drivers, usb: convert dev_data.count from atomic_t to refcount_t
authorElena Reshetova <elena.reshetova@intel.com>
Mon, 6 Mar 2017 14:21:13 +0000 (16:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Mar 2017 04:32:59 +0000 (13:32 +0900)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/usb/gadget/legacy/inode.c

index a2c916869293720e378ced6b265532846eca52a3..db34b4dee0d9affbb8627c7895b8ea2308f68e3c 100644 (file)
@@ -27,6 +27,7 @@
 #include <linux/mmu_context.h>
 #include <linux/aio.h>
 #include <linux/uio.h>
+#include <linux/refcount.h>
 
 #include <linux/device.h>
 #include <linux/moduleparam.h>
@@ -114,7 +115,7 @@ enum ep0_state {
 
 struct dev_data {
        spinlock_t                      lock;
-       atomic_t                        count;
+       refcount_t                      count;
        enum ep0_state                  state;          /* P: lock */
        struct usb_gadgetfs_event       event [N_EVENT];
        unsigned                        ev_next;
@@ -150,12 +151,12 @@ struct dev_data {
 
 static inline void get_dev (struct dev_data *data)
 {
-       atomic_inc (&data->count);
+       refcount_inc (&data->count);
 }
 
 static void put_dev (struct dev_data *data)
 {
-       if (likely (!atomic_dec_and_test (&data->count)))
+       if (likely (!refcount_dec_and_test (&data->count)))
                return;
        /* needs no more cleanup */
        BUG_ON (waitqueue_active (&data->wait));
@@ -170,7 +171,7 @@ static struct dev_data *dev_new (void)
        if (!dev)
                return NULL;
        dev->state = STATE_DEV_DISABLED;
-       atomic_set (&dev->count, 1);
+       refcount_set (&dev->count, 1);
        spin_lock_init (&dev->lock);
        INIT_LIST_HEAD (&dev->epfiles);
        init_waitqueue_head (&dev->wait);