net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 3dbfd5e..41d580c 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -23,6 +23,7 @@
#include <net/inetpeer.h>
#include <linux/percpu.h>
#include <linux/notifier.h>
+#include <linux/refcount.h>
struct fib_config {
u8 fc_dst_len;
@@ -105,7 +106,7 @@ struct fib_info {
struct hlist_node fib_lhash;
struct net *fib_net;
int fib_treeref;
- atomic_t fib_clntref;
+ refcount_t fib_clntref;
unsigned int fib_flags;
unsigned char fib_dead;
unsigned char fib_protocol;
@@ -430,12 +431,12 @@ void free_fib_info(struct fib_info *fi);
static inline void fib_info_hold(struct fib_info *fi)
{
- atomic_inc(&fi->fib_clntref);
+ refcount_inc(&fi->fib_clntref);
}
static inline void fib_info_put(struct fib_info *fi)
{
- if (atomic_dec_and_test(&fi->fib_clntref))
+ if (refcount_dec_and_test(&fi->fib_clntref))
free_fib_info(fi);
}