net, rds: convert rds_mr.r_refcount from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Tue, 4 Jul 2017 12:53:17 +0000 (15:53 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2017 21:35:17 +0000 (22:35 +0100)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/rds/rdma.c
net/rds/rds.h

index f06fac4886b090f346090ac26dad8e1eaa8da471..8886f15abe90e16005d7e02f3514476c68d2b0db 100644 (file)
@@ -84,7 +84,7 @@ static struct rds_mr *rds_mr_tree_walk(struct rb_root *root, u64 key,
        if (insert) {
                rb_link_node(&insert->r_rb_node, parent, p);
                rb_insert_color(&insert->r_rb_node, root);
-               atomic_inc(&insert->r_refcount);
+               refcount_inc(&insert->r_refcount);
        }
        return NULL;
 }
@@ -99,7 +99,7 @@ static void rds_destroy_mr(struct rds_mr *mr)
        unsigned long flags;
 
        rdsdebug("RDS: destroy mr key is %x refcnt %u\n",
-                       mr->r_key, atomic_read(&mr->r_refcount));
+                       mr->r_key, refcount_read(&mr->r_refcount));
 
        if (test_and_set_bit(RDS_MR_DEAD, &mr->r_state))
                return;
@@ -223,7 +223,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
                goto out;
        }
 
-       atomic_set(&mr->r_refcount, 1);
+       refcount_set(&mr->r_refcount, 1);
        RB_CLEAR_NODE(&mr->r_rb_node);
        mr->r_trans = rs->rs_transport;
        mr->r_sock = rs;
@@ -307,7 +307,7 @@ static int __rds_rdma_map(struct rds_sock *rs, struct rds_get_mr_args *args,
 
        rdsdebug("RDS: get_mr key is %x\n", mr->r_key);
        if (mr_ret) {
-               atomic_inc(&mr->r_refcount);
+               refcount_inc(&mr->r_refcount);
                *mr_ret = mr;
        }
 
@@ -756,7 +756,7 @@ int rds_cmsg_rdma_dest(struct rds_sock *rs, struct rds_message *rm,
        if (!mr)
                err = -EINVAL;  /* invalid r_key */
        else
-               atomic_inc(&mr->r_refcount);
+               refcount_inc(&mr->r_refcount);
        spin_unlock_irqrestore(&rs->rs_rdma_lock, flags);
 
        if (mr) {
index 35ceaa2139c3c3f9fff466b19b3c5195859bb8ed..ea72d6e33c14256266717f983f6171b343c672de 100644 (file)
@@ -277,7 +277,7 @@ struct rds_incoming {
 
 struct rds_mr {
        struct rb_node          r_rb_node;
-       atomic_t                r_refcount;
+       refcount_t              r_refcount;
        u32                     r_key;
 
        /* A copy of the creation flags */
@@ -857,7 +857,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, struct rds_message *rm,
 void __rds_put_mr_final(struct rds_mr *mr);
 static inline void rds_mr_put(struct rds_mr *mr)
 {
-       if (atomic_dec_and_test(&mr->r_refcount))
+       if (refcount_dec_and_test(&mr->r_refcount))
                __rds_put_mr_final(mr);
 }