Commit f00c854c authored by Reshetova, Elena's avatar Reshetova, Elena Committed by David S. Miller

net, l2tp: convert l2tp_session.ref_count from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent fbea9e07
...@@ -1854,7 +1854,7 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn ...@@ -1854,7 +1854,7 @@ struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunn
/* Bump the reference count. The session context is deleted /* Bump the reference count. The session context is deleted
* only when this drops to zero. * only when this drops to zero.
*/ */
l2tp_session_inc_refcount(session); refcount_set(&session->ref_count, 1);
l2tp_tunnel_inc_refcount(tunnel); l2tp_tunnel_inc_refcount(tunnel);
/* Ensure tunnel socket isn't deleted */ /* Ensure tunnel socket isn't deleted */
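Review bot: The comment above the new `refcount_set(&session->ref_count, 1);` in l2tp_session_create still says "Bump the reference count", which no longer describes the code: the count is now initialised to 1 rather than incremented from zero. I would reword it to `/* Set the initial reference. The session context is deleted only when this drops to zero. */` so that a later reader does not "restore" an increment here; refcount_inc() on a zero counter is treated as a possible use-after-free and warns. The initial reference also no longer goes through the l2tp_session_inc_refcount debug macro, so it will not show up in the pr_debug trace, which may deserve a word in the same comment. The function body starts and ends outside the hunk.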
......
...@@ -99,7 +99,7 @@ struct l2tp_session { ...@@ -99,7 +99,7 @@ struct l2tp_session {
int nr_oos_count; /* For OOS recovery */ int nr_oos_count; /* For OOS recovery */
int nr_oos_count_max; int nr_oos_count_max;
struct hlist_node hlist; /* Hash list node */ struct hlist_node hlist; /* Hash list node */
atomic_t ref_count; refcount_t ref_count;
char name[32]; /* for logging */ char name[32]; /* for logging */
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
...@@ -274,12 +274,12 @@ int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg); ...@@ -274,12 +274,12 @@ int l2tp_ioctl(struct sock *sk, int cmd, unsigned long arg);
*/ */
static inline void l2tp_session_inc_refcount_1(struct l2tp_session *session) static inline void l2tp_session_inc_refcount_1(struct l2tp_session *session)
{ {
atomic_inc(&session->ref_count); refcount_inc(&session->ref_count);
} }
static inline void l2tp_session_dec_refcount_1(struct l2tp_session *session) static inline void l2tp_session_dec_refcount_1(struct l2tp_session *session)
{ {
if (atomic_dec_and_test(&session->ref_count)) if (refcount_dec_and_test(&session->ref_count))
l2tp_session_free(session); l2tp_session_free(session);
} }
...@@ -288,14 +288,14 @@ static inline void l2tp_session_dec_refcount_1(struct l2tp_session *session) ...@@ -288,14 +288,14 @@ static inline void l2tp_session_dec_refcount_1(struct l2tp_session *session)
do { \ do { \
pr_debug("l2tp_session_inc_refcount: %s:%d %s: cnt=%d\n", \ pr_debug("l2tp_session_inc_refcount: %s:%d %s: cnt=%d\n", \
__func__, __LINE__, (_s)->name, \ __func__, __LINE__, (_s)->name, \
atomic_read(&_s->ref_count)); \ refcount_read(&_s->ref_count)); \
l2tp_session_inc_refcount_1(_s); \ l2tp_session_inc_refcount_1(_s); \
} while (0) } while (0)
#define l2tp_session_dec_refcount(_s) \ #define l2tp_session_dec_refcount(_s) \
do { \ do { \
pr_debug("l2tp_session_dec_refcount: %s:%d %s: cnt=%d\n", \ pr_debug("l2tp_session_dec_refcount: %s:%d %s: cnt=%d\n", \
__func__, __LINE__, (_s)->name, \ __func__, __LINE__, (_s)->name, \
atomic_read(&_s->ref_count)); \ refcount_read(&_s->ref_count)); \
l2tp_session_dec_refcount_1(_s); \ l2tp_session_dec_refcount_1(_s); \
} while (0) } while (0)
#else #else
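Review bot: Both pr_debug calls in the l2tp_session_inc_refcount and l2tp_session_dec_refcount debug macros still print the counter with `cnt=%d`, but refcount_read() returns unsigned int, so the specifier should become `cnt=%u`; with `%d` a saturated counter would presumably be logged as a negative number, depending on the saturation value in use. On the same lines `&_s->ref_count` uses the macro argument unparenthesised while `(_s)->name` parenthesises it; `refcount_read(&(_s)->ref_count)` would be consistent. The value is read before the separate increment or decrement, so the logged count is only a snapshot and should not be relied on when auditing reference leaks. The conditional block enclosing these macros starts and ends outside the visible lines.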
......