projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 8851ab5)
net: convert in_device.refcnt from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Fri, 30 Jun 2017 10:08:03 +0000 (13:08 +0300)
committerDavid S. Miller <davem@davemloft.net>
Sat, 1 Jul 2017 14:39:08 +0000 (07:39 -0700)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/inetdevice.h patch | blob | blame | history
net/ipv4/devinet.c patch | blob | blame | history

diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index e7c04c4e4bcd3e538b365b138a848df9ed96ede6..fb3f809e34e4796b406bf4da2323a940d28517fb 100644 (file)
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -11,6 +11,7 @@
 #include <linux/timer.h>
 #include <linux/sysctl.h>
 #include <linux/rtnetlink.h>
+#include <linux/refcount.h>
 
 struct ipv4_devconf {
        void    *sysctl;
@@ -22,7 +23,7 @@ struct ipv4_devconf {
 
 struct in_device {
        struct net_device       *dev;
-       atomic_t                refcnt;
+       refcount_t              refcnt;
        int                     dead;
        struct in_ifaddr        *ifa_list;      /* IP ifaddr chain              */
 
@@ -219,7 +220,7 @@ static inline struct in_device *in_dev_get(const struct net_device *dev)
        rcu_read_lock();
        in_dev = __in_dev_get_rcu(dev);
        if (in_dev)
-               atomic_inc(&in_dev->refcnt);
+               refcount_inc(&in_dev->refcnt);
        rcu_read_unlock();
        return in_dev;
 }
@@ -240,12 +241,12 @@ void in_dev_finish_destroy(struct in_device *idev);
 
 static inline void in_dev_put(struct in_device *idev)
 {
-       if (atomic_dec_and_test(&idev->refcnt))
+       if (refcount_dec_and_test(&idev->refcnt))
                in_dev_finish_destroy(idev);
 }
 
-#define __in_dev_put(idev)  atomic_dec(&(idev)->refcnt)
-#define in_dev_hold(idev)   atomic_inc(&(idev)->refcnt)
+#define __in_dev_put(idev)  refcount_dec(&(idev)->refcnt)
+#define in_dev_hold(idev)   refcount_inc(&(idev)->refcnt)
 
 #endif /* __KERNEL__ */
 
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index a7dd088d5fc96da259813cae48c374527c9e251e..38d9af9b917c08685deb3288baab84189ec9c9a0 100644 (file)
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -252,7 +252,7 @@ static struct in_device *inetdev_init(struct net_device *dev)
        /* Reference in_dev->dev */
        dev_hold(dev);
        /* Account for reference dev->ip_ptr (below) */
-       in_dev_hold(in_dev);
+       refcount_set(&in_dev->refcnt, 1);
 
        err = devinet_sysctl_register(in_dev);
        if (err) {