diff options
| author | Elena Reshetova <elena.reshetova@intel.com> | 2017-03-06 09:21:16 -0500 |
|---|---|---|
| committer | Boris Ostrovsky <boris.ostrovsky@oracle.com> | 2017-03-13 12:45:18 -0400 |
| commit | c5f7c5a9a0f84c511a8a336491f9b8a3060b6517 (patch) | |
| tree | 8c96894513de6ecef4ca4cd333e1a5840ca94fb7 | |
| parent | 4495c08e84729385774601b5146d51d9e5849f81 (diff) | |
drivers, xen: convert grant_map.users from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
| -rw-r--r-- | drivers/xen/gntdev.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index c77a0751a311..f3bf8f4e2d6c 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c | |||
| @@ -36,6 +36,7 @@ | |||
| 36 | #include <linux/spinlock.h> | 36 | #include <linux/spinlock.h> |
| 37 | #include <linux/slab.h> | 37 | #include <linux/slab.h> |
| 38 | #include <linux/highmem.h> | 38 | #include <linux/highmem.h> |
| 39 | #include <linux/refcount.h> | ||
| 39 | 40 | ||
| 40 | #include <xen/xen.h> | 41 | #include <xen/xen.h> |
| 41 | #include <xen/grant_table.h> | 42 | #include <xen/grant_table.h> |
| @@ -86,7 +87,7 @@ struct grant_map { | |||
| 86 | int index; | 87 | int index; |
| 87 | int count; | 88 | int count; |
| 88 | int flags; | 89 | int flags; |
| 89 | atomic_t users; | 90 | refcount_t users; |
| 90 | struct unmap_notify notify; | 91 | struct unmap_notify notify; |
| 91 | struct ioctl_gntdev_grant_ref *grants; | 92 | struct ioctl_gntdev_grant_ref *grants; |
| 92 | struct gnttab_map_grant_ref *map_ops; | 93 | struct gnttab_map_grant_ref *map_ops; |
| @@ -166,7 +167,7 @@ static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count) | |||
| 166 | 167 | ||
| 167 | add->index = 0; | 168 | add->index = 0; |
| 168 | add->count = count; | 169 | add->count = count; |
| 169 | atomic_set(&add->users, 1); | 170 | refcount_set(&add->users, 1); |
| 170 | 171 | ||
| 171 | return add; | 172 | return add; |
| 172 | 173 | ||
| @@ -212,7 +213,7 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map) | |||
| 212 | if (!map) | 213 | if (!map) |
| 213 | return; | 214 | return; |
| 214 | 215 | ||
| 215 | if (!atomic_dec_and_test(&map->users)) | 216 | if (!refcount_dec_and_test(&map->users)) |
| 216 | return; | 217 | return; |
| 217 | 218 | ||
| 218 | atomic_sub(map->count, &pages_mapped); | 219 | atomic_sub(map->count, &pages_mapped); |
| @@ -400,7 +401,7 @@ static void gntdev_vma_open(struct vm_area_struct *vma) | |||
| 400 | struct grant_map *map = vma->vm_private_data; | 401 | struct grant_map *map = vma->vm_private_data; |
| 401 | 402 | ||
| 402 | pr_debug("gntdev_vma_open %p\n", vma); | 403 | pr_debug("gntdev_vma_open %p\n", vma); |
| 403 | atomic_inc(&map->users); | 404 | refcount_inc(&map->users); |
| 404 | } | 405 | } |
| 405 | 406 | ||
| 406 | static void gntdev_vma_close(struct vm_area_struct *vma) | 407 | static void gntdev_vma_close(struct vm_area_struct *vma) |
| @@ -1004,7 +1005,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) | |||
| 1004 | goto unlock_out; | 1005 | goto unlock_out; |
| 1005 | } | 1006 | } |
| 1006 | 1007 | ||
| 1007 | atomic_inc(&map->users); | 1008 | refcount_inc(&map->users); |
| 1008 | 1009 | ||
| 1009 | vma->vm_ops = &gntdev_vmops; | 1010 | vma->vm_ops = &gntdev_vmops; |
| 1010 | 1011 | ||