refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations.

Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>
---
 drivers/media/v4l2-core/videobuf2-dma-sg.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/media/v4l2-core/videobuf2-dma-sg.c b/drivers/media/v4l2-core/videobuf2-dma-sg.c
index ecff8f4..29fde1a 100644
--- a/drivers/media/v4l2-core/videobuf2-dma-sg.c
+++ b/drivers/media/v4l2-core/videobuf2-dma-sg.c
@@ -12,6 +12,7 @@
 
 #include <linux/module.h>
 #include <linux/mm.h>
+#include <linux/refcount.h>
 #include <linux/scatterlist.h>
 #include <linux/sched.h>
 #include <linux/slab.h>
@@ -46,7 +47,7 @@ struct vb2_dma_sg_buf {
 	struct sg_table *dma_sgt;
 	size_t size;
 	unsigned int num_pages;
-	atomic_t refcount;
+	refcount_t refcount;
 	struct vb2_vmarea_handler handler;
 
 	struct dma_buf_attachment *db_attach;
@@ -150,7 +151,7 @@ static void *vb2_dma_sg_alloc(struct device *dev, unsigned long dma_attrs,
 	buf->handler.put = vb2_dma_sg_put;
 	buf->handler.arg = buf;
 
-	atomic_inc(&buf->refcount);
+	refcount_set(&buf->refcount, 1);
 
 	dprintk(1, "%s: Allocated buffer of %d pages\n",
 		__func__, buf->num_pages);
@@ -176,7 +177,7 @@ static void vb2_dma_sg_put(void *buf_priv)
 	struct sg_table *sgt = &buf->sg_table;
 	int i = buf->num_pages;
 
-	if (atomic_dec_and_test(&buf->refcount)) {
+	if (refcount_dec_and_test(&buf->refcount)) {
 		dprintk(1, "%s: Freeing buffer of %d pages\n",
 			__func__, buf->num_pages);
 		dma_unmap_sg_attrs(buf->dev, sgt->sgl, sgt->orig_nents,
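Review bot: The replacement of `atomic_inc()` with `refcount_set(&buf->refcount, 1)` in vb2_dma_sg_alloc changes the initialisation contract and deserves a comment: refcount_set() is a plain (non-atomic) store that is only valid on an object no other context can reach yet, whereas refcount_inc() from 0 would trip refcount_t's use-after-free warning and refuse the increment. A one-liner above it, `/* initial reference is owned by the vb2 core; dropped in vb2_dma_sg_put() */`, records why set(1) rather than inc is the right call and ties it to the `buf->handler.put = vb2_dma_sg_put` assignment two lines earlier. The function's allocation of buf is outside this hunk, so that it is freshly allocated and unpublished at this point is presumed, not visible here.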
@@ -320,7 +321,7 @@ static unsigned int vb2_dma_sg_num_users(void *buf_priv)
 {
 	struct vb2_dma_sg_buf *buf = buf_priv;
 
-	return atomic_read(&buf->refcount);
+	return refcount_read(&buf->refcount);
 }
 
 static int vb2_dma_sg_mmap(void *buf_priv, struct vm_area_struct *vma)
@@ -530,7 +531,7 @@ static struct dma_buf *vb2_dma_sg_get_dmabuf(void *buf_priv, unsigned long flags
 		return NULL;
 
 	/* dmabuf keeps reference to vb2 buffer */
-	atomic_inc(&buf->refcount);
+	refcount_inc(&buf->refcount);
 
 	return dbuf;
 }
-- 
2.7.4
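Review bot: In vb2_dma_sg_get_dmabuf the new `refcount_inc()` will WARN and leave the counter untouched if it is already 0, so the call depends on the caller already holding a live reference on buf; the existing comment should say so, e.g. `/* dmabuf keeps reference to vb2 buffer; caller must already hold one (refcount_inc() rejects 0 -> 1) */`. The `return NULL` just above is taken before the increment, so the export-failure path does not leak a reference, which is correct. The dma_buf release callback that must drop this reference via vb2_dma_sg_put is outside this hunk, so the pairing cannot be confirmed from here.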