refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx> Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: David Windsor <dwindsor@xxxxxxxxx> --- include/net/lapb.h | 3 ++- net/lapb/lapb_iface.c | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/include/net/lapb.h b/include/net/lapb.h index 9510f87..85e7737 100644 --- a/include/net/lapb.h +++ b/include/net/lapb.h @@ -1,6 +1,7 @@ #ifndef _LAPB_H #define _LAPB_H #include <linux/lapb.h> +#include <linux/refcount.h> #define LAPB_HEADER_LEN 20 /* LAPB over Ethernet + a bit more */ @@ -101,7 +102,7 @@ struct lapb_cb { struct lapb_frame frmr_data; unsigned char frmr_type; - atomic_t refcnt; + refcount_t refcnt; }; /* lapb_iface.c */ diff --git a/net/lapb/lapb_iface.c b/net/lapb/lapb_iface.c index b50b64a..e15314e 100644 --- a/net/lapb/lapb_iface.c +++ b/net/lapb/lapb_iface.c @@ -54,12 +54,12 @@ static void lapb_free_cb(struct lapb_cb *lapb) static __inline__ void lapb_hold(struct lapb_cb *lapb) { - atomic_inc(&lapb->refcnt); + refcount_inc(&lapb->refcnt); } static __inline__ void lapb_put(struct lapb_cb *lapb) { - if (atomic_dec_and_test(&lapb->refcnt)) + if (refcount_dec_and_test(&lapb->refcnt)) lapb_free_cb(lapb); } @@ -136,7 +136,7 @@ static struct lapb_cb *lapb_create_cb(void) lapb->mode = LAPB_DEFAULT_MODE; lapb->window = LAPB_DEFAULT_WINDOW; lapb->state = LAPB_STATE_0; - atomic_set(&lapb->refcnt, 1); + refcount_set(&lapb->refcnt, 1); out: return lapb; } -- 2.7.4