提交 66af846f 编写于 作者: R Reshetova, Elena 提交者: David S. Miller

net, vxlan: convert vxlan_sock.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: NElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: NHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NDavid Windsor <dwindsor@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 f00c854c
...@@ -1034,11 +1034,11 @@ static bool vxlan_group_used(struct vxlan_net *vn, struct vxlan_dev *dev) ...@@ -1034,11 +1034,11 @@ static bool vxlan_group_used(struct vxlan_net *vn, struct vxlan_dev *dev)
/* The vxlan_sock is only used by dev, leaving group has /* The vxlan_sock is only used by dev, leaving group has
* no effect on other vxlan devices. * no effect on other vxlan devices.
*/ */
if (family == AF_INET && sock4 && atomic_read(&sock4->refcnt) == 1) if (family == AF_INET && sock4 && refcount_read(&sock4->refcnt) == 1)
return false; return false;
#if IS_ENABLED(CONFIG_IPV6) #if IS_ENABLED(CONFIG_IPV6)
sock6 = rtnl_dereference(dev->vn6_sock); sock6 = rtnl_dereference(dev->vn6_sock);
if (family == AF_INET6 && sock6 && atomic_read(&sock6->refcnt) == 1) if (family == AF_INET6 && sock6 && refcount_read(&sock6->refcnt) == 1)
return false; return false;
#endif #endif
...@@ -1075,7 +1075,7 @@ static bool __vxlan_sock_release_prep(struct vxlan_sock *vs) ...@@ -1075,7 +1075,7 @@ static bool __vxlan_sock_release_prep(struct vxlan_sock *vs)
if (!vs) if (!vs)
return false; return false;
if (!atomic_dec_and_test(&vs->refcnt)) if (!refcount_dec_and_test(&vs->refcnt))
return false; return false;
vn = net_generic(sock_net(vs->sock->sk), vxlan_net_id); vn = net_generic(sock_net(vs->sock->sk), vxlan_net_id);
...@@ -2825,7 +2825,7 @@ static struct vxlan_sock *vxlan_socket_create(struct net *net, bool ipv6, ...@@ -2825,7 +2825,7 @@ static struct vxlan_sock *vxlan_socket_create(struct net *net, bool ipv6,
} }
vs->sock = sock; vs->sock = sock;
atomic_set(&vs->refcnt, 1); refcount_set(&vs->refcnt, 1);
vs->flags = (flags & VXLAN_F_RCV_FLAGS); vs->flags = (flags & VXLAN_F_RCV_FLAGS);
spin_lock(&vn->sock_lock); spin_lock(&vn->sock_lock);
...@@ -2860,7 +2860,7 @@ static int __vxlan_sock_add(struct vxlan_dev *vxlan, bool ipv6) ...@@ -2860,7 +2860,7 @@ static int __vxlan_sock_add(struct vxlan_dev *vxlan, bool ipv6)
spin_lock(&vn->sock_lock); spin_lock(&vn->sock_lock);
vs = vxlan_find_sock(vxlan->net, ipv6 ? AF_INET6 : AF_INET, vs = vxlan_find_sock(vxlan->net, ipv6 ? AF_INET6 : AF_INET,
vxlan->cfg.dst_port, vxlan->cfg.flags); vxlan->cfg.dst_port, vxlan->cfg.flags);
if (vs && !atomic_add_unless(&vs->refcnt, 1, 0)) { if (vs && !refcount_inc_not_zero(&vs->refcnt)) {
spin_unlock(&vn->sock_lock); spin_unlock(&vn->sock_lock);
return -EBUSY; return -EBUSY;
} }
......
...@@ -183,7 +183,7 @@ struct vxlan_sock { ...@@ -183,7 +183,7 @@ struct vxlan_sock {
struct hlist_node hlist; struct hlist_node hlist;
struct socket *sock; struct socket *sock;
struct hlist_head vni_list[VNI_HASH_SIZE]; struct hlist_head vni_list[VNI_HASH_SIZE];
atomic_t refcnt; refcount_t refcnt;
u32 flags; u32 flags;
}; };
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册