From c0acdfb409c82047853df1e5f3dbdbe4005c78ae Mon Sep 17 00:00:00 2001 From: "Reshetova, Elena" Date: Tue, 4 Jul 2017 15:53:25 +0300 Subject: [PATCH] net, sctp: convert sctp_datamsg.refcnt from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova Signed-off-by: Hans Liljestrand Signed-off-by: Kees Cook Signed-off-by: David Windsor Signed-off-by: David S. Miller --- include/net/sctp/structs.h | 2 +- net/sctp/chunk.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index 07c11fefa8c4..4d7c855d8443 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -496,7 +496,7 @@ struct sctp_datamsg { /* Chunks waiting to be submitted to lower layer. */ struct list_head chunks; /* Reference counting. */ - atomic_t refcnt; + refcount_t refcnt; /* When is this message no longer interesting to the peer? */ unsigned long expires_at; /* Did the messenge fail to send? */ diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c index 81466f6442e8..1323d41e68b8 100644 --- a/net/sctp/chunk.c +++ b/net/sctp/chunk.c @@ -49,7 +49,7 @@ /* Initialize datamsg from memory. */ static void sctp_datamsg_init(struct sctp_datamsg *msg) { - atomic_set(&msg->refcnt, 1); + refcount_set(&msg->refcnt, 1); msg->send_failed = 0; msg->send_error = 0; msg->can_delay = 1; @@ -136,13 +136,13 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg) /* Hold a reference. */ static void sctp_datamsg_hold(struct sctp_datamsg *msg) { - atomic_inc(&msg->refcnt); + refcount_inc(&msg->refcnt); } /* Release a reference. */ void sctp_datamsg_put(struct sctp_datamsg *msg) { - if (atomic_dec_and_test(&msg->refcnt)) + if (refcount_dec_and_test(&msg->refcnt)) sctp_datamsg_destroy(msg); } -- 2.11.0