drivers, xen: convert grant_map.users from atomic_t to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
This commit is contained in:
parent
4495c08e84
commit
c5f7c5a9a0
1 changed files with 6 additions and 5 deletions
|
@ -36,6 +36,7 @@
|
|||
#include <linux/spinlock.h>
|
||||
#include <linux/slab.h>
|
||||
#include <linux/highmem.h>
|
||||
#include <linux/refcount.h>
|
||||
|
||||
#include <xen/xen.h>
|
||||
#include <xen/grant_table.h>
|
||||
|
@ -86,7 +87,7 @@ struct grant_map {
|
|||
int index;
|
||||
int count;
|
||||
int flags;
|
||||
atomic_t users;
|
||||
refcount_t users;
|
||||
struct unmap_notify notify;
|
||||
struct ioctl_gntdev_grant_ref *grants;
|
||||
struct gnttab_map_grant_ref *map_ops;
|
||||
|
@ -166,7 +167,7 @@ static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count)
|
|||
|
||||
add->index = 0;
|
||||
add->count = count;
|
||||
atomic_set(&add->users, 1);
|
||||
refcount_set(&add->users, 1);
|
||||
|
||||
return add;
|
||||
|
||||
|
@ -212,7 +213,7 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map)
|
|||
if (!map)
|
||||
return;
|
||||
|
||||
if (!atomic_dec_and_test(&map->users))
|
||||
if (!refcount_dec_and_test(&map->users))
|
||||
return;
|
||||
|
||||
atomic_sub(map->count, &pages_mapped);
|
||||
|
@ -400,7 +401,7 @@ static void gntdev_vma_open(struct vm_area_struct *vma)
|
|||
struct grant_map *map = vma->vm_private_data;
|
||||
|
||||
pr_debug("gntdev_vma_open %p\n", vma);
|
||||
atomic_inc(&map->users);
|
||||
refcount_inc(&map->users);
|
||||
}
|
||||
|
||||
static void gntdev_vma_close(struct vm_area_struct *vma)
|
||||
|
@ -1004,7 +1005,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma)
|
|||
goto unlock_out;
|
||||
}
|
||||
|
||||
atomic_inc(&map->users);
|
||||
refcount_inc(&map->users);
|
||||
|
||||
vma->vm_ops = &gntdev_vmops;
|
||||
|
||||
|
|
Loading…
Reference in a new issue