Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0462d992 authored by Elena Reshetova's avatar Elena Reshetova Committed by Martin Schwidefsky
Browse files

vmur: convert urdev.ref_count from atomic_t to refcount_t 



atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)

Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situation and be exploitable.

The variable urdev.ref_count is used as pure reference counter.
Convert it to refcount_t and fix up the operations.

Suggested-by: default avatarKees Cook <keescook@chromium.org>
Reviewed-by: default avatarDavid Windsor <dwindsor@gmail.com>
Reviewed-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent 3593eb94

drivers/s390/char/vmur.c

+4 −4
Original line number Original line Diff line number Diff line
@@ -110,7 +110,7 @@ static struct urdev *urdev_alloc(struct ccw_device *cdev) 
	mutex_init(&urd->io_mutex);

	mutex_init(&urd->io_mutex);

	init_waitqueue_head(&urd->wait);

	init_waitqueue_head(&urd->wait);

	spin_lock_init(&urd->open_lock);

	spin_lock_init(&urd->open_lock);

	atomic_set(&urd->ref_count,  1);

	refcount_set(&urd->ref_count,  1);

	urd->cdev = cdev;

	urd->cdev = cdev;

	get_device(&cdev->dev);

	get_device(&cdev->dev);

	return urd;

	return urd;
@@ -126,7 +126,7 @@ static void urdev_free(struct urdev *urd) 




static void urdev_get(struct urdev *urd)

static void urdev_get(struct urdev *urd)

{

{

	atomic_inc(&urd->ref_count);

	refcount_inc(&urd->ref_count);

}

}





static struct urdev *urdev_get_from_cdev(struct ccw_device *cdev)

static struct urdev *urdev_get_from_cdev(struct ccw_device *cdev)
@@ -159,7 +159,7 @@ static struct urdev *urdev_get_from_devno(u16 devno) 




static void urdev_put(struct urdev *urd)

static void urdev_put(struct urdev *urd)

{

{

	if (atomic_dec_and_test(&urd->ref_count))

	if (refcount_dec_and_test(&urd->ref_count))

		urdev_free(urd);

		urdev_free(urd);

}

}
@@ -945,7 +945,7 @@ static int ur_set_offline_force(struct ccw_device *cdev, int force) 
		rc = -EBUSY;

		rc = -EBUSY;

		goto fail_urdev_put;

		goto fail_urdev_put;

	}

	}

	if (!force && (atomic_read(&urd->ref_count) > 2)) {

	if (!force && (refcount_read(&urd->ref_count) > 2)) {

		/* There is still a user of urd (e.g. ur_open) */

		/* There is still a user of urd (e.g. ur_open) */

		TRACE("ur_set_offline: BUSY\n");

		TRACE("ur_set_offline: BUSY\n");

		rc = -EBUSY;

		rc = -EBUSY;

drivers/s390/char/vmur.h

+3 −1
Original line number Original line Diff line number Diff line
@@ -11,6 +11,8 @@ 
#ifndef _VMUR_H_

#ifndef _VMUR_H_

#define _VMUR_H_

#define _VMUR_H_





#include <linux/refcount.h>



#define DEV_CLASS_UR_I 0x20 /* diag210 unit record input device class */

#define DEV_CLASS_UR_I 0x20 /* diag210 unit record input device class */

#define DEV_CLASS_UR_O 0x10 /* diag210 unit record output device class */

#define DEV_CLASS_UR_O 0x10 /* diag210 unit record output device class */

/*

/*
@@ -69,7 +71,7 @@ struct urdev { 
	size_t reclen;			/* Record length for *write* CCWs */

	size_t reclen;			/* Record length for *write* CCWs */

	int class;			/* VM device class */

	int class;			/* VM device class */

	int io_request_rc;		/* return code from I/O request */

	int io_request_rc;		/* return code from I/O request */

	atomic_t ref_count;		/* reference counter */

	refcount_t ref_count;		/* reference counter */

	wait_queue_head_t wait;		/* wait queue to serialize open */

	wait_queue_head_t wait;		/* wait queue to serialize open */

	int open_flag;			/* "urdev is open" flag */

	int open_flag;			/* "urdev is open" flag */

	spinlock_t open_lock;		/* serialize critical sections */

	spinlock_t open_lock;		/* serialize critical sections */