net, rds: convert rds_message.m_refcount from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/rds/message.c b/net/rds/message.c
index 49bfb512d808d9f3159a031cf375767ef755d73a..4318cc9b78f7b157a19fe93433ccdf9c4c34153d 100644 (file)
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -48,8 +48,8 @@ static unsigned int   rds_exthdr_size[__RDS_EXTHDR_MAX] = {
 
 void rds_message_addref(struct rds_message *rm)
 {
-       rdsdebug("addref rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-       atomic_inc(&rm->m_refcount);
+       rdsdebug("addref rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+       refcount_inc(&rm->m_refcount);
 }
 EXPORT_SYMBOL_GPL(rds_message_addref);
 
@@ -83,9 +83,9 @@ static void rds_message_purge(struct rds_message *rm)
 
 void rds_message_put(struct rds_message *rm)
 {
-       rdsdebug("put rm %p ref %d\n", rm, atomic_read(&rm->m_refcount));
-       WARN(!atomic_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
-       if (atomic_dec_and_test(&rm->m_refcount)) {
+       rdsdebug("put rm %p ref %d\n", rm, refcount_read(&rm->m_refcount));
+       WARN(!refcount_read(&rm->m_refcount), "danger refcount zero on %p\n", rm);
+       if (refcount_dec_and_test(&rm->m_refcount)) {
                BUG_ON(!list_empty(&rm->m_sock_item));
                BUG_ON(!list_empty(&rm->m_conn_item));
                rds_message_purge(rm);
@@ -206,7 +206,7 @@ struct rds_message *rds_message_alloc(unsigned int extra_len, gfp_t gfp)
        rm->m_used_sgs = 0;
        rm->m_total_sgs = extra_len / sizeof(struct scatterlist);
 
-       atomic_set(&rm->m_refcount, 1);
+       refcount_set(&rm->m_refcount, 1);
        INIT_LIST_HEAD(&rm->m_sock_item);
        INIT_LIST_HEAD(&rm->m_conn_item);
        spin_lock_init(&rm->m_rs_lock);

diff --git a/net/rds/rds.h b/net/rds/rds.h
index ea72d6e33c14256266717f983f6171b343c672de..516bcc89b46fdfd630dad78ad432a753e977f633 100644 (file)
--- a/net/rds/rds.h
+++ b/net/rds/rds.h
@@ -356,7 +356,7 @@ static inline u32 rds_rdma_cookie_offset(rds_rdma_cookie_t cookie)
 #define RDS_MSG_FLUSH          8
 
 struct rds_message {
-       atomic_t                m_refcount;
+       refcount_t              m_refcount;
        struct list_head        m_sock_item;
        struct list_head        m_conn_item;
        struct rds_incoming     m_inc;