm_private_data; vdata = vma->vm_private_data;
if (!atomic_dec_and_test(&vdata->refcnt)) if (!refcount_dec_and_test(&vdata->refcnt))
return; return;
last_index = (vdata->vm_end - vdata->vm_start) >> PAGE_SHIFT; last_index = (vdata->vm_end - vdata->vm_start) >> PAGE_SHIFT;
...@@ -274,7 +275,7 @@ mspec_mmap(struct file *file, struct vm_area_struct *vma, ...@@ -274,7 +275,7 @@ mspec_mmap(struct file *file, struct vm_area_struct *vma,
vdata->vm_end = vma->vm_end; vdata->vm_end = vma->vm_end;
vdata->type = type; vdata->type = type;
spin_lock_init(&vdata->lock); spin_lock_init(&vdata->lock);
atomic_set(&vdata->refcnt, 1); refcount_set(&vdata->refcnt, 1);
vma->vm_private_data = vdata; vma->vm_private_data = vdata;
vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP; vma->vm_flags |= VM_IO | VM_PFNMAP | VM_DONTEXPAND | VM_DONTDUMP;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment