net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Tue, 4 Jul 2017 12:53:31 +0000 (15:53 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2017 21:35:19 +0000 (22:35 +0100)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/net/ax25.h
net/ax25/af_ax25.c

index e3467ba81f6ed980d6fb0746620e372201d01440..c4a0cf6f0810951e63c9e477f21e2af957e9a672 100644 (file)
@@ -244,7 +244,7 @@ typedef struct ax25_cb {
        unsigned char           window;
        struct timer_list       timer, dtimer;
        struct sock             *sk;            /* Backlink to socket */
-       atomic_t                refcount;
+       refcount_t              refcount;
 } ax25_cb;
 
 struct ax25_sock {
@@ -266,11 +266,11 @@ static inline struct ax25_cb *sk_to_ax25(const struct sock *sk)
        hlist_for_each_entry(__ax25, list, ax25_node)
 
 #define ax25_cb_hold(__ax25) \
-       atomic_inc(&((__ax25)->refcount))
+       refcount_inc(&((__ax25)->refcount))
 
 static __inline__ void ax25_cb_put(ax25_cb *ax25)
 {
-       if (atomic_dec_and_test(&ax25->refcount)) {
+       if (refcount_dec_and_test(&ax25->refcount)) {
                kfree(ax25->digipeat);
                kfree(ax25);
        }
index 0c92ba0cbe0be131787d1635aa58c3ce4c2fb1a4..f3f9d18891de8982a17ce389424e620fdf72ba8b 100644 (file)
@@ -510,7 +510,7 @@ ax25_cb *ax25_create_cb(void)
        if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL)
                return NULL;
 
-       atomic_set(&ax25->refcount, 1);
+       refcount_set(&ax25->refcount, 1);
 
        skb_queue_head_init(&ax25->write_queue);
        skb_queue_head_init(&ax25->frag_queue);