Commit 79976892 authored by Yajun Deng's avatar Yajun Deng Committed by Jakub Kicinski

net: convert fib_treeref from int to refcount_t

refcount_t type should be used instead of int when fib_treeref is used as
a reference counter,and avoid use-after-free risks.
Signed-off-by: default avatarYajun Deng <yajun.deng@linux.dev>
Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20210729071350.28919-1-yajun.deng@linux.devSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 3e12361b
...@@ -29,7 +29,7 @@ struct dn_fib_nh { ...@@ -29,7 +29,7 @@ struct dn_fib_nh {
struct dn_fib_info { struct dn_fib_info {
struct dn_fib_info *fib_next; struct dn_fib_info *fib_next;
struct dn_fib_info *fib_prev; struct dn_fib_info *fib_prev;
int fib_treeref; refcount_t fib_treeref;
refcount_t fib_clntref; refcount_t fib_clntref;
int fib_dead; int fib_dead;
unsigned int fib_flags; unsigned int fib_flags;
......
...@@ -133,7 +133,7 @@ struct fib_info { ...@@ -133,7 +133,7 @@ struct fib_info {
struct hlist_node fib_lhash; struct hlist_node fib_lhash;
struct list_head nh_list; struct list_head nh_list;
struct net *fib_net; struct net *fib_net;
int fib_treeref; refcount_t fib_treeref;
refcount_t fib_clntref; refcount_t fib_clntref;
unsigned int fib_flags; unsigned int fib_flags;
unsigned char fib_dead; unsigned char fib_dead;
......
...@@ -102,7 +102,7 @@ void dn_fib_free_info(struct dn_fib_info *fi) ...@@ -102,7 +102,7 @@ void dn_fib_free_info(struct dn_fib_info *fi)
void dn_fib_release_info(struct dn_fib_info *fi) void dn_fib_release_info(struct dn_fib_info *fi)
{ {
spin_lock(&dn_fib_info_lock); spin_lock(&dn_fib_info_lock);
if (fi && --fi->fib_treeref == 0) { if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
if (fi->fib_next) if (fi->fib_next)
fi->fib_next->fib_prev = fi->fib_prev; fi->fib_next->fib_prev = fi->fib_prev;
if (fi->fib_prev) if (fi->fib_prev)
...@@ -385,11 +385,11 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct nlattr *att ...@@ -385,11 +385,11 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct nlattr *att
if ((ofi = dn_fib_find_info(fi)) != NULL) { if ((ofi = dn_fib_find_info(fi)) != NULL) {
fi->fib_dead = 1; fi->fib_dead = 1;
dn_fib_free_info(fi); dn_fib_free_info(fi);
ofi->fib_treeref++; refcount_inc(&ofi->fib_treeref);
return ofi; return ofi;
} }
fi->fib_treeref++; refcount_inc(&fi->fib_treeref);
refcount_set(&fi->fib_clntref, 1); refcount_set(&fi->fib_clntref, 1);
spin_lock(&dn_fib_info_lock); spin_lock(&dn_fib_info_lock);
fi->fib_next = dn_fib_info_list; fi->fib_next = dn_fib_info_list;
......
...@@ -260,7 +260,7 @@ EXPORT_SYMBOL_GPL(free_fib_info); ...@@ -260,7 +260,7 @@ EXPORT_SYMBOL_GPL(free_fib_info);
void fib_release_info(struct fib_info *fi) void fib_release_info(struct fib_info *fi)
{ {
spin_lock_bh(&fib_info_lock); spin_lock_bh(&fib_info_lock);
if (fi && --fi->fib_treeref == 0) { if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
hlist_del(&fi->fib_hash); hlist_del(&fi->fib_hash);
if (fi->fib_prefsrc) if (fi->fib_prefsrc)
hlist_del(&fi->fib_lhash); hlist_del(&fi->fib_lhash);
...@@ -1373,7 +1373,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg, ...@@ -1373,7 +1373,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
if (!cfg->fc_mx) { if (!cfg->fc_mx) {
fi = fib_find_info_nh(net, cfg); fi = fib_find_info_nh(net, cfg);
if (fi) { if (fi) {
fi->fib_treeref++; refcount_inc(&fi->fib_treeref);
return fi; return fi;
} }
} }
...@@ -1547,11 +1547,11 @@ struct fib_info *fib_create_info(struct fib_config *cfg, ...@@ -1547,11 +1547,11 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
if (ofi) { if (ofi) {
fi->fib_dead = 1; fi->fib_dead = 1;
free_fib_info(fi); free_fib_info(fi);
ofi->fib_treeref++; refcount_inc(&ofi->fib_treeref);
return ofi; return ofi;
} }
fi->fib_treeref++; refcount_inc(&fi->fib_treeref);
refcount_set(&fi->fib_clntref, 1); refcount_set(&fi->fib_clntref, 1);
spin_lock_bh(&fib_info_lock); spin_lock_bh(&fib_info_lock);
hlist_add_head(&fi->fib_hash, hlist_add_head(&fi->fib_hash,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment