leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

net, netrom: convert nr_neigh.refcount from atomic_t to refcount_t

Browse Source 
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Reshetova, Elena
2017-07-04 15:53:11 +03:00
committed by David S. Miller
parent 16f73c9649
commit af4207494d
2 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
include/net/netrom.h
View File

@@ -11,6 +11,7 @@
#include <linux/list.h> #include <linux/list.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <net/sock.h> #include <net/sock.h>
#include <linux/refcount.h>
#define NR_NETWORK_LEN 15 #define NR_NETWORK_LEN 15
#define NR_TRANSPORT_LEN 5 #define NR_TRANSPORT_LEN 5
@@ -93,7 +94,7 @@ struct nr_neigh {
unsigned short count; unsigned short count;
unsigned int number; unsigned int number;
unsigned char failed; unsigned char failed;
atomic_t refcount; refcount_t refcount;
}; };
struct nr_route { struct nr_route {
@@ -128,11 +129,11 @@ static __inline__ void nr_node_put(struct nr_node *nr_node)
} }
#define nr_neigh_hold(__nr_neigh) \ #define nr_neigh_hold(__nr_neigh) \
atomic_inc(&((__nr_neigh)->refcount)) refcount_inc(&((__nr_neigh)->refcount))
static __inline__ void nr_neigh_put(struct nr_neigh *nr_neigh) static __inline__ void nr_neigh_put(struct nr_neigh *nr_neigh)
{ {
if (atomic_dec_and_test(&nr_neigh->refcount)) { if (refcount_dec_and_test(&nr_neigh->refcount)) {
if (nr_neigh->ax25) if (nr_neigh->ax25)
ax25_cb_put(nr_neigh->ax25); ax25_cb_put(nr_neigh->ax25);
kfree(nr_neigh->digipeat); kfree(nr_neigh->digipeat);

4
net/netrom/nr_route.c
View File

@@ -149,7 +149,7 @@ static int __must_check nr_add_node(ax25_address *nr, const char *mnemonic,
nr_neigh->count = 0; nr_neigh->count = 0;
nr_neigh->number = nr_neigh_no++; nr_neigh->number = nr_neigh_no++;
nr_neigh->failed = 0; nr_neigh->failed = 0;
atomic_set(&nr_neigh->refcount, 1); refcount_set(&nr_neigh->refcount, 1);
if (ax25_digi != NULL && ax25_digi->ndigi > 0) { if (ax25_digi != NULL && ax25_digi->ndigi > 0) {
nr_neigh->digipeat = kmemdup(ax25_digi, nr_neigh->digipeat = kmemdup(ax25_digi,
@@ -431,7 +431,7 @@ static int __must_check nr_add_neigh(ax25_address *callsign,
nr_neigh->count = 0; nr_neigh->count = 0;
nr_neigh->number = nr_neigh_no++; nr_neigh->number = nr_neigh_no++;
nr_neigh->failed = 0; nr_neigh->failed = 0;
atomic_set(&nr_neigh->refcount, 1); refcount_set(&nr_neigh->refcount, 1);
if (ax25_digi != NULL && ax25_digi->ndigi > 0) { if (ax25_digi != NULL && ax25_digi->ndigi > 0) {
nr_neigh->digipeat = kmemdup(ax25_digi, sizeof(*ax25_digi), nr_neigh->digipeat = kmemdup(ax25_digi, sizeof(*ax25_digi),