提交 9f237430 编写于 作者: R Reshetova, Elena 提交者: David S. Miller

net: convert neighbour.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: NElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: NHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NDavid Windsor <dwindsor@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 1cc9a98b
...@@ -28,7 +28,7 @@ static inline struct neighbour *__ipv4_neigh_lookup(struct net_device *dev, u32 ...@@ -28,7 +28,7 @@ static inline struct neighbour *__ipv4_neigh_lookup(struct net_device *dev, u32
rcu_read_lock_bh(); rcu_read_lock_bh();
n = __ipv4_neigh_lookup_noref(dev, key); n = __ipv4_neigh_lookup_noref(dev, key);
if (n && !atomic_inc_not_zero(&n->refcnt)) if (n && !refcount_inc_not_zero(&n->refcnt))
n = NULL; n = NULL;
rcu_read_unlock_bh(); rcu_read_unlock_bh();
......
...@@ -384,7 +384,7 @@ static inline struct neighbour *__ipv6_neigh_lookup(struct net_device *dev, cons ...@@ -384,7 +384,7 @@ static inline struct neighbour *__ipv6_neigh_lookup(struct net_device *dev, cons
rcu_read_lock_bh(); rcu_read_lock_bh();
n = __ipv6_neigh_lookup_noref(dev, pkey); n = __ipv6_neigh_lookup_noref(dev, pkey);
if (n && !atomic_inc_not_zero(&n->refcnt)) if (n && !refcount_inc_not_zero(&n->refcnt))
n = NULL; n = NULL;
rcu_read_unlock_bh(); rcu_read_unlock_bh();
......
...@@ -17,6 +17,7 @@ ...@@ -17,6 +17,7 @@
*/ */
#include <linux/atomic.h> #include <linux/atomic.h>
#include <linux/refcount.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/rcupdate.h> #include <linux/rcupdate.h>
...@@ -137,7 +138,7 @@ struct neighbour { ...@@ -137,7 +138,7 @@ struct neighbour {
unsigned long confirmed; unsigned long confirmed;
unsigned long updated; unsigned long updated;
rwlock_t lock; rwlock_t lock;
atomic_t refcnt; refcount_t refcnt;
struct sk_buff_head arp_queue; struct sk_buff_head arp_queue;
unsigned int arp_queue_len_bytes; unsigned int arp_queue_len_bytes;
struct timer_list timer; struct timer_list timer;
...@@ -410,18 +411,18 @@ static inline struct neigh_parms *neigh_parms_clone(struct neigh_parms *parms) ...@@ -410,18 +411,18 @@ static inline struct neigh_parms *neigh_parms_clone(struct neigh_parms *parms)
static inline void neigh_release(struct neighbour *neigh) static inline void neigh_release(struct neighbour *neigh)
{ {
if (atomic_dec_and_test(&neigh->refcnt)) if (refcount_dec_and_test(&neigh->refcnt))
neigh_destroy(neigh); neigh_destroy(neigh);
} }
static inline struct neighbour * neigh_clone(struct neighbour *neigh) static inline struct neighbour * neigh_clone(struct neighbour *neigh)
{ {
if (neigh) if (neigh)
atomic_inc(&neigh->refcnt); refcount_inc(&neigh->refcnt);
return neigh; return neigh;
} }
#define neigh_hold(n) atomic_inc(&(n)->refcnt) #define neigh_hold(n) refcount_inc(&(n)->refcnt)
static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
{ {
......
...@@ -137,11 +137,11 @@ static int neigh_check_cb(struct neighbour *n) ...@@ -137,11 +137,11 @@ static int neigh_check_cb(struct neighbour *n)
if (entry->vccs || time_before(jiffies, entry->expires)) if (entry->vccs || time_before(jiffies, entry->expires))
return 0; return 0;
if (atomic_read(&n->refcnt) > 1) { if (refcount_read(&n->refcnt) > 1) {
struct sk_buff *skb; struct sk_buff *skb;
pr_debug("destruction postponed with ref %d\n", pr_debug("destruction postponed with ref %d\n",
atomic_read(&n->refcnt)); refcount_read(&n->refcnt));
while ((skb = skb_dequeue(&n->arp_queue)) != NULL) while ((skb = skb_dequeue(&n->arp_queue)) != NULL)
dev_kfree_skb(skb); dev_kfree_skb(skb);
...@@ -767,7 +767,7 @@ static void atmarp_info(struct seq_file *seq, struct neighbour *n, ...@@ -767,7 +767,7 @@ static void atmarp_info(struct seq_file *seq, struct neighbour *n,
seq_printf(seq, "(resolving)\n"); seq_printf(seq, "(resolving)\n");
else else
seq_printf(seq, "(expired, ref %d)\n", seq_printf(seq, "(expired, ref %d)\n",
atomic_read(&entry->neigh->refcnt)); refcount_read(&entry->neigh->refcnt));
} else if (!svc) { } else if (!svc) {
seq_printf(seq, "%d.%d.%d\n", seq_printf(seq, "%d.%d.%d\n",
clip_vcc->vcc->dev->number, clip_vcc->vcc->dev->number,
......
...@@ -124,7 +124,7 @@ static bool neigh_del(struct neighbour *n, __u8 state, ...@@ -124,7 +124,7 @@ static bool neigh_del(struct neighbour *n, __u8 state,
bool retval = false; bool retval = false;
write_lock(&n->lock); write_lock(&n->lock);
if (atomic_read(&n->refcnt) == 1 && !(n->nud_state & state)) { if (refcount_read(&n->refcnt) == 1 && !(n->nud_state & state)) {
struct neighbour *neigh; struct neighbour *neigh;
neigh = rcu_dereference_protected(n->next, neigh = rcu_dereference_protected(n->next,
...@@ -254,7 +254,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev) ...@@ -254,7 +254,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
neigh_del_timer(n); neigh_del_timer(n);
n->dead = 1; n->dead = 1;
if (atomic_read(&n->refcnt) != 1) { if (refcount_read(&n->refcnt) != 1) {
/* The most unpleasant situation. /* The most unpleasant situation.
We must destroy neighbour entry, We must destroy neighbour entry,
but someone still uses it. but someone still uses it.
...@@ -335,7 +335,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device ...@@ -335,7 +335,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device
NEIGH_CACHE_STAT_INC(tbl, allocs); NEIGH_CACHE_STAT_INC(tbl, allocs);
n->tbl = tbl; n->tbl = tbl;
atomic_set(&n->refcnt, 1); refcount_set(&n->refcnt, 1);
n->dead = 1; n->dead = 1;
out: out:
return n; return n;
...@@ -444,7 +444,7 @@ struct neighbour *neigh_lookup(struct neigh_table *tbl, const void *pkey, ...@@ -444,7 +444,7 @@ struct neighbour *neigh_lookup(struct neigh_table *tbl, const void *pkey,
rcu_read_lock_bh(); rcu_read_lock_bh();
n = __neigh_lookup_noref(tbl, pkey, dev); n = __neigh_lookup_noref(tbl, pkey, dev);
if (n) { if (n) {
if (!atomic_inc_not_zero(&n->refcnt)) if (!refcount_inc_not_zero(&n->refcnt))
n = NULL; n = NULL;
NEIGH_CACHE_STAT_INC(tbl, hits); NEIGH_CACHE_STAT_INC(tbl, hits);
} }
...@@ -473,7 +473,7 @@ struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net, ...@@ -473,7 +473,7 @@ struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net,
n = rcu_dereference_bh(n->next)) { n = rcu_dereference_bh(n->next)) {
if (!memcmp(n->primary_key, pkey, key_len) && if (!memcmp(n->primary_key, pkey, key_len) &&
net_eq(dev_net(n->dev), net)) { net_eq(dev_net(n->dev), net)) {
if (!atomic_inc_not_zero(&n->refcnt)) if (!refcount_inc_not_zero(&n->refcnt))
n = NULL; n = NULL;
NEIGH_CACHE_STAT_INC(tbl, hits); NEIGH_CACHE_STAT_INC(tbl, hits);
break; break;
...@@ -821,7 +821,7 @@ static void neigh_periodic_work(struct work_struct *work) ...@@ -821,7 +821,7 @@ static void neigh_periodic_work(struct work_struct *work)
if (time_before(n->used, n->confirmed)) if (time_before(n->used, n->confirmed))
n->used = n->confirmed; n->used = n->confirmed;
if (atomic_read(&n->refcnt) == 1 && if (refcount_read(&n->refcnt) == 1 &&
(state == NUD_FAILED || (state == NUD_FAILED ||
time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) { time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
*np = n->next; *np = n->next;
...@@ -2234,7 +2234,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh, ...@@ -2234,7 +2234,7 @@ static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
ci.ndm_used = jiffies_to_clock_t(now - neigh->used); ci.ndm_used = jiffies_to_clock_t(now - neigh->used);
ci.ndm_confirmed = jiffies_to_clock_t(now - neigh->confirmed); ci.ndm_confirmed = jiffies_to_clock_t(now - neigh->confirmed);
ci.ndm_updated = jiffies_to_clock_t(now - neigh->updated); ci.ndm_updated = jiffies_to_clock_t(now - neigh->updated);
ci.ndm_refcnt = atomic_read(&neigh->refcnt) - 1; ci.ndm_refcnt = refcount_read(&neigh->refcnt) - 1;
read_unlock_bh(&neigh->lock); read_unlock_bh(&neigh->lock);
if (nla_put_u32(skb, NDA_PROBES, atomic_read(&neigh->probes)) || if (nla_put_u32(skb, NDA_PROBES, atomic_read(&neigh->probes)) ||
......
...@@ -559,7 +559,7 @@ static inline void dn_neigh_format_entry(struct seq_file *seq, ...@@ -559,7 +559,7 @@ static inline void dn_neigh_format_entry(struct seq_file *seq,
(dn->flags&DN_NDFLAG_R2) ? "2" : "-", (dn->flags&DN_NDFLAG_R2) ? "2" : "-",
(dn->flags&DN_NDFLAG_P3) ? "3" : "-", (dn->flags&DN_NDFLAG_P3) ? "3" : "-",
dn->n.nud_state, dn->n.nud_state,
atomic_read(&dn->n.refcnt), refcount_read(&dn->n.refcnt),
dn->blksize, dn->blksize,
(dn->n.dev) ? dn->n.dev->name : "?"); (dn->n.dev) ? dn->n.dev->name : "?");
read_unlock(&n->lock); read_unlock(&n->lock);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册