lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Mon, 19 Jul 2021 11:24:36 +0800
From:   Xiyu Yang <xiyuyang19@...an.edu.cn>
To:     Evgeniy Polyakov <zbr@...emap.net>, linux-kernel@...r.kernel.org
Cc:     yuanxzhang@...an.edu.cn, Xiyu Yang <xiyuyang19@...an.edu.cn>,
        Xin Tan <tanxin.ctf@...il.com>
Subject: [PATCH] w1: Convert from atomic_t to refcount_t on w1_cb_block->refcnt

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Signed-off-by: Xiyu Yang <xiyuyang19@...an.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@...il.com>
---
 drivers/w1/w1_netlink.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/w1/w1_netlink.c b/drivers/w1/w1_netlink.c
index fa490aa4407c..a24e09bb13ab 100644
--- a/drivers/w1/w1_netlink.c
+++ b/drivers/w1/w1_netlink.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2003 Evgeniy Polyakov <zbr@...emap.net>
  */
 
+#include <linux/refcount.h>
 #include <linux/slab.h>
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
@@ -17,7 +18,7 @@
  * allocation.
  */
 struct w1_cb_block {
-	atomic_t refcnt;
+	refcount_t refcnt;
 	u32 portid; /* Sending process port ID */
 	/* maximum value for first_cn->len */
 	u16 maxlen;
@@ -61,7 +62,7 @@ static u16 w1_reply_len(struct w1_cb_block *block)
 
 static void w1_unref_block(struct w1_cb_block *block)
 {
-	if (atomic_sub_return(1, &block->refcnt) == 0) {
+	if (refcount_dec_and_test(&block->refcnt)) {
 		u16 len = w1_reply_len(block);
 		if (len) {
 			cn_netlink_send_mult(block->first_cn, len,
@@ -609,7 +610,7 @@ static void w1_cn_callback(struct cn_msg *cn, struct netlink_skb_parms *nsp)
 			w1_netlink_send_error(cn, msg, nsp->portid, -ENOMEM);
 			return;
 		}
-		atomic_set(&block->refcnt, 1);
+		refcount_set(&block->refcnt, 1);
 		block->portid = nsp->portid;
 		memcpy(&block->request_cn, cn, sizeof(*cn) + cn->len);
 		node = (struct w1_cb_node *)(block->request_cn.data + cn->len);
@@ -675,7 +676,7 @@ static void w1_cn_callback(struct cn_msg *cn, struct netlink_skb_parms *nsp)
 
 		err = 0;
 
-		atomic_inc(&block->refcnt);
+		refcount_inc(&block->refcnt);
 		node->async.cb = w1_process_cb;
 		node->block = block;
 		node->msg = (struct w1_netlink_msg *)((u8 *)&block->request_cn +
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ