net: convert in_device.refcnt from atomic_t to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
8851ab5267
commit
7658b36f1b
2 changed files with 7 additions and 6 deletions
|
@ -11,6 +11,7 @@
|
||||||
#include <linux/timer.h>
|
#include <linux/timer.h>
|
||||||
#include <linux/sysctl.h>
|
#include <linux/sysctl.h>
|
||||||
#include <linux/rtnetlink.h>
|
#include <linux/rtnetlink.h>
|
||||||
|
#include <linux/refcount.h>
|
||||||
|
|
||||||
struct ipv4_devconf {
|
struct ipv4_devconf {
|
||||||
void *sysctl;
|
void *sysctl;
|
||||||
|
@ -22,7 +23,7 @@ struct ipv4_devconf {
|
||||||
|
|
||||||
struct in_device {
|
struct in_device {
|
||||||
struct net_device *dev;
|
struct net_device *dev;
|
||||||
atomic_t refcnt;
|
refcount_t refcnt;
|
||||||
int dead;
|
int dead;
|
||||||
struct in_ifaddr *ifa_list; /* IP ifaddr chain */
|
struct in_ifaddr *ifa_list; /* IP ifaddr chain */
|
||||||
|
|
||||||
|
@ -219,7 +220,7 @@ static inline struct in_device *in_dev_get(const struct net_device *dev)
|
||||||
rcu_read_lock();
|
rcu_read_lock();
|
||||||
in_dev = __in_dev_get_rcu(dev);
|
in_dev = __in_dev_get_rcu(dev);
|
||||||
if (in_dev)
|
if (in_dev)
|
||||||
atomic_inc(&in_dev->refcnt);
|
refcount_inc(&in_dev->refcnt);
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
return in_dev;
|
return in_dev;
|
||||||
}
|
}
|
||||||
|
@ -240,12 +241,12 @@ void in_dev_finish_destroy(struct in_device *idev);
|
||||||
|
|
||||||
static inline void in_dev_put(struct in_device *idev)
|
static inline void in_dev_put(struct in_device *idev)
|
||||||
{
|
{
|
||||||
if (atomic_dec_and_test(&idev->refcnt))
|
if (refcount_dec_and_test(&idev->refcnt))
|
||||||
in_dev_finish_destroy(idev);
|
in_dev_finish_destroy(idev);
|
||||||
}
|
}
|
||||||
|
|
||||||
#define __in_dev_put(idev) atomic_dec(&(idev)->refcnt)
|
#define __in_dev_put(idev) refcount_dec(&(idev)->refcnt)
|
||||||
#define in_dev_hold(idev) atomic_inc(&(idev)->refcnt)
|
#define in_dev_hold(idev) refcount_inc(&(idev)->refcnt)
|
||||||
|
|
||||||
#endif /* __KERNEL__ */
|
#endif /* __KERNEL__ */
|
||||||
|
|
||||||
|
|
|
@ -252,7 +252,7 @@ static struct in_device *inetdev_init(struct net_device *dev)
|
||||||
/* Reference in_dev->dev */
|
/* Reference in_dev->dev */
|
||||||
dev_hold(dev);
|
dev_hold(dev);
|
||||||
/* Account for reference dev->ip_ptr (below) */
|
/* Account for reference dev->ip_ptr (below) */
|
||||||
in_dev_hold(in_dev);
|
refcount_set(&in_dev->refcnt, 1);
|
||||||
|
|
||||||
err = devinet_sysctl_register(in_dev);
|
err = devinet_sysctl_register(in_dev);
|
||||||
if (err) {
|
if (err) {
|
||||||
|
|
Loading…
Reference in a new issue