Commit e00bdbef authored by Reshetova, Elena's avatar Reshetova, Elena Committed by David S. Miller

net, atm: convert eg_cache_entry.use from atomic_t to refcount_t

The refcount_t type and its corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This helps avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 93714912
...@@ -339,7 +339,7 @@ static eg_cache_entry *eg_cache_get_by_cache_id(__be32 cache_id, ...@@ -339,7 +339,7 @@ static eg_cache_entry *eg_cache_get_by_cache_id(__be32 cache_id,
entry = mpc->eg_cache; entry = mpc->eg_cache;
while (entry != NULL) { while (entry != NULL) {
if (entry->ctrl_info.cache_id == cache_id) { if (entry->ctrl_info.cache_id == cache_id) {
atomic_inc(&entry->use); refcount_inc(&entry->use);
read_unlock_irq(&mpc->egress_lock); read_unlock_irq(&mpc->egress_lock);
return entry; return entry;
} }
...@@ -360,7 +360,7 @@ static eg_cache_entry *eg_cache_get_by_tag(__be32 tag, struct mpoa_client *mpc) ...@@ -360,7 +360,7 @@ static eg_cache_entry *eg_cache_get_by_tag(__be32 tag, struct mpoa_client *mpc)
entry = mpc->eg_cache; entry = mpc->eg_cache;
while (entry != NULL) { while (entry != NULL) {
if (entry->ctrl_info.tag == tag) { if (entry->ctrl_info.tag == tag) {
atomic_inc(&entry->use); refcount_inc(&entry->use);
read_unlock_irqrestore(&mpc->egress_lock, flags); read_unlock_irqrestore(&mpc->egress_lock, flags);
return entry; return entry;
} }
...@@ -382,7 +382,7 @@ static eg_cache_entry *eg_cache_get_by_vcc(struct atm_vcc *vcc, ...@@ -382,7 +382,7 @@ static eg_cache_entry *eg_cache_get_by_vcc(struct atm_vcc *vcc,
entry = mpc->eg_cache; entry = mpc->eg_cache;
while (entry != NULL) { while (entry != NULL) {
if (entry->shortcut == vcc) { if (entry->shortcut == vcc) {
atomic_inc(&entry->use); refcount_inc(&entry->use);
read_unlock_irqrestore(&mpc->egress_lock, flags); read_unlock_irqrestore(&mpc->egress_lock, flags);
return entry; return entry;
} }
...@@ -402,7 +402,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr, ...@@ -402,7 +402,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr,
entry = mpc->eg_cache; entry = mpc->eg_cache;
while (entry != NULL) { while (entry != NULL) {
if (entry->latest_ip_addr == ipaddr) { if (entry->latest_ip_addr == ipaddr) {
atomic_inc(&entry->use); refcount_inc(&entry->use);
read_unlock_irq(&mpc->egress_lock); read_unlock_irq(&mpc->egress_lock);
return entry; return entry;
} }
...@@ -415,7 +415,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr, ...@@ -415,7 +415,7 @@ static eg_cache_entry *eg_cache_get_by_src_ip(__be32 ipaddr,
static void eg_cache_put(eg_cache_entry *entry) static void eg_cache_put(eg_cache_entry *entry)
{ {
if (atomic_dec_and_test(&entry->use)) { if (refcount_dec_and_test(&entry->use)) {
memset(entry, 0, sizeof(eg_cache_entry)); memset(entry, 0, sizeof(eg_cache_entry));
kfree(entry); kfree(entry);
} }
...@@ -468,7 +468,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg, ...@@ -468,7 +468,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg,
dprintk("adding an egress entry, ip = %pI4, this should be our IP\n", dprintk("adding an egress entry, ip = %pI4, this should be our IP\n",
&msg->content.eg_info.eg_dst_ip); &msg->content.eg_info.eg_dst_ip);
atomic_set(&entry->use, 1); refcount_set(&entry->use, 1);
dprintk("new_eg_cache_entry: about to lock\n"); dprintk("new_eg_cache_entry: about to lock\n");
write_lock_irq(&client->egress_lock); write_lock_irq(&client->egress_lock);
entry->next = client->eg_cache; entry->next = client->eg_cache;
...@@ -484,7 +484,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg, ...@@ -484,7 +484,7 @@ static eg_cache_entry *eg_cache_add_entry(struct k_message *msg,
dprintk("new_eg_cache_entry cache_id %u\n", dprintk("new_eg_cache_entry cache_id %u\n",
ntohl(entry->ctrl_info.cache_id)); ntohl(entry->ctrl_info.cache_id));
dprintk("mps_ip = %pI4\n", &entry->ctrl_info.mps_ip); dprintk("mps_ip = %pI4\n", &entry->ctrl_info.mps_ip);
atomic_inc(&entry->use); refcount_inc(&entry->use);
write_unlock_irq(&client->egress_lock); write_unlock_irq(&client->egress_lock);
dprintk("new_eg_cache_entry: unlocked\n"); dprintk("new_eg_cache_entry: unlocked\n");
......
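Review bot: The four lookup hunks (eg_cache_get_by_cache_id, eg_cache_get_by_tag, eg_cache_get_by_vcc, eg_cache_get_by_src_ip) now call `refcount_inc(&entry->use)`, which, unlike `atomic_inc`, warns when the counter is already zero, so they depend on an invariant that is not written down: an entry reachable from `mpc->eg_cache` must still carry the list's own reference while `egress_lock` is held. I would state that next to the increment, e.g. `/* list holds a reference while egress_lock is held, so use is never 0 here */`, and confirm that every removal path unlinks the entry under the write lock before calling eg_cache_put(); that path is outside the visible hunks. In eg_cache_add_entry the `refcount_set(&entry->use, 1)` / `refcount_inc(&entry->use)` pair would also read better with a comment saying which reference belongs to the list and which presumably goes to the caller. All of these functions start and end outside the hunks shown.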
...@@ -59,7 +59,7 @@ typedef struct eg_cache_entry{ ...@@ -59,7 +59,7 @@ typedef struct eg_cache_entry{
uint16_t entry_state; uint16_t entry_state;
__be32 latest_ip_addr; /* The src IP address of the last packet */ __be32 latest_ip_addr; /* The src IP address of the last packet */
struct eg_ctrl_info ctrl_info; struct eg_ctrl_info ctrl_info;
atomic_t use; refcount_t use;
} eg_cache_entry; } eg_cache_entry;
struct eg_cache_ops{ struct eg_cache_ops{
......
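Review bot: The `refcount_t use;` field has no comment, while the neighbouring `latest_ip_addr` field does; something like `refcount_t use; /* dropped via eg_cache_put(); entry is freed at zero */` would record the lifetime rule the type now enforces. The hunk also does not show whether this header pulls in `<linux/refcount.h>`; if it does not do so already, the include belongs here rather than in each user. The struct definition begins above the hunk.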