From: Reshetova, Elena Date: Tue, 4 Jul 2017 06:34:56 +0000 (+0300) Subject: net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=271201c09c86cd75e0fd6206bde689176e85aa21;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Signed-off-by: David S. Miller --- diff --git a/include/net/addrconf.h b/include/net/addrconf.h index 620bd9a83ba9..6df79e96a780 100644 --- a/include/net/addrconf.h +++ b/include/net/addrconf.h @@ -350,18 +350,18 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp); static inline void in6_ifa_put(struct inet6_ifaddr *ifp) { - if (atomic_dec_and_test(&ifp->refcnt)) + if (refcount_dec_and_test(&ifp->refcnt)) inet6_ifa_finish_destroy(ifp); } static inline void __in6_ifa_put(struct inet6_ifaddr *ifp) { - atomic_dec(&ifp->refcnt); + refcount_dec(&ifp->refcnt); } static inline void in6_ifa_hold(struct inet6_ifaddr *ifp) { - atomic_inc(&ifp->refcnt); + refcount_inc(&ifp->refcnt); } diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h index e7a17b231afc..2b41cb86d62f 100644 --- a/include/net/if_inet6.h +++ b/include/net/if_inet6.h @@ -46,7 +46,7 @@ struct inet6_ifaddr { /* In seconds, relative to tstamp. Expiry is at tstamp + HZ * lft. */ __u32 valid_lft; __u32 prefered_lft; - atomic_t refcnt; + refcount_t refcnt; spinlock_t lock; int state; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 2365f1224c6b..3c46e9513a31 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -1050,7 +1050,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, ifa->idev = idev; /* For caller */ - in6_ifa_hold(ifa); + refcount_set(&ifa->refcnt, 1); /* Add to big hash table */ hash = inet6_addr_hash(addr);