net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t
authorReshetova, Elena <elena.reshetova@intel.com>
Tue, 4 Jul 2017 06:34:59 +0000 (09:34 +0300)
committerDavid S. Miller <davem@davemloft.net>
Tue, 4 Jul 2017 08:29:04 +0000 (01:29 -0700)
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/xfrm6_tunnel.c

index d7b731a78d09f3ef7941911c3e35e29f3e8ff2d8..4e438bc7ee87007f9a5709ce61fb781abd069ffb 100644 (file)
@@ -59,7 +59,7 @@ struct xfrm6_tunnel_spi {
        struct hlist_node       list_byspi;
        xfrm_address_t          addr;
        u32                     spi;
-       atomic_t                refcnt;
+       refcount_t              refcnt;
        struct rcu_head         rcu_head;
 };
 
@@ -160,7 +160,7 @@ alloc_spi:
 
        memcpy(&x6spi->addr, saddr, sizeof(x6spi->addr));
        x6spi->spi = spi;
-       atomic_set(&x6spi->refcnt, 1);
+       refcount_set(&x6spi->refcnt, 1);
 
        hlist_add_head_rcu(&x6spi->list_byspi, &xfrm6_tn->spi_byspi[index]);
 
@@ -178,7 +178,7 @@ __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
        spin_lock_bh(&xfrm6_tunnel_spi_lock);
        x6spi = __xfrm6_tunnel_spi_lookup(net, saddr);
        if (x6spi) {
-               atomic_inc(&x6spi->refcnt);
+               refcount_inc(&x6spi->refcnt);
                spi = x6spi->spi;
        } else
                spi = __xfrm6_tunnel_alloc_spi(net, saddr);
@@ -207,7 +207,7 @@ static void xfrm6_tunnel_free_spi(struct net *net, xfrm_address_t *saddr)
                                  list_byaddr)
        {
                if (xfrm6_addr_equal(&x6spi->addr, saddr)) {
-                       if (atomic_dec_and_test(&x6spi->refcnt)) {
+                       if (refcount_dec_and_test(&x6spi->refcnt)) {
                                hlist_del_rcu(&x6spi->list_byaddr);
                                hlist_del_rcu(&x6spi->list_byspi);
                                call_rcu(&x6spi->rcu_head, x6spi_destroy_rcu);