lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1626516975-42566-1-git-send-email-xiyuyang19@fudan.edu.cn>
Date:   Sat, 17 Jul 2021 18:16:15 +0800
From:   Xiyu Yang <xiyuyang19@...an.edu.cn>
To:     Raju Rangoju <rajur@...lsio.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     yuanxzhang@...an.edu.cn, Xiyu Yang <xiyuyang19@...an.edu.cn>,
        Xin Tan <tanxin.ctf@...il.com>
Subject: [PATCH] cxgb3: Convert from atomic_t to refcount_t on l2t_entry->refcnt

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
---
 drivers/net/ethernet/chelsio/cxgb3/l2t.c | 15 ++++++++-------
 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 10 +++++++---
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.c b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
index 9749d1239f58..0f2a47bc20d8 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
@@ -225,10 +225,11 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
 
 	/* there's definitely a free entry */
 	for (e = d->rover, end = &d->l2tab[d->nentries]; e != end; ++e)
-		if (atomic_read(&e->refcnt) == 0)
+		if (refcount_read(&e->refcnt) == 0)
 			goto found;
 
-	for (e = &d->l2tab[1]; atomic_read(&e->refcnt); ++e) ;
+	for (e = &d->l2tab[1]; refcount_read(&e->refcnt); ++e)
+		;
 found:
 	d->rover = e + 1;
 	atomic_dec(&d->nfree);
@@ -264,7 +265,7 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
 void t3_l2e_free(struct l2t_data *d, struct l2t_entry *e)
 {
 	spin_lock_bh(&e->lock);
-	if (atomic_read(&e->refcnt) == 0) {	/* hasn't been recycled */
+	if (refcount_read(&e->refcnt) == 0) {	/* hasn't been recycled */
 		if (e->neigh) {
 			neigh_release(e->neigh);
 			e->neigh = NULL;
@@ -335,7 +336,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
 		if (e->addr == addr && e->ifindex == ifidx &&
 		    e->smt_idx == smt_idx) {
 			l2t_hold(d, e);
-			if (atomic_read(&e->refcnt) == 1)
+			if (refcount_read(&e->refcnt) == 1)
 				reuse_entry(e, neigh);
 			goto done_unlock;
 		}
@@ -350,7 +351,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
 		e->addr = addr;
 		e->ifindex = ifidx;
 		e->smt_idx = smt_idx;
-		atomic_set(&e->refcnt, 1);
+		refcount_set(&e->refcnt, 1);
 		neigh_replace(e, neigh);
 		if (is_vlan_dev(neigh->dev))
 			e->vlan = vlan_dev_vlan_id(neigh->dev);
@@ -418,7 +419,7 @@ void t3_l2t_update(struct t3cdev *dev, struct neighbour *neigh)
 	__skb_queue_head_init(&arpq);
 
 	read_unlock(&d->lock);
-	if (atomic_read(&e->refcnt)) {
+	if (refcount_read(&e->refcnt)) {
 		if (neigh != e->neigh)
 			neigh_replace(e, neigh);
 
@@ -459,7 +460,7 @@ struct l2t_data *t3_init_l2t(unsigned int l2t_capacity)
 		d->l2tab[i].state = L2T_STATE_UNUSED;
 		__skb_queue_head_init(&d->l2tab[i].arpq);
 		spin_lock_init(&d->l2tab[i].lock);
-		atomic_set(&d->l2tab[i].refcnt, 0);
+		refcount_set(&d->l2tab[i].refcnt, 0);
 	}
 	return d;
 }
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index ea75f275023f..bbdaa4a6aba2 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -35,6 +35,7 @@
 #include <linux/spinlock.h>
 #include "t3cdev.h"
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 
 enum {
 	L2T_STATE_VALID,	/* entry is up to date */
@@ -66,7 +67,7 @@ struct l2t_entry {
 	struct l2t_entry *next;	/* next l2t_entry on chain */
 	struct sk_buff_head arpq;	/* queue of packets awaiting resolution */
 	spinlock_t lock;
-	atomic_t refcnt;	/* entry reference count */
+	refcount_t refcnt;	/* entry reference count */
 	u8 dmac[6];		/* neighbour's MAC address */
 };
 
@@ -133,7 +134,7 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
 	rcu_read_lock();
 	d = L2DATA(t);
 
-	if (atomic_dec_and_test(&e->refcnt) && d)
+	if (refcount_dec_and_test(&e->refcnt) && d)
 		t3_l2e_free(d, e);
 
 	rcu_read_unlock();
@@ -141,7 +142,10 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
 
 static inline void l2t_hold(struct l2t_data *d, struct l2t_entry *e)
 {
-	if (d && atomic_add_return(1, &e->refcnt) == 1)	/* 0 -> 1 transition */
+	if (!d)
+		return;
+	refcount_inc(&e->refcnt);
+	if (refcount_read(&e->refcnt) == 1)	/* 0 -> 1 transition */
 		atomic_dec(&d->nfree);
 }
 
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ