Skip to content

Commit

Permalink
ipc: convert sem_undo_list.refcnt from atomic_t to refcount_t
Browse files Browse the repository at this point in the history 
refcount_t type and corresponding API should be used instead of atomic_t
when the variable is used as a reference counter.  This allows to avoid
accidental refcounter overflows that might lead to use-after-free
situations.

Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Elena Reshetova <[email protected]>
Signed-off-by: Hans Liljestrand <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: David Windsor <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Greg Kroah-Hartman <[email protected]>
Cc: "Eric W. Biederman" <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Serge Hallyn <[email protected]>
Cc: <[email protected]>
Cc: Davidlohr Bueso <[email protected]>
Cc: Manfred Spraul <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
@ereshetova @torvalds
ereshetova authored and torvalds committed Sep 9, 2017
1 parent a2e0602 commit f74370b
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions ipc/sem.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ struct sem_undo {
* that may be shared among all a CLONE_SYSVSEM task group.
*/
struct sem_undo_list {
atomic_t refcnt;
refcount_t refcnt;
spinlock_t lock;
struct list_head list_proc;
};
Expand Down Expand Up @@ -1642,7 +1642,7 @@ static inline int get_undo_list(struct sem_undo_list **undo_listp)
if (undo_list == NULL)
return -ENOMEM;
spin_lock_init(&undo_list->lock);
atomic_set(&undo_list->refcnt, 1);
refcount_set(&undo_list->refcnt, 1);
INIT_LIST_HEAD(&undo_list->list_proc);

current->sysvsem.undo_list = undo_list;
Expand Down Expand Up @@ -2041,7 +2041,7 @@ int copy_semundo(unsigned long clone_flags, struct task_struct *tsk)
error = get_undo_list(&undo_list);
if (error)
return error;
atomic_inc(&undo_list->refcnt);
refcount_inc(&undo_list->refcnt);
tsk->sysvsem.undo_list = undo_list;
} else
tsk->sysvsem.undo_list = NULL;
Expand Down Expand Up @@ -2070,7 +2070,7 @@ void exit_sem(struct task_struct *tsk)
return;
tsk->sysvsem.undo_list = NULL;

if (!atomic_dec_and_test(&ulp->refcnt))
if (!refcount_dec_and_test(&ulp->refcnt))
return;

for (;;) {
Expand Down

0 comments on commit f74370b

Please sign in to comment.