misc: sgi-gru: Convert from atomic_t to refcount_t on gru_thread_state->ts_refcnt

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Acked-by: Dimitri Sivanich <sivanich@hpe.com>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Link: https://lore.kernel.org/r/1626517043-42696-1-git-send-email-xiyuyang19@fudan.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c
index 40ac59d..9afda47 100644 (file)
--- a/drivers/misc/sgi-gru/grumain.c
+++ b/drivers/misc/sgi-gru/grumain.c
@@ -282,7 +282,7 @@ static void gru_unload_mm_tracker(struct gru_state *gru,
  */
 void gts_drop(struct gru_thread_state *gts)
 {
-       if (gts && atomic_dec_return(&gts->ts_refcnt) == 0) {
+       if (gts && refcount_dec_and_test(&gts->ts_refcnt)) {
                if (gts->ts_gms)
                        gru_drop_mmu_notifier(gts->ts_gms);
                kfree(gts);
@@ -323,7 +323,7 @@ struct gru_thread_state *gru_alloc_gts(struct vm_area_struct *vma,
 
        STAT(gts_alloc);
        memset(gts, 0, sizeof(struct gru_thread_state)); /* zero out header */
-       atomic_set(&gts->ts_refcnt, 1);
+       refcount_set(&gts->ts_refcnt, 1);
        mutex_init(&gts->ts_ctxlock);
        gts->ts_cbr_au_count = cbr_au_count;
        gts->ts_dsr_au_count = dsr_au_count;
@@ -888,7 +888,7 @@ again:
                gts->ts_gru = gru;
                gts->ts_blade = gru->gs_blade_id;
                gts->ts_ctxnum = gru_assign_context_number(gru);
-               atomic_inc(&gts->ts_refcnt);
+               refcount_inc(&gts->ts_refcnt);
                gru->gs_gts[gts->ts_ctxnum] = gts;
                spin_unlock(&gru->gs_lock);
 

diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
index 5ce8f30..e4c067c 100644 (file)
--- a/drivers/misc/sgi-gru/grutables.h
+++ b/drivers/misc/sgi-gru/grutables.h
@@ -129,6 +129,7 @@
  *
  */
 
+#include <linux/refcount.h>
 #include <linux/rmap.h>
 #include <linux/interrupt.h>
 #include <linux/mutex.h>
@@ -358,7 +359,7 @@ struct gru_thread_state {
                                                     enabled */
        int                     ts_ctxnum;      /* context number where the
                                                   context is loaded */
-       atomic_t                ts_refcnt;      /* reference count GTS */
+       refcount_t              ts_refcnt;      /* reference count GTS */
        unsigned char           ts_dsr_au_count;/* Number of DSR resources
                                                   required for contest */
        unsigned char           ts_cbr_au_count;/* Number of CBR resources