drivers: convert vme_user_vma_priv.refcnt from atomic_t to refcount_t
authorElena Reshetova <elena.reshetova@intel.com>
Mon, 6 Mar 2017 14:21:10 +0000 (16:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 13 Mar 2017 22:23:12 +0000 (06:23 +0800)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/vme/devices/vme_user.c

index 69e9a7705afb31025c64a2a2c3340236acd69d1e..a3d4610fbdbe3ff5b9deb109301db5d347bf551a 100644 (file)
@@ -17,7 +17,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <linux/cdev.h>
 #include <linux/delay.h>
 #include <linux/device.h>
@@ -118,7 +118,7 @@ static const int type[VME_DEVS] = { MASTER_MINOR,   MASTER_MINOR,
 
 struct vme_user_vma_priv {
        unsigned int minor;
-       atomic_t refcnt;
+       refcount_t refcnt;
 };
 
 static ssize_t resource_to_user(int minor, char __user *buf, size_t count,
@@ -430,7 +430,7 @@ static void vme_user_vm_open(struct vm_area_struct *vma)
 {
        struct vme_user_vma_priv *vma_priv = vma->vm_private_data;
 
-       atomic_inc(&vma_priv->refcnt);
+       refcount_inc(&vma_priv->refcnt);
 }
 
 static void vme_user_vm_close(struct vm_area_struct *vma)
@@ -438,7 +438,7 @@ static void vme_user_vm_close(struct vm_area_struct *vma)
        struct vme_user_vma_priv *vma_priv = vma->vm_private_data;
        unsigned int minor = vma_priv->minor;
 
-       if (!atomic_dec_and_test(&vma_priv->refcnt))
+       if (!refcount_dec_and_test(&vma_priv->refcnt))
                return;
 
        mutex_lock(&image[minor].mutex);
@@ -473,7 +473,7 @@ static int vme_user_master_mmap(unsigned int minor, struct vm_area_struct *vma)
        }
 
        vma_priv->minor = minor;
-       atomic_set(&vma_priv->refcnt, 1);
+       refcount_set(&vma_priv->refcnt, 1);
        vma->vm_ops = &vme_user_vm_ops;
        vma->vm_private_data = vma_priv;