net, sctp: convert sctp_auth_bytes.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Reshetova, Elena 2017-07-04 15:53:24 +03:00 committed by David S. Miller
parent 55eabed60a
commit 6871584a5e
2 changed files with 5 additions and 4 deletions

View File

@ -31,6 +31,7 @@
#define __sctp_auth_h__
#include <linux/list.h>
#include <linux/refcount.h>
struct sctp_endpoint;
struct sctp_association;
@ -53,7 +54,7 @@ struct sctp_hmac {
* over SCTP-AUTH
*/
struct sctp_auth_bytes {
atomic_t refcnt;
refcount_t refcnt;
__u32 len;
__u8 data[];
};
@ -76,7 +77,7 @@ static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key)
if (!key)
return;
atomic_inc(&key->refcnt);
refcount_inc(&key->refcnt);
}
void sctp_auth_key_put(struct sctp_auth_bytes *key);

View File

@ -63,7 +63,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
if (!key)
return;
if (atomic_dec_and_test(&key->refcnt)) {
if (refcount_dec_and_test(&key->refcnt)) {
kzfree(key);
SCTP_DBG_OBJCNT_DEC(keys);
}
@ -84,7 +84,7 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
return NULL;
key->len = key_len;
atomic_set(&key->refcnt, 1);
refcount_set(&key->refcnt, 1);
SCTP_DBG_OBJCNT_INC(keys);
return key;