refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx> Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: David Windsor <dwindsor@xxxxxxxxx> --- include/net/llc.h | 6 +++--- net/llc/llc_core.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/net/llc.h b/include/net/llc.h index e8e61d4..dc35f25 100644 --- a/include/net/llc.h +++ b/include/net/llc.h @@ -55,7 +55,7 @@ struct llc_sap { unsigned char state; unsigned char p_bit; unsigned char f_bit; - atomic_t refcnt; + refcount_t refcnt; int (*rcv_func)(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, @@ -113,14 +113,14 @@ struct llc_sap *llc_sap_open(unsigned char lsap, struct net_device *orig_dev)); static inline void llc_sap_hold(struct llc_sap *sap) { - atomic_inc(&sap->refcnt); + refcount_inc(&sap->refcnt); } void llc_sap_close(struct llc_sap *sap); static inline void llc_sap_put(struct llc_sap *sap) { - if (atomic_dec_and_test(&sap->refcnt)) + if (refcount_dec_and_test(&sap->refcnt)) llc_sap_close(sap); } diff --git a/net/llc/llc_core.c b/net/llc/llc_core.c index 842851c..8904126 100644 --- a/net/llc/llc_core.c +++ b/net/llc/llc_core.c @@ -41,7 +41,7 @@ static struct llc_sap *llc_sap_alloc(void) spin_lock_init(&sap->sk_lock); for (i = 0; i < LLC_SK_LADDR_HASH_ENTRIES; i++) INIT_HLIST_NULLS_HEAD(&sap->sk_laddr_hash[i], i); - atomic_set(&sap->refcnt, 1); + refcount_set(&sap->refcnt, 1); } return sap; } -- 2.7.4