Commit d3981bc6 authored by Reshetova, Elena's avatar Reshetova, Elena Committed by David S. Miller
Browse files

net, ipv6: convert ifmcaddr6.mca_refcnt from atomic_t to refcount_t 



refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 271201c0

include/net/if_inet6.h

+1 −1
Original line number Diff line number Diff line
@@ -127,7 +127,7 @@ struct ifmcaddr6 { 
	struct timer_list	mca_timer;

	unsigned int		mca_flags;

	int			mca_users;

	atomic_t		mca_refcnt;

	refcount_t		mca_refcnt;

	spinlock_t		mca_lock;

	unsigned long		mca_cstamp;

	unsigned long		mca_tstamp;

net/ipv6/mcast.c

+9 −9
Original line number Diff line number Diff line
@@ -701,7 +701,7 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc) 


	spin_lock_bh(&mc->mca_lock);

	if (del_timer(&mc->mca_timer))

		atomic_dec(&mc->mca_refcnt);

		refcount_dec(&mc->mca_refcnt);

	spin_unlock_bh(&mc->mca_lock);

}
@@ -819,12 +819,12 @@ static void mld_clear_delrec(struct inet6_dev *idev) 


static void mca_get(struct ifmcaddr6 *mc)

{

	atomic_inc(&mc->mca_refcnt);

	refcount_inc(&mc->mca_refcnt);

}



static void ma_put(struct ifmcaddr6 *mc)

{

	if (atomic_dec_and_test(&mc->mca_refcnt)) {

	if (refcount_dec_and_test(&mc->mca_refcnt)) {

		in6_dev_put(mc->idev);

		kfree(mc);

	}
@@ -846,7 +846,7 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev, 
	mc->mca_users = 1;

	/* mca_stamp should be updated upon changes */

	mc->mca_cstamp = mc->mca_tstamp = jiffies;

	atomic_set(&mc->mca_refcnt, 1);

	refcount_set(&mc->mca_refcnt, 1);

	spin_lock_init(&mc->mca_lock);



	/* initial mode is (EX, empty) */
@@ -1065,7 +1065,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime) 
		return;



	if (del_timer(&ma->mca_timer)) {

		atomic_dec(&ma->mca_refcnt);

		refcount_dec(&ma->mca_refcnt);

		delay = ma->mca_timer.expires - jiffies;

	}
@@ -1074,7 +1074,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime) 


	ma->mca_timer.expires = jiffies + delay;

	if (!mod_timer(&ma->mca_timer, jiffies + delay))

		atomic_inc(&ma->mca_refcnt);

		refcount_inc(&ma->mca_refcnt);

	ma->mca_flags |= MAF_TIMER_RUNNING;

}
@@ -1469,7 +1469,7 @@ int igmp6_event_report(struct sk_buff *skb) 
		if (ipv6_addr_equal(&ma->mca_addr, &mld->mld_mca)) {

			spin_lock(&ma->mca_lock);

			if (del_timer(&ma->mca_timer))

				atomic_dec(&ma->mca_refcnt);

				refcount_dec(&ma->mca_refcnt);

			ma->mca_flags &= ~(MAF_LAST_REPORTER|MAF_TIMER_RUNNING);

			spin_unlock(&ma->mca_lock);

			break;
@@ -2391,12 +2391,12 @@ static void igmp6_join_group(struct ifmcaddr6 *ma) 


	spin_lock_bh(&ma->mca_lock);

	if (del_timer(&ma->mca_timer)) {

		atomic_dec(&ma->mca_refcnt);

		refcount_dec(&ma->mca_refcnt);

		delay = ma->mca_timer.expires - jiffies;

	}



	if (!mod_timer(&ma->mca_timer, jiffies + delay))

		atomic_inc(&ma->mca_refcnt);

		refcount_inc(&ma->mca_refcnt);

	ma->mca_flags |= MAF_TIMER_RUNNING | MAF_LAST_REPORTER;

	spin_unlock_bh(&ma->mca_lock);

}