summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorReshetova, Elena <elena.reshetova@intel.com>2017-07-04 15:53:31 +0300
committerDavid S. Miller <davem@davemloft.net>2017-07-04 22:35:19 +0100
commitb6d52ede224836f74dff50666b6a3076a5b8c92d (patch)
treec9e439fb24a3171edd0421ee6f41cd9a974cc4ae
parent39f25d42c04959f0ddb5b14b01b27ea221736509 (diff)
downloadlinux-next-b6d52ede224836f74dff50666b6a3076a5b8c92d.tar.gz
net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/ax25.h6
-rw-r--r--net/ax25/af_ax25.c2
2 files changed, 4 insertions, 4 deletions
diff --git a/include/net/ax25.h b/include/net/ax25.h
index e3467ba81f6e..c4a0cf6f0810 100644
--- a/include/net/ax25.h
+++ b/include/net/ax25.h
@@ -244,7 +244,7 @@ typedef struct ax25_cb {
unsigned char window;
struct timer_list timer, dtimer;
struct sock *sk; /* Backlink to socket */
- atomic_t refcount;
+ refcount_t refcount;
} ax25_cb;
struct ax25_sock {
@@ -266,11 +266,11 @@ static inline struct ax25_cb *sk_to_ax25(const struct sock *sk)
hlist_for_each_entry(__ax25, list, ax25_node)
#define ax25_cb_hold(__ax25) \
- atomic_inc(&((__ax25)->refcount))
+ refcount_inc(&((__ax25)->refcount))
static __inline__ void ax25_cb_put(ax25_cb *ax25)
{
- if (atomic_dec_and_test(&ax25->refcount)) {
+ if (refcount_dec_and_test(&ax25->refcount)) {
kfree(ax25->digipeat);
kfree(ax25);
}
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 0c92ba0cbe0b..f3f9d18891de 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -510,7 +510,7 @@ ax25_cb *ax25_create_cb(void)
if ((ax25 = kzalloc(sizeof(*ax25), GFP_ATOMIC)) == NULL)
return NULL;
- atomic_set(&ax25->refcount, 1);
+ refcount_set(&ax25->refcount, 1);
skb_queue_head_init(&ax25->write_queue);
skb_queue_head_init(&ax25->frag_queue);