Commit f74370b8 authored by Elena Reshetova's avatar Elena Reshetova Committed by Linus Torvalds

ipc: convert sem_undo_list.refcnt from atomic_t to refcount_t

The refcount_t type and its corresponding API should be used instead of atomic_t
when the variable is used as a reference counter.  This helps avoid
accidental refcounter overflows that might lead to use-after-free.

Link: default avatarElena Reshetova <>
Signed-off-by: default avatarHans Liljestrand <>
Signed-off-by: Kees Cook's avatarKees Cook <>
Signed-off-by: default avatarDavid Windsor <>
Cc: Peter Zijlstra <>
Cc: Greg Kroah-Hartman <>
Cc: "Eric W. Biederman" <>
Cc: Ingo Molnar <>
Cc: Alexey Dobriyan <>
Cc: Serge Hallyn <>
Cc: <>
Cc: Davidlohr Bueso <>
Cc: Manfred Spraul <>
Signed-off-by: default avatarAndrew Morton <>
Signed-off-by: default avatarLinus Torvalds <>
parent a2e0602c
......@@ -122,7 +122,7 @@ struct sem_undo {
* that may be shared among all a CLONE_SYSVSEM task group.
struct sem_undo_list {
atomic_t refcnt;
refcount_t refcnt;
spinlock_t lock;
struct list_head list_proc;
......@@ -1642,7 +1642,7 @@ static inline int get_undo_list(struct sem_undo_list **undo_listp)
if (undo_list == NULL)
return -ENOMEM;
atomic_set(&undo_list->refcnt, 1);
refcount_set(&undo_list->refcnt, 1);
current->sysvsem.undo_list = undo_list;
......@@ -2041,7 +2041,7 @@ int copy_semundo(unsigned long clone_flags, struct task_struct *tsk)
error = get_undo_list(&undo_list);
if (error)
return error;
tsk->sysvsem.undo_list = undo_list;
} else
tsk->sysvsem.undo_list = NULL;
......@@ -2070,7 +2070,7 @@ void exit_sem(struct task_struct *tsk)
tsk->sysvsem.undo_list = NULL;
if (!atomic_dec_and_test(&ulp->refcnt))
if (!refcount_dec_and_test(&ulp->refcnt))
for (;;) {
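Review bot: The `refcount_dec_and_test(&ulp->refcnt)` check in exit_sem has no comment saying why the teardown that follows is safe once the count reaches zero, and the conversion makes that worth recording because refcount_t documents weaker memory ordering than the fully ordered atomic_dec_and_test() it replaces. I would add above the check something like `/* Last reference: no other task in the CLONE_SYSVSEM group can reach ulp any more, so the release ordering of refcount_dec_and_test() is sufficient here. */`, after confirming that claim against the list walk, of which only the opening `for (;;) {` is visible. The copy_semundo hunk as rendered shows no changed line, so the increment taken when the list is shared could not be checked on this page. exit_sem starts before this hunk and continues past it.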