net, ipx: convert ipx_interface.refcnt from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/net/ipx.h b/include/net/ipx.h
index e5cff68..2de1281 100644
--- a/include/net/ipx.h
+++ b/include/net/ipx.h
@@ -14,6 +14,7 @@
#include <linux/ipx.h>
#include <linux/list.h>
#include <linux/slab.h>
+#include <linux/refcount.h>
struct ipx_address {
__be32 net;
@@ -54,7 +55,7 @@
/* IPX address */
__be32 if_netnum;
unsigned char if_node[IPX_NODE_LEN];
- atomic_t refcnt;
+ refcount_t refcnt;
/* physical device info */
struct net_device *if_dev;
@@ -139,7 +140,7 @@
static __inline__ void ipxitf_hold(struct ipx_interface *intrfc)
{
- atomic_inc(&intrfc->refcnt);
+ refcount_inc(&intrfc->refcnt);
}
void ipxitf_down(struct ipx_interface *intrfc);
@@ -157,7 +158,7 @@
static __inline__ void ipxitf_put(struct ipx_interface *intrfc)
{
- if (atomic_dec_and_test(&intrfc->refcnt))
+ if (refcount_dec_and_test(&intrfc->refcnt))
ipxitf_down(intrfc);
}
diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c
index fa31ef2..ac598ec 100644
--- a/net/ipx/af_ipx.c
+++ b/net/ipx/af_ipx.c
@@ -308,7 +308,7 @@
static void __ipxitf_put(struct ipx_interface *intrfc)
{
- if (atomic_dec_and_test(&intrfc->refcnt))
+ if (refcount_dec_and_test(&intrfc->refcnt))
__ipxitf_down(intrfc);
}
@@ -876,7 +876,7 @@
intrfc->if_ipx_offset = ipx_offset;
intrfc->if_sknum = IPX_MIN_EPHEMERAL_SOCKET;
INIT_HLIST_HEAD(&intrfc->if_sklist);
- atomic_set(&intrfc->refcnt, 1);
+ refcount_set(&intrfc->refcnt, 1);
spin_lock_init(&intrfc->if_sklist_lock);
}
@@ -1105,7 +1105,7 @@
memcpy((char *)&(intrfc->if_node[IPX_NODE_LEN-dev->addr_len]),
dev->dev_addr, dev->addr_len);
spin_lock_init(&intrfc->if_sklist_lock);
- atomic_set(&intrfc->refcnt, 1);
+ refcount_set(&intrfc->refcnt, 1);
ipxitf_insert(intrfc);
dev_hold(dev);
}
diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
index c1d247e..7d75e4c 100644
--- a/net/ipx/ipx_proc.c
+++ b/net/ipx/ipx_proc.c
@@ -53,7 +53,7 @@
seq_printf(seq, "%-11s", ipx_device_name(i));
seq_printf(seq, "%-9s", ipx_frame_name(i->if_dlink_type));
#ifdef IPX_REFCNT_DEBUG
- seq_printf(seq, "%6d", atomic_read(&i->refcnt));
+ seq_printf(seq, "%6d", refcount_read(&i->refcnt));
#endif
seq_puts(seq, "\n");
out: