From d3cfd5b9c8dc2bd6dff08acb074973a09ba30751 Mon Sep 17 00:00:00 2001 From: Elena Reshetova Date: Mon, 6 Mar 2017 16:21:10 +0200 Subject: [PATCH] drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Signed-off-by: Greg Kroah-Hartman --- drivers/staging/vme/devices/vme_user.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/staging/vme/devices/vme_user.c b/drivers/staging/vme/devices/vme_user.c index 69e9a7705afb..a3d4610fbdbe 100644 --- a/drivers/staging/vme/devices/vme_user.c +++ b/drivers/staging/vme/devices/vme_user.c @@ -17,7 +17,7 @@ #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt -#include +#include #include #include #include @@ -118,7 +118,7 @@ static const int type[VME_DEVS] = { MASTER_MINOR, MASTER_MINOR, struct vme_user_vma_priv { unsigned int minor; - atomic_t refcnt; + refcount_t refcnt; }; static ssize_t resource_to_user(int minor, char __user *buf, size_t count, @@ -430,7 +430,7 @@ static void vme_user_vm_open(struct vm_area_struct *vma) { struct vme_user_vma_priv *vma_priv = vma->vm_private_data; - atomic_inc(&vma_priv->refcnt); + refcount_inc(&vma_priv->refcnt); } static void vme_user_vm_close(struct vm_area_struct *vma) @@ -438,7 +438,7 @@ static void vme_user_vm_close(struct vm_area_struct *vma) struct vme_user_vma_priv *vma_priv = vma->vm_private_data; unsigned int minor = vma_priv->minor; - if (!atomic_dec_and_test(&vma_priv->refcnt)) + if (!refcount_dec_and_test(&vma_priv->refcnt)) return; mutex_lock(&image[minor].mutex); @@ -473,7 +473,7 @@ static int vme_user_master_mmap(unsigned int minor, struct vm_area_struct *vma) } vma_priv->minor = minor; - atomic_set(&vma_priv->refcnt, 1); + refcount_set(&vma_priv->refcnt, 1); vma->vm_ops = &vme_user_vm_ops; vma->vm_private_data = vma_priv; -- 2.20.1