From: Elena Reshetova
Date: Mon, 6 Mar 2017 14:21:10 +0000 (+0200)
Subject: drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d3cfd5b9c8dc2bd6dff08acb074973a09ba30751;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git
drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations.
Signed-off-by: Elena Reshetova
Signed-off-by: Hans Liljestrand
Signed-off-by: Kees Cook
Signed-off-by: David Windsor
Signed-off-by: Greg Kroah-Hartman
---
diff --git a/drivers/staging/vme/devices/vme_user.c b/drivers/staging/vme/devices/vme_user.c
index 69e9a7705afb..a3d4610fbdbe 100644
--- a/drivers/staging/vme/devices/vme_user.c
+++ b/drivers/staging/vme/devices/vme_user.c
@@ -17,7 +17,7 @@
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
-#include
+#include
 #include
 #include
 #include
@@ -118,7 +118,7 @@ static const int type[VME_DEVS] = { MASTER_MINOR, MASTER_MINOR,
 struct vme_user_vma_priv {
 unsigned int minor;
- atomic_t refcnt;
+ refcount_t refcnt;
 };
 static ssize_t resource_to_user(int minor, char __user *buf, size_t count,
@@ -430,7 +430,7 @@ static void vme_user_vm_open(struct vm_area_struct *vma)
 {
 struct vme_user_vma_priv *vma_priv = vma->vm_private_data;
- atomic_inc(&vma_priv->refcnt);
+ refcount_inc(&vma_priv->refcnt);
 }
 static void vme_user_vm_close(struct vm_area_struct *vma)
@@ -438,7 +438,7 @@ static void vme_user_vm_close(struct vm_area_struct *vma)
 struct vme_user_vma_priv *vma_priv = vma->vm_private_data;
 unsigned int minor = vma_priv->minor;
- if (!atomic_dec_and_test(&vma_priv->refcnt))
+ if (!refcount_dec_and_test(&vma_priv->refcnt))
 return;
 mutex_lock(&image[minor].mutex);
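Review bot: The `refcnt` field in `struct vme_user_vma_priv` carries no comment saying what it counts, and refcount_t enforces stricter lifecycle rules than atomic_t did, so they belong at the declaration. I would add `/* VMAs sharing this private data: set to 1 in vme_user_master_mmap(), taken in vme_user_vm_open(), dropped in vme_user_vm_close() */` above the field. The same point covers the `refcount_inc()` in the vme_user_vm_open hunk: refcount_inc() warns on an increment from zero, which is only correct here if the open callback always runs on a mapping that already holds a reference, as the visible code suggests.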
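Review bot: The early return in vme_user_vm_close now has a case the atomic_t version did not have: once a refcount_t saturates, `refcount_dec_and_test()` never returns true, so everything after the check is skipped for that vma_priv permanently. That is the intended trade (a leak instead of a free while still referenced), but it deserves a comment at the check, for example `/* a saturated refcnt never reaches zero: vma_priv is leaked, not freed */`. The function body continues past `mutex_lock()` outside the hunk, so whether other per-image state is also left untouched in that case needs checking there.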
@@ -473,7 +473,7 @@ static int vme_user_master_mmap(unsigned int minor, struct vm_area_struct *vma)
 }
 vma_priv->minor = minor;
- atomic_set(&vma_priv->refcnt, 1);
+ refcount_set(&vma_priv->refcnt, 1);
 vma->vm_ops = &vme_user_vm_ops;
 vma->vm_private_data = vma_priv;