[PATCH 13/36] net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t

From: Elena Reshetova
Date: Tue Jul 04 2017 - 08:55:49 EST


refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>
---
include/net/lapb.h | 3 ++-
net/lapb/lapb_iface.c | 6 +++---
2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/net/lapb.h b/include/net/lapb.h
index 9510f87..85e7737 100644
--- a/include/net/lapb.h
+++ b/include/net/lapb.h
@@ -1,6 +1,7 @@
#ifndef _LAPB_H
#define _LAPB_H
#include <linux/lapb.h>
+#include <linux/refcount.h>

#define LAPB_HEADER_LEN 20 /* LAPB over Ethernet + a bit more */

@@ -101,7 +102,7 @@ struct lapb_cb {
struct lapb_frame frmr_data;
unsigned char frmr_type;

- atomic_t refcnt;
+ refcount_t refcnt;
};

/* lapb_iface.c */
diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c
index b50b64a..e15314e 100644
--- a/net/lapb/lapb_iface.c
+++ b/net/lapb/lapb_iface.c
@@ -54,12 +54,12 @@ static void lapb_free_cb(struct lapb_cb *lapb)

static __inline__ void lapb_hold(struct lapb_cb *lapb)
{
- atomic_inc(&lapb->refcnt);
+ refcount_inc(&lapb->refcnt);
}

static __inline__ void lapb_put(struct lapb_cb *lapb)
{
- if (atomic_dec_and_test(&lapb->refcnt))
+ if (refcount_dec_and_test(&lapb->refcnt))
lapb_free_cb(lapb);
}

@@ -136,7 +136,7 @@ static struct lapb_cb *lapb_create_cb(void)
lapb->mode = LAPB_DEFAULT_MODE;
lapb->window = LAPB_DEFAULT_WINDOW;
lapb->state = LAPB_STATE_0;
- atomic_set(&lapb->refcnt, 1);
+ refcount_set(&lapb->refcnt, 1);
out:
return lapb;
}
--
2.7.4