hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t 

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Reshetova, Elena 2017-07-04 09:34:54 +03:00 committed by David S. Miller
parent 25f4535a94
commit 0aeea21ada
3 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
include/net/ipv6.h
View File

@ -16,6 +16,7 @@
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <linux/hardirq.h> #include <linux/hardirq.h>
#include <linux/jhash.h> #include <linux/jhash.h>
#include <linux/refcount.h>
#include <net/if_inet6.h> #include <net/if_inet6.h>
#include <net/ndisc.h> #include <net/ndisc.h>
#include <net/flow.h> #include <net/flow.h>
@ -203,7 +204,7 @@ extern rwlock_t ip6_ra_lock;
*/ */
struct ipv6_txoptions { struct ipv6_txoptions {
atomic_t refcnt; refcount_t refcnt;
/* Length of this structure */ /* Length of this structure */
int tot_len; int tot_len;
@ -265,7 +266,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
rcu_read_lock(); rcu_read_lock();
opt = rcu_dereference(np->opt); opt = rcu_dereference(np->opt);
if (opt) { if (opt) {
if (!atomic_inc_not_zero(&opt->refcnt)) if (!refcount_inc_not_zero(&opt->refcnt))
opt = NULL; opt = NULL;
else else
opt = rcu_pointer_handoff(opt); opt = rcu_pointer_handoff(opt);
@ -276,7 +277,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
static inline void txopt_put(struct ipv6_txoptions *opt) static inline void txopt_put(struct ipv6_txoptions *opt)
{ {
if (opt && atomic_dec_and_test(&opt->refcnt)) if (opt && refcount_dec_and_test(&opt->refcnt))
kfree_rcu(opt, rcu); kfree_rcu(opt, rcu);
} }

4
net/ipv6/exthdrs.c
View File

@ -971,7 +971,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
*((char **)&opt2->dst1opt) += dif; *((char **)&opt2->dst1opt) += dif;
if (opt2->srcrt) if (opt2->srcrt)
*((char **)&opt2->srcrt) += dif; *((char **)&opt2->srcrt) += dif;
atomic_set(&opt2->refcnt, 1); refcount_set(&opt2->refcnt, 1);
} }
return opt2; return opt2;
} }
@ -1056,7 +1056,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
return ERR_PTR(-ENOBUFS); return ERR_PTR(-ENOBUFS);
memset(opt2, 0, tot_len); memset(opt2, 0, tot_len);
atomic_set(&opt2->refcnt, 1); refcount_set(&opt2->refcnt, 1);
opt2->tot_len = tot_len; opt2->tot_len = tot_len;
p = (char *)(opt2 + 1); p = (char *)(opt2 + 1);

2
net/ipv6/ipv6_sockglue.c
View File

@ -505,7 +505,7 @@ sticky_done:
break; break;
memset(opt, 0, sizeof(*opt)); memset(opt, 0, sizeof(*opt));
atomic_set(&opt->refcnt, 1); refcount_set(&opt->refcnt, 1);
opt->tot_len = sizeof(*opt) + optlen; opt->tot_len = sizeof(*opt) + optlen;
retv = -EFAULT; retv = -EFAULT;
if (copy_from_user(opt+1, optval, optlen)) if (copy_from_user(opt+1, optval, optlen))