refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/misc/sgi-gru/grumain.c | 6 +++---
drivers/misc/sgi-gru/grutables.h | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
index 40ac59dd018c..9afda47efbf2 100644
--- a/drivers/misc/sgi-gru/grumain.c
+++ b/drivers/misc/sgi-gru/grumain.c
@@ -282,7 +282,7 @@ static void gru_unload_mm_tracker(struct gru_state *gru,
*/
void gts_drop(struct gru_thread_state *gts)
{
- if (gts && atomic_dec_return(>s->ts_refcnt) == 0) {
+ if (gts && refcount_dec_and_test(>s->ts_refcnt)) {
if (gts->ts_gms)
gru_drop_mmu_notifier(gts->ts_gms);
kfree(gts);
@@ -323,7 +323,7 @@ struct gru_thread_state *gru_alloc_gts(struct vm_area_struct *vma,
STAT(gts_alloc);
memset(gts, 0, sizeof(struct gru_thread_state)); /* zero out header */
- atomic_set(>s->ts_refcnt, 1);
+ refcount_set(>s->ts_refcnt, 1);
mutex_init(>s->ts_ctxlock);
gts->ts_cbr_au_count = cbr_au_count;
gts->ts_dsr_au_count = dsr_au_count;
@@ -888,7 +888,7 @@ struct gru_state *gru_assign_gru_context(struct gru_thread_state *gts)
gts->ts_gru = gru;
gts->ts_blade = gru->gs_blade_id;
gts->ts_ctxnum = gru_assign_context_number(gru);
- atomic_inc(>s->ts_refcnt);
+ refcount_inc(>s->ts_refcnt);
gru->gs_gts[gts->ts_ctxnum] = gts;
spin_unlock(&gru->gs_lock);
diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
index 5ce8f3081e96..e4c067c61251 100644
--- a/drivers/misc/sgi-gru/grutables.h
+++ b/drivers/misc/sgi-gru/grutables.h
@@ -129,6 +129,7 @@
*
*/
+#include <linux/refcount.h>
#include <linux/rmap.h>
#include <linux/interrupt.h>
#include <linux/mutex.h>
@@ -358,7 +359,7 @@ struct gru_thread_state {
enabled */
int ts_ctxnum; /* context number where the
context is loaded */
- atomic_t ts_refcnt; /* reference count GTS */
+ refcount_t ts_refcnt; /* reference count GTS */
unsigned char ts_dsr_au_count;/* Number of DSR resources
required for contest */
unsigned char ts_cbr_au_count;/* Number of CBR resources
--
2.7.4
Acked-by: Dimitri Sivanich <[email protected]>
On Sat, Jul 17, 2021 at 06:17:22PM +0800, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> drivers/misc/sgi-gru/grumain.c | 6 +++---
> drivers/misc/sgi-gru/grutables.h | 3 ++-
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
> index 40ac59dd018c..9afda47efbf2 100644
> --- a/drivers/misc/sgi-gru/grumain.c
> +++ b/drivers/misc/sgi-gru/grumain.c
> @@ -282,7 +282,7 @@ static void gru_unload_mm_tracker(struct gru_state *gru,
> */
> void gts_drop(struct gru_thread_state *gts)
> {
> - if (gts && atomic_dec_return(>s->ts_refcnt) == 0) {
> + if (gts && refcount_dec_and_test(>s->ts_refcnt)) {
> if (gts->ts_gms)
> gru_drop_mmu_notifier(gts->ts_gms);
> kfree(gts);
> @@ -323,7 +323,7 @@ struct gru_thread_state *gru_alloc_gts(struct vm_area_struct *vma,
>
> STAT(gts_alloc);
> memset(gts, 0, sizeof(struct gru_thread_state)); /* zero out header */
> - atomic_set(>s->ts_refcnt, 1);
> + refcount_set(>s->ts_refcnt, 1);
> mutex_init(>s->ts_ctxlock);
> gts->ts_cbr_au_count = cbr_au_count;
> gts->ts_dsr_au_count = dsr_au_count;
> @@ -888,7 +888,7 @@ struct gru_state *gru_assign_gru_context(struct gru_thread_state *gts)
> gts->ts_gru = gru;
> gts->ts_blade = gru->gs_blade_id;
> gts->ts_ctxnum = gru_assign_context_number(gru);
> - atomic_inc(>s->ts_refcnt);
> + refcount_inc(>s->ts_refcnt);
> gru->gs_gts[gts->ts_ctxnum] = gts;
> spin_unlock(&gru->gs_lock);
>
> diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
> index 5ce8f3081e96..e4c067c61251 100644
> --- a/drivers/misc/sgi-gru/grutables.h
> +++ b/drivers/misc/sgi-gru/grutables.h
> @@ -129,6 +129,7 @@
> *
> */
>
> +#include <linux/refcount.h>
> #include <linux/rmap.h>
> #include <linux/interrupt.h>
> #include <linux/mutex.h>
> @@ -358,7 +359,7 @@ struct gru_thread_state {
> enabled */
> int ts_ctxnum; /* context number where the
> context is loaded */
> - atomic_t ts_refcnt; /* reference count GTS */
> + refcount_t ts_refcnt; /* reference count GTS */
> unsigned char ts_dsr_au_count;/* Number of DSR resources
> required for contest */
> unsigned char ts_cbr_au_count;/* Number of CBR resources
> --
> 2.7.4
On Sat, Jul 17, 2021 at 06:17:22PM +0800, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> drivers/misc/sgi-gru/grumain.c | 6 +++---
> drivers/misc/sgi-gru/grutables.h | 3 ++-
> 2 files changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
> index 40ac59dd018c..9afda47efbf2 100644
> --- a/drivers/misc/sgi-gru/grumain.c
> +++ b/drivers/misc/sgi-gru/grumain.c
> @@ -282,7 +282,7 @@ static void gru_unload_mm_tracker(struct gru_state *gru,
> */
> void gts_drop(struct gru_thread_state *gts)
> {
> - if (gts && atomic_dec_return(>s->ts_refcnt) == 0) {
> + if (gts && refcount_dec_and_test(>s->ts_refcnt)) {
> if (gts->ts_gms)
> gru_drop_mmu_notifier(gts->ts_gms);
> kfree(gts);
Related to this, shouldn't this really be a 'struct kref' instead of
hand-creating the exact same logic?
Want to make that change on top of this one?
thanks,
greg k-h