The refcount_t type and its corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This helps avoid accidental refcounter overflows that might lead to use-after-free situations.
Signed-off-by: Elena Reshetova <elena.reshet...@intel.com>
Signed-off-by: Hans Liljestrand <ishkam...@gmail.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Signed-off-by: David Windsor <dwind...@gmail.com>
---
 include/net/sctp/auth.h | 5 +++--
 net/sctp/auth.c | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/include/net/sctp/auth.h b/include/net/sctp/auth.h
index 9b9fb12..328fccc 100644
--- a/include/net/sctp/auth.h
+++ b/include/net/sctp/auth.h
@@ -31,6 +31,7 @@
 #define __sctp_auth_h__
 #include <linux/list.h>
+#include <linux/refcount.h>
 struct sctp_endpoint;
 struct sctp_association;
@@ -53,7 +54,7 @@ struct sctp_hmac {
 * over SCTP-AUTH
 */
 struct sctp_auth_bytes {
- atomic_t refcnt;
+ refcount_t refcnt;
 __u32 len;
 __u8 data[];
 };
@@ -76,7 +77,7 @@ static inline void sctp_auth_key_hold(struct sctp_auth_bytes *key)
 if (!key)
 return;
- atomic_inc(&key->refcnt);
+ refcount_inc(&key->refcnt);
 }
 void sctp_auth_key_put(struct sctp_auth_bytes *key);
diff --git a/net/sctp/auth.c b/net/sctp/auth.c
index f99d485..b6c98fe 100644
--- a/net/sctp/auth.c
+++ b/net/sctp/auth.c
@@ -63,7 +63,7 @@ void sctp_auth_key_put(struct sctp_auth_bytes *key)
 if (!key)
 return;
- if (atomic_dec_and_test(&key->refcnt)) {
+ if (refcount_dec_and_test(&key->refcnt)) {
 kzfree(key);
 SCTP_DBG_OBJCNT_DEC(keys);
 }
@@ -84,7 +84,7 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
 return NULL;
 key->len = key_len;
- atomic_set(&key->refcnt, 1);
+ refcount_set(&key->refcnt, 1);
 SCTP_DBG_OBJCNT_INC(keys);
 return key;
--
2.7.4
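Review bot: sctp_auth_key_hold() in include/net/sctp/auth.h has no comment stating that the caller must already own a reference, and that contract becomes observable with this conversion: refcount_inc() is documented to WARN when the counter is 0, treating it as a possible use-after-free, where atomic_inc() incremented silently. I would add above the function `/* Caller must already hold a reference on @key; refcount_inc() WARNs on a zero count. */`. The function's signature appears only in the hunk header and no callers are visible here, so whether any path can reach a zero count has to be checked against the call sites.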
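Review bot: The `refcount_dec_and_test()` branch in sctp_auth_key_put() (net/sctp/auth.c) is the only place shown where the key bytes are wiped with `kzfree()`, and a saturated refcount_t is documented to stay saturated rather than reach zero, so a key whose counter saturates would be leaked without being zeroed. That is the intended trade of a leak for a use-after-free, but for keying material it deserves a comment above the test, e.g. `/* A saturated refcnt never drops to zero: the key is leaked un-zeroed rather than freed. */`. The function begins and ends outside the hunk.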