forked from Minki/linux
net: convert fib_treeref from int to refcount_t
refcount_t type should be used instead of int when fib_treeref is used as a reference counter,and avoid use-after-free risks. Signed-off-by: Yajun Deng <yajun.deng@linux.dev> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20210729071350.28919-1-yajun.deng@linux.dev Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
parent
3e12361b6d
commit
79976892f7
@ -29,7 +29,7 @@ struct dn_fib_nh {
|
||||
struct dn_fib_info {
|
||||
struct dn_fib_info *fib_next;
|
||||
struct dn_fib_info *fib_prev;
|
||||
int fib_treeref;
|
||||
refcount_t fib_treeref;
|
||||
refcount_t fib_clntref;
|
||||
int fib_dead;
|
||||
unsigned int fib_flags;
|
||||
|
@ -133,7 +133,7 @@ struct fib_info {
|
||||
struct hlist_node fib_lhash;
|
||||
struct list_head nh_list;
|
||||
struct net *fib_net;
|
||||
int fib_treeref;
|
||||
refcount_t fib_treeref;
|
||||
refcount_t fib_clntref;
|
||||
unsigned int fib_flags;
|
||||
unsigned char fib_dead;
|
||||
|
@ -102,7 +102,7 @@ void dn_fib_free_info(struct dn_fib_info *fi)
|
||||
void dn_fib_release_info(struct dn_fib_info *fi)
|
||||
{
|
||||
spin_lock(&dn_fib_info_lock);
|
||||
if (fi && --fi->fib_treeref == 0) {
|
||||
if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
|
||||
if (fi->fib_next)
|
||||
fi->fib_next->fib_prev = fi->fib_prev;
|
||||
if (fi->fib_prev)
|
||||
@ -385,11 +385,11 @@ link_it:
|
||||
if ((ofi = dn_fib_find_info(fi)) != NULL) {
|
||||
fi->fib_dead = 1;
|
||||
dn_fib_free_info(fi);
|
||||
ofi->fib_treeref++;
|
||||
refcount_inc(&ofi->fib_treeref);
|
||||
return ofi;
|
||||
}
|
||||
|
||||
fi->fib_treeref++;
|
||||
refcount_inc(&fi->fib_treeref);
|
||||
refcount_set(&fi->fib_clntref, 1);
|
||||
spin_lock(&dn_fib_info_lock);
|
||||
fi->fib_next = dn_fib_info_list;
|
||||
|
@ -260,7 +260,7 @@ EXPORT_SYMBOL_GPL(free_fib_info);
|
||||
void fib_release_info(struct fib_info *fi)
|
||||
{
|
||||
spin_lock_bh(&fib_info_lock);
|
||||
if (fi && --fi->fib_treeref == 0) {
|
||||
if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
|
||||
hlist_del(&fi->fib_hash);
|
||||
if (fi->fib_prefsrc)
|
||||
hlist_del(&fi->fib_lhash);
|
||||
@ -1373,7 +1373,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
|
||||
if (!cfg->fc_mx) {
|
||||
fi = fib_find_info_nh(net, cfg);
|
||||
if (fi) {
|
||||
fi->fib_treeref++;
|
||||
refcount_inc(&fi->fib_treeref);
|
||||
return fi;
|
||||
}
|
||||
}
|
||||
@ -1547,11 +1547,11 @@ link_it:
|
||||
if (ofi) {
|
||||
fi->fib_dead = 1;
|
||||
free_fib_info(fi);
|
||||
ofi->fib_treeref++;
|
||||
refcount_inc(&ofi->fib_treeref);
|
||||
return ofi;
|
||||
}
|
||||
|
||||
fi->fib_treeref++;
|
||||
refcount_inc(&fi->fib_treeref);
|
||||
refcount_set(&fi->fib_clntref, 1);
|
||||
spin_lock_bh(&fib_info_lock);
|
||||
hlist_add_head(&fi->fib_hash,
|
||||
|
Loading…
Reference in New Issue
Block a user