net, atm: convert atm_dev.refcnt from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Tue, 4 Jul 2017 12:53:01 +0000 (15:53 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2017 21:35:16 +0000 (22:35 +0100)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/atmdev.h
net/atm/proc.c
net/atm/resources.c

index 4d97a89da0660c3d91ce0da6af025e04e8e27601..0ec9bdb1cc9f9bdcad76caae816e7c8518f272f3 100644 (file)
@@ -11,6 +11,7 @@
 #include <linux/uio.h>
 #include <net/sock.h>
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <uapi/linux/atmdev.h>
 
 #ifdef CONFIG_PROC_FS
@@ -158,7 +159,7 @@ struct atm_dev {
        struct k_atm_dev_stats stats;   /* statistics */
        char            signal;         /* signal status (ATM_PHY_SIG_*) */
        int             link_rate;      /* link rate (default: OC3) */
-       atomic_t        refcnt;         /* reference count */
+       refcount_t      refcnt;         /* reference count */
        spinlock_t      lock;           /* protect internal members */
 #ifdef CONFIG_PROC_FS
        struct proc_dir_entry *proc_entry; /* proc entry */
@@ -261,13 +262,13 @@ static inline int atm_may_send(struct atm_vcc *vcc,unsigned int size)
 
 static inline void atm_dev_hold(struct atm_dev *dev)
 {
-       atomic_inc(&dev->refcnt);
+       refcount_inc(&dev->refcnt);
 }
 
 
 static inline void atm_dev_put(struct atm_dev *dev)
 {
-       if (atomic_dec_and_test(&dev->refcnt)) {
+       if (refcount_dec_and_test(&dev->refcnt)) {
                BUG_ON(!test_bit(ATM_DF_REMOVED, &dev->flags));
                if (dev->ops->dev_close)
                        dev->ops->dev_close(dev);
index 27c9c01c537d7b998c32b304d931feca940c2953..4caca2a90ec4a94fe7819f6b9cfe56b22cb20020 100644 (file)
@@ -61,7 +61,7 @@ static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
        add_stats(seq, "0", &dev->stats.aal0);
        seq_puts(seq, "  ");
        add_stats(seq, "5", &dev->stats.aal5);
-       seq_printf(seq, "\t[%d]", atomic_read(&dev->refcnt));
+       seq_printf(seq, "\t[%d]", refcount_read(&dev->refcnt));
        seq_putc(seq, '\n');
 }
 
index 0447d5d0b63983b139bda2853eaa9980640dd32d..918244757b7dd0e62e6dc395b0bc5b54231e0d59 100644 (file)
@@ -109,7 +109,7 @@ struct atm_dev *atm_dev_register(const char *type, struct device *parent,
        else
                memset(&dev->flags, 0, sizeof(dev->flags));
        memset(&dev->stats, 0, sizeof(dev->stats));
-       atomic_set(&dev->refcnt, 1);
+       refcount_set(&dev->refcnt, 1);
 
        if (atm_proc_dev_register(dev) < 0) {
                pr_err("atm_proc_dev_register failed for dev %s\n", type);