Commit ec9bf373 authored by Weihang Li's avatar Weihang Li Committed by Jason Gunthorpe
Browse files

RDMA/core: Use refcount_t instead of atomic_t on refcount of ib_uverbs_device 

The refcount_t API will WARN on underflow and overflow of a reference
counter, and avoid use-after-free risks.

Link: https://lore.kernel.org/r/1622194663-2383-8-git-send-email-liweihang@huawei.com


Signed-off-by: default avatarWeihang Li <liweihang@huawei.com>
Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
parent a5e27fb6

drivers/infiniband/core/uverbs.h

+1 −1
Original line number Diff line number Diff line
@@ -97,7 +97,7 @@ ib_uverbs_init_udata_buf_or_null(struct ib_udata *udata, 
 */



struct ib_uverbs_device {

	atomic_t				refcount;

	refcount_t				refcount;

	u32					num_comp_vectors;

	struct completion			comp;

	struct device				dev;

drivers/infiniband/core/uverbs_main.c

+6 −6
Original line number Diff line number Diff line
@@ -197,7 +197,7 @@ void ib_uverbs_release_file(struct kref *ref) 
		module_put(ib_dev->ops.owner);

	srcu_read_unlock(&file->device->disassociate_srcu, srcu_key);



	if (atomic_dec_and_test(&file->device->refcount))

	if (refcount_dec_and_test(&file->device->refcount))

		ib_uverbs_comp_dev(file->device);



	if (file->default_async_file)
@@ -891,7 +891,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp) 
	int srcu_key;



	dev = container_of(inode->i_cdev, struct ib_uverbs_device, cdev);

	if (!atomic_inc_not_zero(&dev->refcount))

	if (!refcount_inc_not_zero(&dev->refcount))

		return -ENXIO;



	get_device(&dev->dev);
@@ -955,7 +955,7 @@ static int ib_uverbs_open(struct inode *inode, struct file *filp) 
err:

	mutex_unlock(&dev->lists_mutex);

	srcu_read_unlock(&dev->disassociate_srcu, srcu_key);

	if (atomic_dec_and_test(&dev->refcount))

	if (refcount_dec_and_test(&dev->refcount))

		ib_uverbs_comp_dev(dev);



	put_device(&dev->dev);
@@ -1124,7 +1124,7 @@ static int ib_uverbs_add_one(struct ib_device *device) 
	uverbs_dev->dev.release = ib_uverbs_release_dev;

	uverbs_dev->groups[0] = &dev_attr_group;

	uverbs_dev->dev.groups = uverbs_dev->groups;

	atomic_set(&uverbs_dev->refcount, 1);

	refcount_set(&uverbs_dev->refcount, 1);

	init_completion(&uverbs_dev->comp);

	uverbs_dev->xrcd_tree = RB_ROOT;

	mutex_init(&uverbs_dev->xrcd_tree_mutex);
@@ -1166,7 +1166,7 @@ static int ib_uverbs_add_one(struct ib_device *device) 
err_uapi:

	ida_free(&uverbs_ida, devnum);

err:

	if (atomic_dec_and_test(&uverbs_dev->refcount))

	if (refcount_dec_and_test(&uverbs_dev->refcount))

		ib_uverbs_comp_dev(uverbs_dev);

	wait_for_completion(&uverbs_dev->comp);

	put_device(&uverbs_dev->dev);
@@ -1229,7 +1229,7 @@ static void ib_uverbs_remove_one(struct ib_device *device, void *client_data) 
		wait_clients = 0;

	}



	if (atomic_dec_and_test(&uverbs_dev->refcount))

	if (refcount_dec_and_test(&uverbs_dev->refcount))

		ib_uverbs_comp_dev(uverbs_dev);

	if (wait_clients)

		wait_for_completion(&uverbs_dev->comp);