提交 6343944b 编写于 作者: R Reshetova, Elena 提交者: David S. Miller

net: convert neigh_params.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: NElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: NHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NDavid Windsor <dwindsor@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 9f237430
...@@ -77,7 +77,7 @@ struct neigh_parms { ...@@ -77,7 +77,7 @@ struct neigh_parms {
void *sysctl_table; void *sysctl_table;
int dead; int dead;
atomic_t refcnt; refcount_t refcnt;
struct rcu_head rcu_head; struct rcu_head rcu_head;
int reachable_time; int reachable_time;
...@@ -396,12 +396,12 @@ void neigh_sysctl_unregister(struct neigh_parms *p); ...@@ -396,12 +396,12 @@ void neigh_sysctl_unregister(struct neigh_parms *p);
static inline void __neigh_parms_put(struct neigh_parms *parms) static inline void __neigh_parms_put(struct neigh_parms *parms)
{ {
atomic_dec(&parms->refcnt); refcount_dec(&parms->refcnt);
} }
static inline struct neigh_parms *neigh_parms_clone(struct neigh_parms *parms) static inline struct neigh_parms *neigh_parms_clone(struct neigh_parms *parms)
{ {
atomic_inc(&parms->refcnt); refcount_inc(&parms->refcnt);
return parms; return parms;
} }
......
...@@ -709,7 +709,7 @@ static void neigh_parms_destroy(struct neigh_parms *parms); ...@@ -709,7 +709,7 @@ static void neigh_parms_destroy(struct neigh_parms *parms);
static inline void neigh_parms_put(struct neigh_parms *parms) static inline void neigh_parms_put(struct neigh_parms *parms)
{ {
if (atomic_dec_and_test(&parms->refcnt)) if (refcount_dec_and_test(&parms->refcnt))
neigh_parms_destroy(parms); neigh_parms_destroy(parms);
} }
...@@ -1479,7 +1479,7 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev, ...@@ -1479,7 +1479,7 @@ struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL); p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL);
if (p) { if (p) {
p->tbl = tbl; p->tbl = tbl;
atomic_set(&p->refcnt, 1); refcount_set(&p->refcnt, 1);
p->reachable_time = p->reachable_time =
neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME)); neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
dev_hold(dev); dev_hold(dev);
...@@ -1542,7 +1542,7 @@ void neigh_table_init(int index, struct neigh_table *tbl) ...@@ -1542,7 +1542,7 @@ void neigh_table_init(int index, struct neigh_table *tbl)
INIT_LIST_HEAD(&tbl->parms_list); INIT_LIST_HEAD(&tbl->parms_list);
list_add(&tbl->parms.list, &tbl->parms_list); list_add(&tbl->parms.list, &tbl->parms_list);
write_pnet(&tbl->parms.net, &init_net); write_pnet(&tbl->parms.net, &init_net);
atomic_set(&tbl->parms.refcnt, 1); refcount_set(&tbl->parms.refcnt, 1);
tbl->parms.reachable_time = tbl->parms.reachable_time =
neigh_rand_reach_time(NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME)); neigh_rand_reach_time(NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME));
...@@ -1796,7 +1796,7 @@ static int neightbl_fill_parms(struct sk_buff *skb, struct neigh_parms *parms) ...@@ -1796,7 +1796,7 @@ static int neightbl_fill_parms(struct sk_buff *skb, struct neigh_parms *parms)
if ((parms->dev && if ((parms->dev &&
nla_put_u32(skb, NDTPA_IFINDEX, parms->dev->ifindex)) || nla_put_u32(skb, NDTPA_IFINDEX, parms->dev->ifindex)) ||
nla_put_u32(skb, NDTPA_REFCNT, atomic_read(&parms->refcnt)) || nla_put_u32(skb, NDTPA_REFCNT, refcount_read(&parms->refcnt)) ||
nla_put_u32(skb, NDTPA_QUEUE_LENBYTES, nla_put_u32(skb, NDTPA_QUEUE_LENBYTES,
NEIGH_VAR(parms, QUEUE_LEN_BYTES)) || NEIGH_VAR(parms, QUEUE_LEN_BYTES)) ||
/* approximative value for deprecated QUEUE_LEN (in packets) */ /* approximative value for deprecated QUEUE_LEN (in packets) */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册