summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorReshetova, Elena <elena.reshetova@intel.com>2017-07-04 09:34:54 +0300
committerDavid S. Miller <davem@davemloft.net>2017-07-04 01:29:03 -0700
commit0aeea21ada517b99a6e95298ffc105381bcd3a52 (patch)
tree5a09b35a770e6893d3f146053463a64ddce6488b
parent25f4535a94c2b38d09912d7e8bab371c9e97be38 (diff)
downloadlinux-0aeea21ada517b99a6e95298ffc105381bcd3a52.tar.bz2
net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/ipv6.h7
-rw-r--r--net/ipv6/exthdrs.c4
-rw-r--r--net/ipv6/ipv6_sockglue.c2
3 files changed, 7 insertions, 6 deletions
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 3e505bbff8ca..6eac5cf8f1e6 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -16,6 +16,7 @@
#include <linux/ipv6.h>
#include <linux/hardirq.h>
#include <linux/jhash.h>
+#include <linux/refcount.h>
#include <net/if_inet6.h>
#include <net/ndisc.h>
#include <net/flow.h>
@@ -203,7 +204,7 @@ extern rwlock_t ip6_ra_lock;
*/
struct ipv6_txoptions {
- atomic_t refcnt;
+ refcount_t refcnt;
/* Length of this structure */
int tot_len;
@@ -265,7 +266,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
rcu_read_lock();
opt = rcu_dereference(np->opt);
if (opt) {
- if (!atomic_inc_not_zero(&opt->refcnt))
+ if (!refcount_inc_not_zero(&opt->refcnt))
opt = NULL;
else
opt = rcu_pointer_handoff(opt);
@@ -276,7 +277,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
static inline void txopt_put(struct ipv6_txoptions *opt)
{
- if (opt && atomic_dec_and_test(&opt->refcnt))
+ if (opt && refcount_dec_and_test(&opt->refcnt))
kfree_rcu(opt, rcu);
}
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 0460af226011..4996d734f1d2 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -971,7 +971,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
*((char **)&opt2->dst1opt) += dif;
if (opt2->srcrt)
*((char **)&opt2->srcrt) += dif;
- atomic_set(&opt2->refcnt, 1);
+ refcount_set(&opt2->refcnt, 1);
}
return opt2;
}
@@ -1056,7 +1056,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
return ERR_PTR(-ENOBUFS);
memset(opt2, 0, tot_len);
- atomic_set(&opt2->refcnt, 1);
+ refcount_set(&opt2->refcnt, 1);
opt2->tot_len = tot_len;
p = (char *)(opt2 + 1);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index a531ba032b85..85404e7c3114 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -505,7 +505,7 @@ sticky_done:
break;
memset(opt, 0, sizeof(*opt));
- atomic_set(&opt->refcnt, 1);
+ refcount_set(&opt->refcnt, 1);
opt->tot_len = sizeof(*opt) + optlen;
retv = -EFAULT;
if (copy_from_user(opt+1, optval, optlen))