refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.
Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
drivers/net/ethernet/chelsio/cxgb3/l2t.c | 15 ++++++++-------
drivers/net/ethernet/chelsio/cxgb3/l2t.h | 10 +++++++---
2 files changed, 15 insertions(+), 10 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.c b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
index 9749d1239f58..0f2a47bc20d8 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
@@ -225,10 +225,11 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
/* there's definitely a free entry */
for (e = d->rover, end = &d->l2tab[d->nentries]; e != end; ++e)
- if (atomic_read(&e->refcnt) == 0)
+ if (refcount_read(&e->refcnt) == 0)
goto found;
- for (e = &d->l2tab[1]; atomic_read(&e->refcnt); ++e) ;
+ for (e = &d->l2tab[1]; refcount_read(&e->refcnt); ++e)
+ ;
found:
d->rover = e + 1;
atomic_dec(&d->nfree);
@@ -264,7 +265,7 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
void t3_l2e_free(struct l2t_data *d, struct l2t_entry *e)
{
spin_lock_bh(&e->lock);
- if (atomic_read(&e->refcnt) == 0) { /* hasn't been recycled */
+ if (refcount_read(&e->refcnt) == 0) { /* hasn't been recycled */
if (e->neigh) {
neigh_release(e->neigh);
e->neigh = NULL;
@@ -335,7 +336,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
if (e->addr == addr && e->ifindex == ifidx &&
e->smt_idx == smt_idx) {
l2t_hold(d, e);
- if (atomic_read(&e->refcnt) == 1)
+ if (refcount_read(&e->refcnt) == 1)
reuse_entry(e, neigh);
goto done_unlock;
}
@@ -350,7 +351,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
e->addr = addr;
e->ifindex = ifidx;
e->smt_idx = smt_idx;
- atomic_set(&e->refcnt, 1);
+ refcount_set(&e->refcnt, 1);
neigh_replace(e, neigh);
if (is_vlan_dev(neigh->dev))
e->vlan = vlan_dev_vlan_id(neigh->dev);
@@ -418,7 +419,7 @@ void t3_l2t_update(struct t3cdev *dev, struct neighbour *neigh)
__skb_queue_head_init(&arpq);
read_unlock(&d->lock);
- if (atomic_read(&e->refcnt)) {
+ if (refcount_read(&e->refcnt)) {
if (neigh != e->neigh)
neigh_replace(e, neigh);
@@ -459,7 +460,7 @@ struct l2t_data *t3_init_l2t(unsigned int l2t_capacity)
d->l2tab[i].state = L2T_STATE_UNUSED;
__skb_queue_head_init(&d->l2tab[i].arpq);
spin_lock_init(&d->l2tab[i].lock);
- atomic_set(&d->l2tab[i].refcnt, 0);
+ refcount_set(&d->l2tab[i].refcnt, 0);
}
return d;
}
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index ea75f275023f..bbdaa4a6aba2 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -35,6 +35,7 @@
#include <linux/spinlock.h>
#include "t3cdev.h"
#include <linux/atomic.h>
+#include <linux/refcount.h>
enum {
L2T_STATE_VALID, /* entry is up to date */
@@ -66,7 +67,7 @@ struct l2t_entry {
struct l2t_entry *next; /* next l2t_entry on chain */
struct sk_buff_head arpq; /* queue of packets awaiting resolution */
spinlock_t lock;
- atomic_t refcnt; /* entry reference count */
+ refcount_t refcnt; /* entry reference count */
u8 dmac[6]; /* neighbour's MAC address */
};
@@ -133,7 +134,7 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
rcu_read_lock();
d = L2DATA(t);
- if (atomic_dec_and_test(&e->refcnt) && d)
+ if (refcount_dec_and_test(&e->refcnt) && d)
t3_l2e_free(d, e);
rcu_read_unlock();
@@ -141,7 +142,10 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
static inline void l2t_hold(struct l2t_data *d, struct l2t_entry *e)
{
- if (d && atomic_add_return(1, &e->refcnt) == 1) /* 0 -> 1 transition */
+ if (!d)
+ return;
+ refcount_inc(&e->refcnt);
+ if (refcount_read(&e->refcnt) == 1) /* 0 -> 1 transition */
atomic_dec(&d->nfree);
}
--
2.7.4
On Sat, Jul 17, 2021 at 06:16:15PM +0800, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>
> ---
> drivers/net/ethernet/chelsio/cxgb3/l2t.c | 15 ++++++++-------
> drivers/net/ethernet/chelsio/cxgb3/l2t.h | 10 +++++++---
> 2 files changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.c b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> index 9749d1239f58..0f2a47bc20d8 100644
> --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> +++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> @@ -225,10 +225,11 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
>
> /* there's definitely a free entry */
> for (e = d->rover, end = &d->l2tab[d->nentries]; e != end; ++e)
> - if (atomic_read(&e->refcnt) == 0)
> + if (refcount_read(&e->refcnt) == 0)
All those atomic_t to refcount_t patches can't be right, refcount_t can't be 0.
Thanks