net, ipv6: convert ifmcaddr6.mca_refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Reshetova, Elena 2017-07-04 09:34:57 +03:00 committed by David S. Miller
parent 271201c09c
commit d3981bc615
2 changed files with 10 additions and 10 deletions

View File

@ -127,7 +127,7 @@ struct ifmcaddr6 {
struct timer_list mca_timer; struct timer_list mca_timer;
unsigned int mca_flags; unsigned int mca_flags;
int mca_users; int mca_users;
atomic_t mca_refcnt; refcount_t mca_refcnt;
spinlock_t mca_lock; spinlock_t mca_lock;
unsigned long mca_cstamp; unsigned long mca_cstamp;
unsigned long mca_tstamp; unsigned long mca_tstamp;

View File

@ -701,7 +701,7 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
spin_lock_bh(&mc->mca_lock); spin_lock_bh(&mc->mca_lock);
if (del_timer(&mc->mca_timer)) if (del_timer(&mc->mca_timer))
atomic_dec(&mc->mca_refcnt); refcount_dec(&mc->mca_refcnt);
spin_unlock_bh(&mc->mca_lock); spin_unlock_bh(&mc->mca_lock);
} }
@ -819,12 +819,12 @@ static void mld_clear_delrec(struct inet6_dev *idev)
static void mca_get(struct ifmcaddr6 *mc) static void mca_get(struct ifmcaddr6 *mc)
{ {
atomic_inc(&mc->mca_refcnt); refcount_inc(&mc->mca_refcnt);
} }
static void ma_put(struct ifmcaddr6 *mc) static void ma_put(struct ifmcaddr6 *mc)
{ {
if (atomic_dec_and_test(&mc->mca_refcnt)) { if (refcount_dec_and_test(&mc->mca_refcnt)) {
in6_dev_put(mc->idev); in6_dev_put(mc->idev);
kfree(mc); kfree(mc);
} }
@ -846,7 +846,7 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
mc->mca_users = 1; mc->mca_users = 1;
/* mca_stamp should be updated upon changes */ /* mca_stamp should be updated upon changes */
mc->mca_cstamp = mc->mca_tstamp = jiffies; mc->mca_cstamp = mc->mca_tstamp = jiffies;
atomic_set(&mc->mca_refcnt, 1); refcount_set(&mc->mca_refcnt, 1);
spin_lock_init(&mc->mca_lock); spin_lock_init(&mc->mca_lock);
/* initial mode is (EX, empty) */ /* initial mode is (EX, empty) */
@ -1065,7 +1065,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
return; return;
if (del_timer(&ma->mca_timer)) { if (del_timer(&ma->mca_timer)) {
atomic_dec(&ma->mca_refcnt); refcount_dec(&ma->mca_refcnt);
delay = ma->mca_timer.expires - jiffies; delay = ma->mca_timer.expires - jiffies;
} }
@ -1074,7 +1074,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
ma->mca_timer.expires = jiffies + delay; ma->mca_timer.expires = jiffies + delay;
if (!mod_timer(&ma->mca_timer, jiffies + delay)) if (!mod_timer(&ma->mca_timer, jiffies + delay))
atomic_inc(&ma->mca_refcnt); refcount_inc(&ma->mca_refcnt);
ma->mca_flags |= MAF_TIMER_RUNNING; ma->mca_flags |= MAF_TIMER_RUNNING;
} }
@ -1469,7 +1469,7 @@ int igmp6_event_report(struct sk_buff *skb)
if (ipv6_addr_equal(&ma->mca_addr, &mld->mld_mca)) { if (ipv6_addr_equal(&ma->mca_addr, &mld->mld_mca)) {
spin_lock(&ma->mca_lock); spin_lock(&ma->mca_lock);
if (del_timer(&ma->mca_timer)) if (del_timer(&ma->mca_timer))
atomic_dec(&ma->mca_refcnt); refcount_dec(&ma->mca_refcnt);
ma->mca_flags &= ~(MAF_LAST_REPORTER|MAF_TIMER_RUNNING); ma->mca_flags &= ~(MAF_LAST_REPORTER|MAF_TIMER_RUNNING);
spin_unlock(&ma->mca_lock); spin_unlock(&ma->mca_lock);
break; break;
@ -2391,12 +2391,12 @@ static void igmp6_join_group(struct ifmcaddr6 *ma)
spin_lock_bh(&ma->mca_lock); spin_lock_bh(&ma->mca_lock);
if (del_timer(&ma->mca_timer)) { if (del_timer(&ma->mca_timer)) {
atomic_dec(&ma->mca_refcnt); refcount_dec(&ma->mca_refcnt);
delay = ma->mca_timer.expires - jiffies; delay = ma->mca_timer.expires - jiffies;
} }
if (!mod_timer(&ma->mca_timer, jiffies + delay)) if (!mod_timer(&ma->mca_timer, jiffies + delay))
atomic_inc(&ma->mca_refcnt); refcount_inc(&ma->mca_refcnt);
ma->mca_flags |= MAF_TIMER_RUNNING | MAF_LAST_REPORTER; ma->mca_flags |= MAF_TIMER_RUNNING | MAF_LAST_REPORTER;
spin_unlock_bh(&ma->mca_lock); spin_unlock_bh(&ma->mca_lock);
} }