From b6d52ede224836f74dff50666b6a3076a5b8c92d Mon Sep 17 00:00:00 2001 From: "Reshetova, Elena" Date: Tue, 4 Jul 2017 15:53:31 +0300 Subject: [PATCH] net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Signed-off-by: David S. Miller --- include/net/ax25.h | 6 +++--- net/ax25/af_ax25.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/net/ax25.h b/include/net/ax25.h index e3467ba81f6e..c4a0cf6f0810 100644 --- a/include/net/ax25.h +++ b/include/net/ax25.h @@ -244,7 +244,7 @@ typedef struct ax25_cb { unsigned char window; struct timer_list timer, dtimer; struct sock *sk; /* Backlink to socket */ - atomic_t refcount; + refcount_t refcount; } ax25_cb; struct ax25_sock { @@ -266,11 +266,11 @@ static inline struct ax25_cb *sk_to_ax25(const struct sock *sk) hlist_for_each_entry(__ax25, list, ax25_node) #define ax25_cb_hold(__ax25) \ - atomic_inc(&((__ax25)->refcount)) + refcount_inc(&((__ax25)->refcount)) static __inline__ void ax25_cb_put(ax25_cb *ax25) { - if (atomic_dec_and_test(&ax25->refcount)) { + if (refcount_dec_and_test(&ax25->refcount)) { kfree(ax25->digipeat); kfree(ax25); } diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 0c92ba0cbe0b..f3f9d18891de 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -510,7 +510,7 @@ ax25_cb *ax25_create_cb(void) if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL) return NULL; - atomic_set(&ax25->refcount, 1); + refcount_set(&ax25->refcount, 1); skb_queue_head_init(&ax25->write_queue); skb_queue_head_init(&ax25->frag_queue);