refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx> Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: David Windsor <dwindsor@xxxxxxxxx> --- include/net/ipx.h | 6 +++--- net/ipx/ipx_route.c | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/net/ipx.h b/include/net/ipx.h index 2de1281..af32b97 100644 --- a/include/net/ipx.h +++ b/include/net/ipx.h @@ -81,7 +81,7 @@ struct ipx_route { unsigned char ir_routed; unsigned char ir_router_node[IPX_NODE_LEN]; struct list_head node; /* node in ipx_routes list */ - atomic_t refcnt; + refcount_t refcnt; }; struct ipx_cb { @@ -164,12 +164,12 @@ static __inline__ void ipxitf_put(struct ipx_interface *intrfc) static __inline__ void ipxrtr_hold(struct ipx_route *rt) { - atomic_inc(&rt->refcnt); + refcount_inc(&rt->refcnt); } static __inline__ void ipxrtr_put(struct ipx_route *rt) { - if (atomic_dec_and_test(&rt->refcnt)) + if (refcount_dec_and_test(&rt->refcnt)) kfree(rt); } #endif /* _NET_INET_IPX_H_ */ diff --git a/net/ipx/ipx_route.c b/net/ipx/ipx_route.c index 3e2a32a..b5d9144 100644 --- a/net/ipx/ipx_route.c +++ b/net/ipx/ipx_route.c @@ -59,7 +59,7 @@ int ipxrtr_add_route(__be32 network, struct ipx_interface *intrfc, if (!rt) goto out; - atomic_set(&rt->refcnt, 1); + refcount_set(&rt->refcnt, 1); ipxrtr_hold(rt); write_lock_bh(&ipx_routes_lock); list_add(&rt->node, &ipx_routes); -- 2.7.4