net, sctp: convert sctp_ep_common.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 6a0d372585064ada2fab4597d799f0d94161ec88..5ab29af8ca8acbdb80c94e4a07c23fac64a22526 100644 (file)
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1174,7 +1174,7 @@ struct sctp_ep_common {
         *   refcnt   - Reference count access to this object.
         *   dead     - Do not attempt to use this object.
         */
-       atomic_t    refcnt;
+       refcount_t    refcnt;
        bool        dead;
 
        /* What socket does this endpoint belong to?  */

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index fa4f530ab7e1435b645eaf3fc45fcb42f7e51e08..40ec83679d6ef17b16d5b6e612058a3d0d7222e9 100644 (file)
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -88,7 +88,7 @@ static struct sctp_association *sctp_association_init(struct sctp_association *a
        asoc->base.type = SCTP_EP_TYPE_ASSOCIATION;
 
        /* Initialize the object handling fields.  */
-       atomic_set(&asoc->base.refcnt, 1);
+       refcount_set(&asoc->base.refcnt, 1);
 
        /* Initialize the bind addr area.  */
        sctp_bind_addr_init(&asoc->base.bind_addr, ep->base.bind_addr.port);
@@ -873,7 +873,7 @@ void sctp_assoc_control_transport(struct sctp_association *asoc,
 /* Hold a reference to an association. */
 void sctp_association_hold(struct sctp_association *asoc)
 {
-       atomic_inc(&asoc->base.refcnt);
+       refcount_inc(&asoc->base.refcnt);
 }
 
 /* Release a reference to an association and cleanup
@@ -881,7 +881,7 @@ void sctp_association_hold(struct sctp_association *asoc)
  */
 void sctp_association_put(struct sctp_association *asoc)
 {
-       if (atomic_dec_and_test(&asoc->base.refcnt))
+       if (refcount_dec_and_test(&asoc->base.refcnt))
                sctp_association_destroy(asoc);
 }
 

diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
index efbc31877804e3d64d3c46ddd58916d16b2d3572..0e86f988f83621caaea34b3aa63772e2ec0ee7ca 100644 (file)
--- a/net/sctp/endpointola.c
+++ b/net/sctp/endpointola.c
@@ -114,7 +114,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
        ep->base.type = SCTP_EP_TYPE_SOCKET;
 
        /* Initialize the basic object fields. */
-       atomic_set(&ep->base.refcnt, 1);
+       refcount_set(&ep->base.refcnt, 1);
        ep->base.dead = false;
 
        /* Create an input queue.  */
@@ -285,7 +285,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
 /* Hold a reference to an endpoint. */
 void sctp_endpoint_hold(struct sctp_endpoint *ep)
 {
-       atomic_inc(&ep->base.refcnt);
+       refcount_inc(&ep->base.refcnt);
 }
 
 /* Release a reference to an endpoint and clean up if there are
@@ -293,7 +293,7 @@ void sctp_endpoint_hold(struct sctp_endpoint *ep)
  */
 void sctp_endpoint_put(struct sctp_endpoint *ep)
 {
-       if (atomic_dec_and_test(&ep->base.refcnt))
+       if (refcount_dec_and_test(&ep->base.refcnt))
                sctp_endpoint_destroy(ep);
 }