Commit 79976892 authored by Yajun Deng Committed by Jakub Kicinski

net: convert fib_treeref from int to refcount_t



The refcount_t type should be used instead of int when fib_treeref is used as
a reference counter, to avoid use-after-free risks.

Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20210729071350.28919-1-yajun.deng@linux.dev


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent 3e12361b
+1 −1
@@ -29,7 +29,7 @@ struct dn_fib_nh {
struct dn_fib_info {
	struct dn_fib_info	*fib_next;
	struct dn_fib_info	*fib_prev;
	int 			fib_treeref;
	refcount_t		fib_treeref;
	refcount_t		fib_clntref;
	int			fib_dead;
	unsigned int		fib_flags;
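Review bot: `fib_treeref` and `fib_clntref` now have the same type on adjacent lines in `struct dn_fib_info`, and nothing in the struct says which counter controls what; a one-line comment on each would help. Going by dn_fib_release_info in this commit, dropping `fib_treeref` to zero is what unlinks the entry from its neighbours, so a comment such as `/* dropped by dn_fib_release_info(); zero unlinks fi from the info list */` fits. `struct fib_info` would benefit from the equivalent comment. The role of `fib_clntref` is not visible on this page, so its wording should be checked against the free path; the struct body continues outside the hunk.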
+1 −1
@@ -133,7 +133,7 @@ struct fib_info {
	struct hlist_node	fib_lhash;
	struct list_head	nh_list;
	struct net		*fib_net;
	int			fib_treeref;
	refcount_t		fib_treeref;
	refcount_t		fib_clntref;
	unsigned int		fib_flags;
	unsigned char		fib_dead;
+3 −3
@@ -102,7 +102,7 @@ void dn_fib_free_info(struct dn_fib_info *fi)
void dn_fib_release_info(struct dn_fib_info *fi)
{
	spin_lock(&dn_fib_info_lock);
	if (fi && --fi->fib_treeref == 0) {
	if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
		if (fi->fib_next)
			fi->fib_next->fib_prev = fi->fib_prev;
		if (fi->fib_prev)
@@ -385,11 +385,11 @@ struct dn_fib_info *dn_fib_create_info(const struct rtmsg *r, struct nlattr *att
	if ((ofi = dn_fib_find_info(fi)) != NULL) {
		fi->fib_dead = 1;
		dn_fib_free_info(fi);
		ofi->fib_treeref++;
		refcount_inc(&ofi->fib_treeref);
		return ofi;
	}

	fi->fib_treeref++;
	refcount_inc(&fi->fib_treeref);
	refcount_set(&fi->fib_clntref, 1);
	spin_lock(&dn_fib_info_lock);
	fi->fib_next = dn_fib_info_list;
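Review bot: `refcount_inc(&fi->fib_treeref)` on the newly built `fi` in dn_fib_create_info is the wrong primitive if the counter is still zero at that point. The `refcount_set(&fi->fib_clntref, 1)` on the next line suggests it is, although the allocation lies outside the hunk, so this is inferred. refcount_inc() on a zero counter emits a WARN ("addition on 0; use-after-free") and saturates the counter instead of setting it to 1, so refcount_dec_and_test() in dn_fib_release_info would never see zero and the entry would stay linked. The first reference should be taken with `refcount_set(&fi->fib_treeref, 1);`, keeping refcount_inc() for the `ofi` path where the object is already live. The same applies to the `refcount_inc(&fi->fib_treeref)` line in the last fib_create_info hunk (@@ -1547).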
+4 −4
@@ -260,7 +260,7 @@ EXPORT_SYMBOL_GPL(free_fib_info);
void fib_release_info(struct fib_info *fi)
{
	spin_lock_bh(&fib_info_lock);
	if (fi && --fi->fib_treeref == 0) {
	if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
		hlist_del(&fi->fib_hash);
		if (fi->fib_prefsrc)
			hlist_del(&fi->fib_lhash);
@@ -1373,7 +1373,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
		if (!cfg->fc_mx) {
			fi = fib_find_info_nh(net, cfg);
			if (fi) {
				fi->fib_treeref++;
				refcount_inc(&fi->fib_treeref);
				return fi;
			}
		}
@@ -1547,11 +1547,11 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
	if (ofi) {
		fi->fib_dead = 1;
		free_fib_info(fi);
		ofi->fib_treeref++;
		refcount_inc(&ofi->fib_treeref);
		return ofi;
	}

	fi->fib_treeref++;
	refcount_inc(&fi->fib_treeref);
	refcount_set(&fi->fib_clntref, 1);
	spin_lock_bh(&fib_info_lock);
	hlist_add_head(&fi->fib_hash,