Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c5f7c5a9 authored by Elena Reshetova's avatar Elena Reshetova Committed by Boris Ostrovsky
Browse files

drivers, xen: convert grant_map.users from atomic_t to refcount_t 



refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
parent 4495c08e

drivers/xen/gntdev.c

+6 −5
Original line number Diff line number Diff line
@@ -36,6 +36,7 @@ 
#include <linux/spinlock.h>

#include <linux/slab.h>

#include <linux/highmem.h>

#include <linux/refcount.h>



#include <xen/xen.h>

#include <xen/grant_table.h>
@@ -86,7 +87,7 @@ struct grant_map { 
	int index;

	int count;

	int flags;

	atomic_t users;

	refcount_t users;

	struct unmap_notify notify;

	struct ioctl_gntdev_grant_ref *grants;

	struct gnttab_map_grant_ref   *map_ops;
@@ -166,7 +167,7 @@ static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count) 


	add->index = 0;

	add->count = count;

	atomic_set(&add->users, 1);

	refcount_set(&add->users, 1);



	return add;
@@ -212,7 +213,7 @@ static void gntdev_put_map(struct gntdev_priv *priv, struct grant_map *map) 
	if (!map)

		return;



	if (!atomic_dec_and_test(&map->users))

	if (!refcount_dec_and_test(&map->users))

		return;



	atomic_sub(map->count, &pages_mapped);
@@ -400,7 +401,7 @@ static void gntdev_vma_open(struct vm_area_struct *vma) 
	struct grant_map *map = vma->vm_private_data;



	pr_debug("gntdev_vma_open %p\n", vma);

	atomic_inc(&map->users);

	refcount_inc(&map->users);

}



static void gntdev_vma_close(struct vm_area_struct *vma)
@@ -1004,7 +1005,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) 
		goto unlock_out;

	}



	atomic_inc(&map->users);

	refcount_inc(&map->users);



	vma->vm_ops = &gntdev_vmops;