linux-wireless.vger.kernel.org archive mirror
* [PATCH 00/16] Networking drivers refcount conversions
@ 2017-03-28  8:56 Elena Reshetova
  2017-03-28  8:56 ` [PATCH 01/16] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
                   ` (15 more replies)
  0 siblings, 16 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova

This series, for various different networking drivers, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can lead to use-after-free vulnerabilities.

The below patches are fully independent and can be cherry-picked separately.
Since we convert all kernel subsystems in the same fashion, resulting
in about 300 patches, we have to group them for sending at least in some
fashion to be manageable. Please excuse the long cc list.

If there are no objections to these patches, please take them
through the relevant trees.

Elena Reshetova (16):
  drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to
    refcount_t
  drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_cq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_qp.refcount from atomic_t to
    refcount_t
  drivers, net, mlx4: convert mlx4_srq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to
    refcount_t
  drivers, net, mlx5: convert fs_node.refcount from atomic_t to
    refcount_t
  drivers, net, hamradio: convert sixpack.refcnt from atomic_t to
    refcount_t
  drivers, net: convert masces_rx_sa.refcnt from atomic_t to refcount_t
  drivers, net: convert masces_rx_sc.refcnt from atomic_t to refcount_t
  drivers, net: convert masces_tx_sa.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert asyncppp.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert ppp_file.refcnt from atomic_t to refcount_t
  drivers, net, ppp: convert syncppp.refcnt from atomic_t to refcount_t
  drivers, net, intersil: convert hostap_cmd_queue.usecnt from atomic_t
    to refcount_t
  drivers, net, intersil: convert request_context.refcount from atomic_t
    to refcount_t

 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c      | 13 ++++++-----
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h      |  4 +++-
 drivers/net/ethernet/mediatek/mtk_eth_soc.c        |  8 ++++---
 drivers/net/ethernet/mediatek/mtk_eth_soc.h        |  4 +++-
 drivers/net/ethernet/mellanox/mlx4/cq.c            |  8 +++----
 drivers/net/ethernet/mellanox/mlx4/qp.c            |  8 +++----
 drivers/net/ethernet/mellanox/mlx4/srq.c           |  8 +++----
 drivers/net/ethernet/mellanox/mlx5/core/cq.c       | 16 +++++++-------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c  | 24 ++++++++++-----------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h  |  3 ++-
 drivers/net/hamradio/6pack.c                       | 12 +++++------
 drivers/net/macsec.c                               | 25 +++++++++++-----------
 drivers/net/ppp/ppp_async.c                        | 10 ++++-----
 drivers/net/ppp/ppp_generic.c                      | 17 ++++++++-------
 drivers/net/ppp/ppp_synctty.c                      | 11 +++++-----
 drivers/net/wireless/intersil/hostap/hostap_hw.c   | 12 +++++------
 drivers/net/wireless/intersil/hostap/hostap_wlan.h |  3 ++-
 .../net/wireless/intersil/orinoco/orinoco_usb.c    | 15 +++++++------
 include/linux/mlx4/device.h                        |  8 +++----
 include/linux/mlx5/cq.h                            |  4 ++--
 20 files changed, 112 insertions(+), 101 deletions(-)

-- 
2.7.4
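
An added illustration of the overflow and underflow cases the cover letter refers to; it is not code from this series or from the kernel. It is a simplified userspace model in C11 atomics: the model_* and wrapping_* names are made up for this example, the wrapping counter stands in for a plain atomic counter (unsigned here so the wrap is well defined), and the saturating counter follows the refcount_t behaviour of refusing an increment from zero and sticking at UINT_MAX.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Plain wrapping counter: stands in for a reference count kept in an
 * ordinary atomic integer (assumption: unsigned, to avoid signed overflow). */
static unsigned int wrapping_inc(atomic_uint *v)
{
	return atomic_fetch_add(v, 1) + 1;
}

static bool wrapping_dec_and_test(atomic_uint *v)
{
	return atomic_fetch_sub(v, 1) - 1 == 0;
}

/* Saturating model of a reference counter (hypothetical names). */
typedef struct { atomic_uint v; } model_refcount_t;

static void model_refcount_set(model_refcount_t *r, unsigned int n)
{
	atomic_store(&r->v, n);
}

static unsigned int model_refcount_read(model_refcount_t *r)
{
	return atomic_load(&r->v);
}

/* Take a reference unless the object is already dead (count == 0). */
static bool model_refcount_inc_not_zero(model_refcount_t *r)
{
	unsigned int old = atomic_load(&r->v);

	do {
		if (old == 0)
			return false;	/* would resurrect a released object */
		if (old == UINT_MAX)
			return true;	/* saturated: stay pinned, leak instead of wrap */
	} while (!atomic_compare_exchange_weak(&r->v, &old, old + 1));
	return true;
}

/* Drop a reference; true only for the 1 -> 0 transition. */
static bool model_refcount_dec_and_test(model_refcount_t *r)
{
	unsigned int old = atomic_load(&r->v);

	do {
		if (old == UINT_MAX)
			return false;	/* saturated counters are never freed */
		if (old == 0)
			return false;	/* underflow attempt: refuse */
	} while (!atomic_compare_exchange_weak(&r->v, &old, old - 1));
	return old == 1;		/* old is the value before the decrement */
}

/* Overflow case. Constructed state: a leaky path has taken UINT_MAX refs. */
static bool wrapping_frees_early(void)
{
	atomic_uint cnt;

	atomic_init(&cnt, UINT_MAX);
	wrapping_inc(&cnt);			/* one more get wraps to 0 */
	wrapping_inc(&cnt);			/* next user: 0 -> 1 */
	return wrapping_dec_and_test(&cnt);	/* its put "frees" under the others */
}

static bool saturating_frees_early(void)
{
	model_refcount_t r;

	model_refcount_set(&r, UINT_MAX - 1);
	model_refcount_inc_not_zero(&r);	/* reaches UINT_MAX */
	model_refcount_inc_not_zero(&r);	/* stays at UINT_MAX */
	return model_refcount_dec_and_test(&r);	/* refused: object is leaked, not freed */
}

/* Underflow case: a buggy second put after the last reference is gone. */
static unsigned int double_put_wrapping(void)
{
	atomic_uint cnt;

	atomic_init(&cnt, 1);
	wrapping_dec_and_test(&cnt);		/* 1 -> 0, object freed */
	wrapping_dec_and_test(&cnt);		/* 0 -> UINT_MAX, looks alive again */
	return atomic_load(&cnt);
}

static unsigned int double_put_model(void)
{
	model_refcount_t r;

	model_refcount_set(&r, 1);
	model_refcount_dec_and_test(&r);	/* 1 -> 0, object freed */
	model_refcount_dec_and_test(&r);	/* refused, count stays 0 */
	model_refcount_inc_not_zero(&r);	/* late get on dead object: refused */
	return model_refcount_read(&r);
}

int main(void)
{
	printf("overflow:   wrapping frees early=%d, saturating frees early=%d\n",
	       wrapping_frees_early(), saturating_frees_early());
	printf("double put: wrapping count=%u, saturating count=%u\n",
	       double_put_wrapping(), double_put_model());
	return 0;
}
```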


* [PATCH 01/16] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 02/16] drivers, net, ethernet: convert mtk_eth.dma_refcnt " Elena Reshetova
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c | 13 ++++++-------
 drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h |  4 +++-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
index 3103ef9..2900390 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.c
@@ -96,7 +96,8 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		if (!ret) {
 			ce = cte;
 			read_unlock_bh(&ctbl->lock);
-			goto found;
+			refcount_inc(&ce->refcnt);
+			return 0;
 		}
 	}
 	read_unlock_bh(&ctbl->lock);
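
Review bot: in the lookup-hit branch, refcount_inc(&ce->refcnt) runs after read_unlock_bh(&ctbl->lock), so the reference is taken with no lock held, while cxgb4_clip_release() drops its reference under write_lock_bh(&ctbl->lock). If the count reaches zero in that window, refcount_inc() on the zero count warns rather than taking the reference. The removed goto found path had the same ordering, but since this hunk rewrites the branch anyway, take the reference before the unlock: refcount_inc(&ce->refcnt); read_unlock_bh(&ctbl->lock); return 0;
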
@@ -108,7 +109,7 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		list_del(&ce->list);
 		INIT_LIST_HEAD(&ce->list);
 		spin_lock_init(&ce->lock);
-		atomic_set(&ce->refcnt, 0);
+		refcount_set(&ce->refcnt, 0);
 		atomic_dec(&ctbl->nfree);
 		list_add_tail(&ce->list, &ctbl->hash_list[hash]);
 		if (v6) {
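
Review bot: refcount_set(&ce->refcnt, 0) gives the new entry a zero count just before list_add_tail() links it into ctbl->hash_list[hash]. For refcount_t, zero means the object has been released, and an increment from zero is reported as a use-after-free instead of being counted. Initialise to 1 here, refcount_set(&ce->refcnt, 1), so the entry is never in the table with a zero count, and check that the error paths between this point and the final return still hand the entry back correctly.
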
@@ -138,9 +139,7 @@ int cxgb4_clip_get(const struct net_device *dev, const u32 *lip, u8 v6)
 		return -ENOMEM;
 	}
 	write_unlock_bh(&ctbl->lock);
-found:
-	atomic_inc(&ce->refcnt);
-
+	refcount_set(&ce->refcnt, 1);
 	return 0;
 }
 EXPORT_SYMBOL(cxgb4_clip_get);
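
Review bot: refcount_set(&ce->refcnt, 1) after write_unlock_bh(&ctbl->lock) is a plain store to an entry that is already on the hash list, so a reference taken by a concurrent cxgb4_clip_get() lookup between the unlock and this line is overwritten; the removed atomic_inc() added to whatever the count was. Do the store while ctbl->lock is still write-held, or at initialisation, and say in the commit message that this patch changes how the first reference is taken, since the generic conversion text does not cover it.
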
@@ -179,7 +178,7 @@ void cxgb4_clip_release(const struct net_device *dev, const u32 *lip, u8 v6)
 found:
 	write_lock_bh(&ctbl->lock);
 	spin_lock_bh(&ce->lock);
-	if (atomic_dec_and_test(&ce->refcnt)) {
+	if (refcount_dec_and_test(&ce->refcnt)) {
 		list_del(&ce->list);
 		INIT_LIST_HEAD(&ce->list);
 		list_add_tail(&ce->list, &ctbl->ce_free_head);
@@ -266,7 +265,7 @@ int clip_tbl_show(struct seq_file *seq, void *v)
 			ip[0] = '\0';
 			sprintf(ip, "%pISc", &ce->addr);
 			seq_printf(seq, "%-25s   %u\n", ip,
-				   atomic_read(&ce->refcnt));
+				   refcount_read(&ce->refcnt));
 		}
 	}
 	seq_printf(seq, "Free clip entries : %d\n", atomic_read(&ctbl->nfree));
diff --git a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
index 35eb43c..a0e0ae1 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
+++ b/drivers/net/ethernet/chelsio/cxgb4/clip_tbl.h
@@ -10,9 +10,11 @@
  *  release for licensing terms and conditions.
  */
 
+#include <linux/refcount.h>
+
 struct clip_entry {
 	spinlock_t lock;	/* Hold while modifying clip reference */
-	atomic_t refcnt;
+	refcount_t refcnt;
 	struct list_head list;
 	union {
 		struct sockaddr_in addr;
-- 
2.7.4


* [PATCH 02/16] drivers, net, ethernet: convert mtk_eth.dma_refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
  2017-03-28  8:56 ` [PATCH 01/16] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 03/16] drivers, net, mlx4: convert mlx4_cq.refcount " Elena Reshetova
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 +++++---
 drivers/net/ethernet/mediatek/mtk_eth_soc.h | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index bf6317e..d27f9d9 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -1725,7 +1725,7 @@ static int mtk_open(struct net_device *dev)
 	struct mtk_eth *eth = mac->hw;
 
 	/* we run 2 netdevs on the same dma ring so we only bring it up once */
-	if (!atomic_read(&eth->dma_refcnt)) {
+	if (!refcount_read(&eth->dma_refcnt)) {
 		int err = mtk_start_dma(eth);
 
 		if (err)
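
Review bot: if (!refcount_read(&eth->dma_refcnt)) treats zero as the normal "DMA not started" state, and the value read here is acted on later by a separate refcount_set() or refcount_inc(), so the 0 to 1 transition in mtk_open() is a read followed by a store rather than one atomic operation. The commit message is the generic conversion text; it should state what serialises mtk_open() against itself and mtk_stop(), because two openers that both read zero would now both store 1 where the old code counted 2.
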
@@ -1735,8 +1735,10 @@ static int mtk_open(struct net_device *dev)
 		napi_enable(&eth->rx_napi);
 		mtk_irq_enable(eth, MTK_QDMA_INT_MASK, MTK_TX_DONE_INT);
 		mtk_irq_enable(eth, MTK_PDMA_INT_MASK, MTK_RX_DONE_INT);
+		refcount_set(&eth->dma_refcnt, 1);
 	}
-	atomic_inc(&eth->dma_refcnt);
+	else
+		refcount_inc(&eth->dma_refcnt);
 
 	phy_start(dev->phydev);
 	netif_start_queue(dev);
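
Review bot: the added else sits on its own line after the closing brace, and only one branch is braced. Kernel coding style puts else on the same line as the brace and braces both branches when either needs them: "} else {", then refcount_inc(&eth->dma_refcnt);, then "}".
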
@@ -1776,7 +1778,7 @@ static int mtk_stop(struct net_device *dev)
 	phy_stop(dev->phydev);
 
 	/* only shutdown DMA if this is the last user */
-	if (!atomic_dec_and_test(&eth->dma_refcnt))
+	if (!refcount_dec_and_test(&eth->dma_refcnt))
 		return 0;
 
 	mtk_irq_disable(eth, MTK_QDMA_INT_MASK, MTK_TX_DONE_INT);
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
index 99b1c8e..e5b99b7 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
@@ -15,6 +15,8 @@
 #ifndef MTK_ETH_H
 #define MTK_ETH_H
 
+#include <linux/refcount.h>
+
 #define MTK_QDMA_PAGE_SIZE	2048
 #define	MTK_MAX_RX_LENGTH	1536
 #define MTK_TX_DMA_BUF_LEN	0x3fff
@@ -541,7 +543,7 @@ struct mtk_eth {
 	struct regmap			*pctl;
 	u32				chip_id;
 	bool				hwlro;
-	atomic_t			dma_refcnt;
+	refcount_t			dma_refcnt;
 	struct mtk_tx_ring		tx_ring;
 	struct mtk_rx_ring		rx_ring[MTK_MAX_RX_RING_NUM];
 	struct napi_struct		tx_napi;
-- 
2.7.4


* [PATCH 03/16] drivers, net, mlx4: convert mlx4_cq.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
  2017-03-28  8:56 ` [PATCH 01/16] drivers, net, ethernet: convert clip_entry.refcnt from atomic_t to refcount_t Elena Reshetova
  2017-03-28  8:56 ` [PATCH 02/16] drivers, net, ethernet: convert mtk_eth.dma_refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 04/16] drivers, net, mlx4: convert mlx4_qp.refcount " Elena Reshetova
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx4/cq.c | 8 ++++----
 include/linux/mlx4/device.h             | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/cq.c b/drivers/net/ethernet/mellanox/mlx4/cq.c
index fa6d235..c58e8b7 100644
--- a/drivers/net/ethernet/mellanox/mlx4/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/cq.c
@@ -69,7 +69,7 @@ void mlx4_cq_tasklet_cb(unsigned long data)
 	list_for_each_entry_safe(mcq, temp, &ctx->process_list, tasklet_ctx.list) {
 		list_del_init(&mcq->tasklet_ctx.list);
 		mcq->tasklet_ctx.comp(mcq);
-		if (atomic_dec_and_test(&mcq->refcount))
+		if (refcount_dec_and_test(&mcq->refcount))
 			complete(&mcq->free);
 		if (time_after(jiffies, end))
 			break;
@@ -92,7 +92,7 @@ static void mlx4_add_cq_to_tasklet(struct mlx4_cq *cq)
 	 * still arrive.
 	 */
 	if (list_empty_careful(&cq->tasklet_ctx.list)) {
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 		kick = list_empty(&tasklet_ctx->list);
 		list_add_tail(&cq->tasklet_ctx.list, &tasklet_ctx->list);
 		if (kick)
@@ -343,7 +343,7 @@ int mlx4_cq_alloc(struct mlx4_dev *dev, int nent,
 	cq->cons_index = 0;
 	cq->arm_sn     = 1;
 	cq->uar        = uar;
-	atomic_set(&cq->refcount, 1);
+	refcount_set(&cq->refcount, 1);
 	init_completion(&cq->free);
 	cq->comp = mlx4_add_cq_to_tasklet;
 	cq->tasklet_ctx.priv =
@@ -385,7 +385,7 @@ void mlx4_cq_free(struct mlx4_dev *dev, struct mlx4_cq *cq)
 	    priv->eq_table.eq[MLX4_EQ_ASYNC].irq)
 		synchronize_irq(priv->eq_table.eq[MLX4_EQ_ASYNC].irq);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 	wait_for_completion(&cq->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index 7e66e4f..5fea001 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -40,7 +40,7 @@
 #include <linux/cpu_rmap.h>
 #include <linux/crash_dump.h>
 
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include <linux/timecounter.h>
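
Review bot: replacing #include <linux/atomic.h> with #include <linux/refcount.h> drops the direct atomic.h include while this header still declares atomic_t members; mlx4_qp.refcount and mlx4_srq.refcount are only converted by patches 04 and 05 of this series. Add the refcount.h include and keep atomic.h, so the header does not depend on a transitive include and the patch stays cherry-pickable on its own, as the cover letter says.
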
 
@@ -738,7 +738,7 @@ struct mlx4_cq {
 	int			cqn;
 	unsigned		vector;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 	struct {
 		struct list_head list;
-- 
2.7.4


* [PATCH 04/16] drivers, net, mlx4: convert mlx4_qp.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (2 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 03/16] drivers, net, mlx4: convert mlx4_cq.refcount " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 05/16] drivers, net, mlx4: convert mlx4_srq.refcount " Elena Reshetova
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx4/qp.c | 8 ++++----
 include/linux/mlx4/device.h             | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/qp.c b/drivers/net/ethernet/mellanox/mlx4/qp.c
index 2d6abd4..6017316 100644
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -55,7 +55,7 @@ void mlx4_qp_event(struct mlx4_dev *dev, u32 qpn, int event_type)
 
 	qp = __mlx4_qp_lookup(dev, qpn);
 	if (qp)
-		atomic_inc(&qp->refcount);
+		refcount_inc(&qp->refcount);
 
 	spin_unlock(&qp_table->lock);
 
@@ -66,7 +66,7 @@ void mlx4_qp_event(struct mlx4_dev *dev, u32 qpn, int event_type)
 
 	qp->event(qp, event_type);
 
-	if (atomic_dec_and_test(&qp->refcount))
+	if (refcount_dec_and_test(&qp->refcount))
 		complete(&qp->free);
 }
 
@@ -406,7 +406,7 @@ int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp)
 	if (err)
 		goto err_icm;
 
-	atomic_set(&qp->refcount, 1);
+	refcount_set(&qp->refcount, 1);
 	init_completion(&qp->free);
 
 	return 0;
@@ -500,7 +500,7 @@ EXPORT_SYMBOL_GPL(mlx4_qp_remove);
 
 void mlx4_qp_free(struct mlx4_dev *dev, struct mlx4_qp *qp)
 {
-	if (atomic_dec_and_test(&qp->refcount))
+	if (refcount_dec_and_test(&qp->refcount))
 		complete(&qp->free);
 	wait_for_completion(&qp->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index 5fea001..756ca22 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -754,7 +754,7 @@ struct mlx4_qp {
 
 	int			qpn;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 };
 
-- 
2.7.4


* [PATCH 05/16] drivers, net, mlx4: convert mlx4_srq.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (3 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 04/16] drivers, net, mlx4: convert mlx4_qp.refcount " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount " Elena Reshetova
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx4/srq.c | 8 ++++----
 include/linux/mlx4/device.h              | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/srq.c b/drivers/net/ethernet/mellanox/mlx4/srq.c
index f44d089..3369f65 100644
--- a/drivers/net/ethernet/mellanox/mlx4/srq.c
+++ b/drivers/net/ethernet/mellanox/mlx4/srq.c
@@ -49,7 +49,7 @@ void mlx4_srq_event(struct mlx4_dev *dev, u32 srqn, int event_type)
 	srq = radix_tree_lookup(&srq_table->tree, srqn & (dev->caps.num_srqs - 1));
 	rcu_read_unlock();
 	if (srq)
-		atomic_inc(&srq->refcount);
+		refcount_inc(&srq->refcount);
 	else {
 		mlx4_warn(dev, "Async event for bogus SRQ %08x\n", srqn);
 		return;
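
Review bot: if (srq) refcount_inc(&srq->refcount) runs after rcu_read_unlock(), so the pointer returned by radix_tree_lookup() is used outside the read-side section, and the count may already be zero when it is incremented (mlx4_srq_free() in this same patch deletes the entry and drops the reference). With refcount_t that surfaces as a warning on increment-from-zero, but the conversion is a good moment to take the reference inside the RCU section with refcount_inc_not_zero() and handle failure like the bogus-SRQ branch.
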
@@ -57,7 +57,7 @@ void mlx4_srq_event(struct mlx4_dev *dev, u32 srqn, int event_type)
 
 	srq->event(srq, event_type);
 
-	if (atomic_dec_and_test(&srq->refcount))
+	if (refcount_dec_and_test(&srq->refcount))
 		complete(&srq->free);
 }
 
@@ -203,7 +203,7 @@ int mlx4_srq_alloc(struct mlx4_dev *dev, u32 pdn, u32 cqn, u16 xrcd,
 	if (err)
 		goto err_radix;
 
-	atomic_set(&srq->refcount, 1);
+	refcount_set(&srq->refcount, 1);
 	init_completion(&srq->free);
 
 	return 0;
@@ -232,7 +232,7 @@ void mlx4_srq_free(struct mlx4_dev *dev, struct mlx4_srq *srq)
 	radix_tree_delete(&srq_table->tree, srq->srqn);
 	spin_unlock_irq(&srq_table->lock);
 
-	if (atomic_dec_and_test(&srq->refcount))
+	if (refcount_dec_and_test(&srq->refcount))
 		complete(&srq->free);
 	wait_for_completion(&srq->free);
 
diff --git a/include/linux/mlx4/device.h b/include/linux/mlx4/device.h
index 756ca22..8998807 100644
--- a/include/linux/mlx4/device.h
+++ b/include/linux/mlx4/device.h
@@ -766,7 +766,7 @@ struct mlx4_srq {
 	int			max_gs;
 	int			wqe_shift;
 
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 };
 
-- 
2.7.4


* [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (4 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 05/16] drivers, net, mlx4: convert mlx4_srq.refcount " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  9:33   ` David Laight
  2017-03-28  8:56 ` [PATCH 07/16] drivers, net, mlx5: convert fs_node.refcount " Elena Reshetova
                   ` (9 subsequent siblings)
  15 siblings, 1 reply; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/cq.c | 16 ++++++++--------
 include/linux/mlx5/cq.h                      |  4 ++--
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cq.c b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
index 336d473..1016e05 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/cq.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/cq.c
@@ -58,7 +58,7 @@ void mlx5_cq_tasklet_cb(unsigned long data)
 				 tasklet_ctx.list) {
 		list_del_init(&mcq->tasklet_ctx.list);
 		mcq->tasklet_ctx.comp(mcq);
-		if (atomic_dec_and_test(&mcq->refcount))
+		if (refcount_dec_and_test(&mcq->refcount))
 			complete(&mcq->free);
 		if (time_after(jiffies, end))
 			break;
@@ -80,7 +80,7 @@ static void mlx5_add_cq_to_tasklet(struct mlx5_core_cq *cq)
 	 * still arrive.
 	 */
 	if (list_empty_careful(&cq->tasklet_ctx.list)) {
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 		list_add_tail(&cq->tasklet_ctx.list, &tasklet_ctx->list);
 	}
 	spin_unlock_irqrestore(&tasklet_ctx->lock, flags);
@@ -94,7 +94,7 @@ void mlx5_cq_completion(struct mlx5_core_dev *dev, u32 cqn)
 	spin_lock(&table->lock);
 	cq = radix_tree_lookup(&table->tree, cqn);
 	if (likely(cq))
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 	spin_unlock(&table->lock);
 
 	if (!cq) {
@@ -106,7 +106,7 @@ void mlx5_cq_completion(struct mlx5_core_dev *dev, u32 cqn)
 
 	cq->comp(cq);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 }
 
@@ -119,7 +119,7 @@ void mlx5_cq_event(struct mlx5_core_dev *dev, u32 cqn, int event_type)
 
 	cq = radix_tree_lookup(&table->tree, cqn);
 	if (cq)
-		atomic_inc(&cq->refcount);
+		refcount_inc(&cq->refcount);
 
 	spin_unlock(&table->lock);
 
@@ -130,7 +130,7 @@ void mlx5_cq_event(struct mlx5_core_dev *dev, u32 cqn, int event_type)
 
 	cq->event(cq, event_type);
 
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 }
 
@@ -159,7 +159,7 @@ int mlx5_core_create_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq,
 	cq->cqn = MLX5_GET(create_cq_out, out, cqn);
 	cq->cons_index = 0;
 	cq->arm_sn     = 0;
-	atomic_set(&cq->refcount, 1);
+	refcount_set(&cq->refcount, 1);
 	init_completion(&cq->free);
 	if (!cq->comp)
 		cq->comp = mlx5_add_cq_to_tasklet;
@@ -222,7 +222,7 @@ int mlx5_core_destroy_cq(struct mlx5_core_dev *dev, struct mlx5_core_cq *cq)
 	synchronize_irq(cq->irqn);
 
 	mlx5_debug_cq_remove(dev, cq);
-	if (atomic_dec_and_test(&cq->refcount))
+	if (refcount_dec_and_test(&cq->refcount))
 		complete(&cq->free);
 	wait_for_completion(&cq->free);
 
diff --git a/include/linux/mlx5/cq.h b/include/linux/mlx5/cq.h
index 9589884..6a57ec2 100644
--- a/include/linux/mlx5/cq.h
+++ b/include/linux/mlx5/cq.h
@@ -35,7 +35,7 @@
 
 #include <rdma/ib_verbs.h>
 #include <linux/mlx5/driver.h>
-
+#include <linux/refcount.h>
 
 struct mlx5_core_cq {
 	u32			cqn;
@@ -43,7 +43,7 @@ struct mlx5_core_cq {
 	__be32		       *set_ci_db;
 	__be32		       *arm_db;
 	struct mlx5_uars_page  *uar;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	struct completion	free;
 	unsigned		vector;
 	unsigned int		irqn;
-- 
2.7.4


* [PATCH 07/16] drivers, net, mlx5: convert fs_node.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (5 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 08/16] drivers, net, hamradio: convert sixpack.refcnt " Elena Reshetova
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 24 +++++++++++------------
 drivers/net/ethernet/mellanox/mlx5/core/fs_core.h |  3 ++-
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
index 2478516..4f74d15 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
@@ -163,7 +163,7 @@ static void tree_init_node(struct fs_node *node,
 			   unsigned int refcount,
 			   void (*remove_func)(struct fs_node *))
 {
-	atomic_set(&node->refcount, refcount);
+	refcount_set(&node->refcount, refcount);
 	INIT_LIST_HEAD(&node->list);
 	INIT_LIST_HEAD(&node->children);
 	mutex_init(&node->lock);
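
Review bot: refcount_set(&node->refcount, refcount) passes a caller-supplied initial value straight through, and a caller that passes 0 now creates a node on which the first refcount_inc() (tree_get_node(), lock_ref_node()) warns instead of counting. Please confirm in the commit message that every tree_init_node() caller passes a non-zero count, or reject zero here.
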
@@ -173,7 +173,7 @@ static void tree_init_node(struct fs_node *node,
 static void tree_add_node(struct fs_node *node, struct fs_node *parent)
 {
 	if (parent)
-		atomic_inc(&parent->refcount);
+		refcount_inc(&parent->refcount);
 	node->parent = parent;
 
 	/* Parent is the root */
@@ -185,7 +185,7 @@ static void tree_add_node(struct fs_node *node, struct fs_node *parent)
 
 static void tree_get_node(struct fs_node *node)
 {
-	atomic_inc(&node->refcount);
+	refcount_inc(&node->refcount);
 }
 
 static void nested_lock_ref_node(struct fs_node *node,
@@ -193,7 +193,7 @@ static void nested_lock_ref_node(struct fs_node *node,
 {
 	if (node) {
 		mutex_lock_nested(&node->lock, class);
-		atomic_inc(&node->refcount);
+		refcount_inc(&node->refcount);
 	}
 }
 
@@ -201,14 +201,14 @@ static void lock_ref_node(struct fs_node *node)
 {
 	if (node) {
 		mutex_lock(&node->lock);
-		atomic_inc(&node->refcount);
+		refcount_inc(&node->refcount);
 	}
 }
 
 static void unlock_ref_node(struct fs_node *node)
 {
 	if (node) {
-		atomic_dec(&node->refcount);
+		refcount_dec(&node->refcount);
 		mutex_unlock(&node->lock);
 	}
 }
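
Review bot: unlock_ref_node() now calls refcount_dec(&node->refcount), which, unlike atomic_dec(), warns if the decrement reaches zero because nothing would then free the object. That is fine as long as every unlock_ref_node() caller holds another reference besides the one lock_ref_node() took; a sentence in the commit message stating that invariant would help, since the generic conversion text does not mention it.
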
@@ -218,7 +218,7 @@ static void tree_put_node(struct fs_node *node)
 	struct fs_node *parent_node = node->parent;
 
 	lock_ref_node(parent_node);
-	if (atomic_dec_and_test(&node->refcount)) {
+	if (refcount_dec_and_test(&node->refcount)) {
 		if (parent_node)
 			list_del_init(&node->list);
 		if (node->remove_func)
@@ -233,8 +233,8 @@ static void tree_put_node(struct fs_node *node)
 
 static int tree_remove_node(struct fs_node *node)
 {
-	if (atomic_read(&node->refcount) > 1) {
-		atomic_dec(&node->refcount);
+	if (refcount_read(&node->refcount) > 1) {
+		refcount_dec(&node->refcount);
 		return -EEXIST;
 	}
 	tree_put_node(node);
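
Review bot: in tree_remove_node(), refcount_read(&node->refcount) > 1 followed by refcount_dec() is a check-then-act pair, and the count can change between the two calls. refcount_dec_not_one() performs the same test and decrement atomically, so the branch can become: if (refcount_dec_not_one(&node->refcount)) return -EEXIST;
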
@@ -982,7 +982,7 @@ static void destroy_flow_handle(struct fs_fte *fte,
 				int i)
 {
 	for (; --i >= 0;) {
-		if (atomic_dec_and_test(&handle->rule[i]->node.refcount)) {
+		if (refcount_dec_and_test(&handle->rule[i]->node.refcount)) {
 			fte->dests_size--;
 			list_del(&handle->rule[i]->node.list);
 			kfree(handle->rule[i]);
@@ -1013,7 +1013,7 @@ create_flow_handle(struct fs_fte *fte,
 		if (dest) {
 			rule = find_flow_rule(fte, dest + i);
 			if (rule) {
-				atomic_inc(&rule->node.refcount);
+				refcount_inc(&rule->node.refcount);
 				goto rule_found;
 			}
 		}
@@ -1282,7 +1282,7 @@ static struct mlx5_flow_handle *add_rule_fg(struct mlx5_flow_group *fg,
 	list_add(&fte->node.list, prev);
 add_rules:
 	for (i = 0; i < handle->num_rules; i++) {
-		if (atomic_read(&handle->rule[i]->node.refcount) == 1)
+		if (refcount_read(&handle->rule[i]->node.refcount) == 1)
 			tree_add_node(&handle->rule[i]->node, &fte->node);
 	}
 unlock_fte:
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
index 8e668c6..86bc743b 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
@@ -33,6 +33,7 @@
 #ifndef _MLX5_FS_CORE_
 #define _MLX5_FS_CORE_
 
+#include <linux/refcount.h>
 #include <linux/mlx5/fs.h>
 
 enum fs_node_type {
@@ -80,7 +81,7 @@ struct fs_node {
 	struct fs_node		*root;
 	/* lock the node for writing and traversing */
 	struct mutex		lock;
-	atomic_t		refcount;
+	refcount_t		refcount;
 	void			(*remove_func)(struct fs_node *);
 };
 
-- 
2.7.4


* [PATCH 08/16] drivers, net, hamradio: convert sixpack.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (6 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 07/16] drivers, net, mlx5: convert fs_node.refcount " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 09/16] drivers, net: convert masces_rx_sa.refcnt " Elena Reshetova
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/hamradio/6pack.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 922bf44..ea6c975 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -35,7 +35,7 @@
 #include <linux/tcp.h>
 #include <linux/semaphore.h>
 #include <linux/compat.h>
-#include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #define SIXPACK_VERSION    "Revision: 0.3.0"
 
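Review bot: this hunk removes `#include <linux/atomic.h>` from 6pack.c, while the ppp_generic.c patch in the same series keeps atomic.h and adds refcount.h next to it. Dropping the header is only right if no other atomic_* user remains in 6pack.c; please confirm that, or keep the include and add refcount.h alongside it as in the other conversions.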
@@ -120,7 +120,7 @@ struct sixpack {
 
 	struct timer_list	tx_t;
 	struct timer_list	resync_t;
-	atomic_t		refcnt;
+	refcount_t		refcnt;
 	struct semaphore	dead_sem;
 	spinlock_t		lock;
 };
@@ -381,7 +381,7 @@ static struct sixpack *sp_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	sp = tty->disc_data;
 	if (sp)
-		atomic_inc(&sp->refcnt);
+		refcount_inc(&sp->refcnt);
 	read_unlock(&disc_data_lock);
 
 	return sp;
@@ -389,7 +389,7 @@ static struct sixpack *sp_get(struct tty_struct *tty)
 
 static void sp_put(struct sixpack *sp)
 {
-	if (atomic_dec_and_test(&sp->refcnt))
+	if (refcount_dec_and_test(&sp->refcnt))
 		up(&sp->dead_sem);
 }
 
@@ -580,7 +580,7 @@ static int sixpack_open(struct tty_struct *tty)
 	sp->dev = dev;
 
 	spin_lock_init(&sp->lock);
-	atomic_set(&sp->refcnt, 1);
+	refcount_set(&sp->refcnt, 1);
 	sema_init(&sp->dead_sem, 0);
 
 	/* !!! length of the buffers. MTU is IP MTU, not PACLEN!  */
@@ -676,7 +676,7 @@ static void sixpack_close(struct tty_struct *tty)
 	 * We have now ensured that nobody can start using ap from now on, but
 	 * we have to wait for all existing users to finish.
 	 */
-	if (!atomic_dec_and_test(&sp->refcnt))
+	if (!refcount_dec_and_test(&sp->refcnt))
 		down(&sp->dead_sem);
 
 	/* We must stop the queue to avoid potentially scribbling
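Review bot: in sixpack_close() the final reference does not free anything, it decides whether to sleep in down(&sp->dead_sem). refcount_dec_and_test() returns false once the counter has saturated, and sp_put() will then never call up(), so an overflowed counter turns into a close that blocks forever where the atomic_t version would have wrapped. That is the safer failure, but the changelog only mentions use-after-free; it should also say that the failure mode of this get/put/close scheme changes.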
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 09/16] drivers, net: convert masces_rx_sa.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (7 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 08/16] drivers, net, hamradio: convert sixpack.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 10/16] drivers, net: convert masces_rx_sc.refcnt " Elena Reshetova
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/macsec.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index ff0a5ed..bc0b00a 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -16,6 +16,7 @@
 #include <crypto/aead.h>
 #include <linux/etherdevice.h>
 #include <linux/rtnetlink.h>
+#include <linux/refcount.h>
 #include <net/genetlink.h>
 #include <net/sock.h>
 #include <net/gro_cells.h>
@@ -146,7 +147,7 @@ struct macsec_rx_sa {
 	struct macsec_key key;
 	spinlock_t lock;
 	u32 next_pn;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	bool active;
 	struct macsec_rx_sa_stats __percpu *stats;
 	struct macsec_rx_sc *sc;
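Review bot: the subject says masces_rx_sa.refcnt, but the field changed in this hunk belongs to struct macsec_rx_sa. Please fix the spelling in the subject (10/16 and 11/16 carry the same masces_ typo) so the commits can be found by grepping for the struct name.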
@@ -314,7 +315,7 @@ static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
 	if (!sa || !sa->active)
 		return NULL;
 
-	if (!atomic_inc_not_zero(&sa->refcnt))
+	if (!refcount_inc_not_zero(&sa->refcnt))
 		return NULL;
 
 	return sa;
@@ -350,7 +351,7 @@ static void free_rxsa(struct rcu_head *head)
 
 static void macsec_rxsa_put(struct macsec_rx_sa *sa)
 {
-	if (atomic_dec_and_test(&sa->refcnt))
+	if (refcount_dec_and_test(&sa->refcnt))
 		call_rcu(&sa->rcu, free_rxsa);
 }
 
@@ -1324,7 +1325,7 @@ static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
 
 	rx_sa->active = false;
 	rx_sa->next_pn = 1;
-	atomic_set(&rx_sa->refcnt, 1);
+	refcount_set(&rx_sa->refcnt, 1);
 	spin_lock_init(&rx_sa->lock);
 
 	return 0;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 10/16] drivers, net: convert masces_rx_sc.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (8 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 09/16] drivers, net: convert masces_rx_sa.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 11/16] drivers, net: convert masces_tx_sa.refcnt " Elena Reshetova
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/macsec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index bc0b00a..1869223 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -172,7 +172,7 @@ struct macsec_rx_sc {
 	bool active;
 	struct macsec_rx_sa __rcu *sa[MACSEC_NUM_AN];
 	struct pcpu_rx_sc_stats __percpu *stats;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	struct rcu_head rcu_head;
 };
 
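Review bot: struct macsec_rx_sc starts using refcount_t here, but this patch adds no `#include <linux/refcount.h>`; the include comes from 09/16, and the index line (bc0b00a..1869223) shows this diff is based on the result of that patch. If the patch is meant to be applied on its own, either add the include here or state the dependency on 09/16 in the changelog.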
@@ -331,12 +331,12 @@ static void free_rx_sc_rcu(struct rcu_head *head)
 
 static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
 {
-	return atomic_inc_not_zero(&sc->refcnt) ? sc : NULL;
+	return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
 }
 
 static void macsec_rxsc_put(struct macsec_rx_sc *sc)
 {
-	if (atomic_dec_and_test(&sc->refcnt))
+	if (refcount_dec_and_test(&sc->refcnt))
 		call_rcu(&sc->rcu_head, free_rx_sc_rcu);
 }
 
@@ -1396,7 +1396,7 @@ static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
 
 	rx_sc->sci = sci;
 	rx_sc->active = true;
-	atomic_set(&rx_sc->refcnt, 1);
+	refcount_set(&rx_sc->refcnt, 1);
 
 	secy = &macsec_priv(dev)->secy;
 	rcu_assign_pointer(rx_sc->next, secy->rx_sc);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 11/16] drivers, net: convert masces_tx_sa.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (9 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 10/16] drivers, net: convert masces_rx_sc.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 12/16] drivers, net, ppp: convert asyncppp.refcnt " Elena Reshetova
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/macsec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
index 1869223..2851dda 100644
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -188,7 +188,7 @@ struct macsec_tx_sa {
 	struct macsec_key key;
 	spinlock_t lock;
 	u32 next_pn;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	bool active;
 	struct macsec_tx_sa_stats __percpu *stats;
 	struct rcu_head rcu;
@@ -362,7 +362,7 @@ static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
 	if (!sa || !sa->active)
 		return NULL;
 
-	if (!atomic_inc_not_zero(&sa->refcnt))
+	if (!refcount_inc_not_zero(&sa->refcnt))
 		return NULL;
 
 	return sa;
@@ -379,7 +379,7 @@ static void free_txsa(struct rcu_head *head)
 
 static void macsec_txsa_put(struct macsec_tx_sa *sa)
 {
-	if (atomic_dec_and_test(&sa->refcnt))
+	if (refcount_dec_and_test(&sa->refcnt))
 		call_rcu(&sa->rcu, free_txsa);
 }
 
@@ -1422,7 +1422,7 @@ static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
 	}
 
 	tx_sa->active = false;
-	atomic_set(&tx_sa->refcnt, 1);
+	refcount_set(&tx_sa->refcnt, 1);
 	spin_lock_init(&tx_sa->lock);
 
 	return 0;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 12/16] drivers, net, ppp: convert asyncppp.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (10 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 11/16] drivers, net: convert masces_tx_sa.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 13/16] drivers, net, ppp: convert ppp_file.refcnt " Elena Reshetova
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ppp/ppp_async.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ppp/ppp_async.c b/drivers/net/ppp/ppp_async.c
index feb9569..2d08f7e 100644
--- a/drivers/net/ppp/ppp_async.c
+++ b/drivers/net/ppp/ppp_async.c
@@ -69,7 +69,7 @@ struct asyncppp {
 
 	struct tasklet_struct tsk;
 
-	atomic_t	refcnt;
+	refcount_t	refcnt;
 	struct semaphore dead_sem;
 	struct ppp_channel chan;	/* interface to generic ppp layer */
 	unsigned char	obuf[OBUFSIZE];
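Review bot: struct asyncppp switches to refcount_t in this hunk, yet the patch has no `#include <linux/refcount.h>` (the diffstat is five one-line substitutions), whereas the ppp_generic.c and ppp_synctty.c conversions add it explicitly. Please include the header directly in ppp_async.c as well rather than relying on it arriving through another header.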
@@ -140,14 +140,14 @@ static struct asyncppp *ap_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	ap = tty->disc_data;
 	if (ap != NULL)
-		atomic_inc(&ap->refcnt);
+		refcount_inc(&ap->refcnt);
 	read_unlock(&disc_data_lock);
 	return ap;
 }
 
 static void ap_put(struct asyncppp *ap)
 {
-	if (atomic_dec_and_test(&ap->refcnt))
+	if (refcount_dec_and_test(&ap->refcnt))
 		up(&ap->dead_sem);
 }
 
@@ -185,7 +185,7 @@ ppp_asynctty_open(struct tty_struct *tty)
 	skb_queue_head_init(&ap->rqueue);
 	tasklet_init(&ap->tsk, ppp_async_process, (unsigned long) ap);
 
-	atomic_set(&ap->refcnt, 1);
+	refcount_set(&ap->refcnt, 1);
 	sema_init(&ap->dead_sem, 0);
 
 	ap->chan.private = ap;
@@ -234,7 +234,7 @@ ppp_asynctty_close(struct tty_struct *tty)
 	 * our channel ops (i.e. ppp_async_send/ioctl) are in progress
 	 * by the time it returns.
 	 */
-	if (!atomic_dec_and_test(&ap->refcnt))
+	if (!refcount_dec_and_test(&ap->refcnt))
 		down(&ap->dead_sem);
 	tasklet_kill(&ap->tsk);
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 13/16] drivers, net, ppp: convert ppp_file.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (11 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 12/16] drivers, net, ppp: convert asyncppp.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 14/16] drivers, net, ppp: convert syncppp.refcnt " Elena Reshetova
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ppp/ppp_generic.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index f9c0e62..7b1352c 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -51,6 +51,7 @@
 #include <asm/unaligned.h>
 #include <net/slhc_vj.h>
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include <linux/nsproxy.h>
 #include <net/net_namespace.h>
@@ -84,7 +85,7 @@ struct ppp_file {
 	struct sk_buff_head xq;		/* pppd transmit queue */
 	struct sk_buff_head rq;		/* receive queue for pppd */
 	wait_queue_head_t rwait;	/* for poll on reading /dev/ppp */
-	atomic_t	refcnt;		/* # refs (incl /dev/ppp attached) */
+	refcount_t	refcnt;		/* # refs (incl /dev/ppp attached) */
 	int		hdrlen;		/* space to leave for headers */
 	int		index;		/* interface unit / channel number */
 	int		dead;		/* unit/channel has been shut down */
@@ -407,7 +408,7 @@ static int ppp_release(struct inode *unused, struct file *file)
 				unregister_netdevice(ppp->dev);
 			rtnl_unlock();
 		}
-		if (atomic_dec_and_test(&pf->refcnt)) {
+		if (refcount_dec_and_test(&pf->refcnt)) {
 			switch (pf->kind) {
 			case INTERFACE:
 				ppp_destroy_interface(PF_TO_PPP(pf));
@@ -880,7 +881,7 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
 		mutex_lock(&pn->all_ppp_mutex);
 		ppp = ppp_find_unit(pn, unit);
 		if (ppp) {
-			atomic_inc(&ppp->file.refcnt);
+			refcount_inc(&ppp->file.refcnt);
 			file->private_data = &ppp->file;
 			err = 0;
 		}
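Review bot: the refcount_inc(&ppp->file.refcnt) added here runs on a unit looked up by ppp_find_unit(), and unlike atomic_inc() it warns when the counter is already 0. Please confirm, and say in the changelog, that a unit cannot still be found under all_ppp_mutex after its last reference was dropped; if it can, this lookup should use refcount_inc_not_zero() and fail the attach instead.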
@@ -895,7 +896,7 @@ static int ppp_unattached_ioctl(struct net *net, struct ppp_file *pf,
 		spin_lock_bh(&pn->all_channels_lock);
 		chan = ppp_find_channel(pn, unit);
 		if (chan) {
-			atomic_inc(&chan->file.refcnt);
+			refcount_inc(&chan->file.refcnt);
 			file->private_data = &chan->file;
 			err = 0;
 		}
@@ -2641,7 +2642,7 @@ ppp_unregister_channel(struct ppp_channel *chan)
 
 	pch->file.dead = 1;
 	wake_up_interruptible(&pch->file.rwait);
-	if (atomic_dec_and_test(&pch->file.refcnt))
+	if (refcount_dec_and_test(&pch->file.refcnt))
 		ppp_destroy_channel(pch);
 }
 
@@ -3011,7 +3012,7 @@ init_ppp_file(struct ppp_file *pf, int kind)
 	pf->kind = kind;
 	skb_queue_head_init(&pf->xq);
 	skb_queue_head_init(&pf->rq);
-	atomic_set(&pf->refcnt, 1);
+	refcount_set(&pf->refcnt, 1);
 	init_waitqueue_head(&pf->rwait);
 }
 
@@ -3128,7 +3129,7 @@ ppp_connect_channel(struct channel *pch, int unit)
 	list_add_tail(&pch->clist, &ppp->channels);
 	++ppp->n_channels;
 	pch->ppp = ppp;
-	atomic_inc(&ppp->file.refcnt);
+	refcount_inc(&ppp->file.refcnt);
 	ppp_unlock(ppp);
 	ret = 0;
 
@@ -3159,7 +3160,7 @@ ppp_disconnect_channel(struct channel *pch)
 		if (--ppp->n_channels == 0)
 			wake_up_interruptible(&ppp->file.rwait);
 		ppp_unlock(ppp);
-		if (atomic_dec_and_test(&ppp->file.refcnt))
+		if (refcount_dec_and_test(&ppp->file.refcnt))
 			ppp_destroy_interface(ppp);
 		err = 0;
 	}
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 14/16] drivers, net, ppp: convert syncppp.refcnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (12 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 13/16] drivers, net, ppp: convert ppp_file.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-03-28  8:56 ` [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt " Elena Reshetova
  2017-03-28  8:56 ` [PATCH 16/16] drivers, net, intersil: convert request_context.refcount " Elena Reshetova
  15 siblings, 0 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/ppp/ppp_synctty.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ppp/ppp_synctty.c b/drivers/net/ppp/ppp_synctty.c
index 9ae5398..4a643f8 100644
--- a/drivers/net/ppp/ppp_synctty.c
+++ b/drivers/net/ppp/ppp_synctty.c
@@ -46,6 +46,7 @@
 #include <linux/init.h>
 #include <linux/interrupt.h>
 #include <linux/slab.h>
+#include <linux/refcount.h>
 #include <asm/unaligned.h>
 #include <linux/uaccess.h>
 
@@ -72,7 +73,7 @@ struct syncppp {
 
 	struct tasklet_struct tsk;
 
-	atomic_t	refcnt;
+	refcount_t	refcnt;
 	struct completion dead_cmp;
 	struct ppp_channel chan;	/* interface to generic ppp layer */
 };
@@ -141,14 +142,14 @@ static struct syncppp *sp_get(struct tty_struct *tty)
 	read_lock(&disc_data_lock);
 	ap = tty->disc_data;
 	if (ap != NULL)
-		atomic_inc(&ap->refcnt);
+		refcount_inc(&ap->refcnt);
 	read_unlock(&disc_data_lock);
 	return ap;
 }
 
 static void sp_put(struct syncppp *ap)
 {
-	if (atomic_dec_and_test(&ap->refcnt))
+	if (refcount_dec_and_test(&ap->refcnt))
 		complete(&ap->dead_cmp);
 }
 
@@ -182,7 +183,7 @@ ppp_sync_open(struct tty_struct *tty)
 	skb_queue_head_init(&ap->rqueue);
 	tasklet_init(&ap->tsk, ppp_sync_process, (unsigned long) ap);
 
-	atomic_set(&ap->refcnt, 1);
+	refcount_set(&ap->refcnt, 1);
 	init_completion(&ap->dead_cmp);
 
 	ap->chan.private = ap;
@@ -232,7 +233,7 @@ ppp_sync_close(struct tty_struct *tty)
 	 * our channel ops (i.e. ppp_sync_send/ioctl) are in progress
 	 * by the time it returns.
 	 */
-	if (!atomic_dec_and_test(&ap->refcnt))
+	if (!refcount_dec_and_test(&ap->refcnt))
 		wait_for_completion(&ap->dead_cmp);
 	tasklet_kill(&ap->tsk);
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (13 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 14/16] drivers, net, ppp: convert syncppp.refcnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-04-03 11:38   ` Kalle Valo
  2017-05-22 15:24   ` [15/16] hostap: " Kalle Valo
  2017-03-28  8:56 ` [PATCH 16/16] drivers, net, intersil: convert request_context.refcount " Elena Reshetova
  15 siblings, 2 replies; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/wireless/intersil/hostap/hostap_hw.c   | 12 ++++++------
 drivers/net/wireless/intersil/hostap/hostap_wlan.h |  3 ++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/intersil/hostap/hostap_hw.c b/drivers/net/wireless/intersil/hostap/hostap_hw.c
index 04dfd040..d4f0b73 100644
--- a/drivers/net/wireless/intersil/hostap/hostap_hw.c
+++ b/drivers/net/wireless/intersil/hostap/hostap_hw.c
@@ -190,7 +190,7 @@ static inline void __hostap_cmd_queue_free(local_info_t *local,
 		}
 	}
 
-	if (atomic_dec_and_test(&entry->usecnt) && entry->del_req)
+	if (refcount_dec_and_test(&entry->usecnt) && entry->del_req)
 		kfree(entry);
 }
 
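Review bot: in __hostap_cmd_queue_free() the free is gated on `refcount_dec_and_test(&entry->usecnt) && entry->del_req`, so usecnt can reach 0 with del_req unset and the entry stays allocated. With atomic_t a later increment or decrement of that entry went unnoticed; refcount_t warns on an increment from 0 and on a decrement below 0. Please check that no path drops the last use before del_req is set, and document that invariant next to usecnt, since this is a use counter with an extra condition and not a plain object refcount.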
@@ -228,7 +228,7 @@ static void prism2_clear_cmd_queue(local_info_t *local)
 	spin_lock_irqsave(&local->cmdlock, flags);
 	list_for_each_safe(ptr, n, &local->cmd_queue) {
 		entry = list_entry(ptr, struct hostap_cmd_queue, list);
-		atomic_inc(&entry->usecnt);
+		refcount_inc(&entry->usecnt);
 		printk(KERN_DEBUG "%s: removed pending cmd_queue entry "
 		       "(type=%d, cmd=0x%04x, param0=0x%04x)\n",
 		       local->dev->name, entry->type, entry->cmd,
@@ -350,7 +350,7 @@ static int hfa384x_cmd(struct net_device *dev, u16 cmd, u16 param0,
 	if (entry == NULL)
 		return -ENOMEM;
 
-	atomic_set(&entry->usecnt, 1);
+	refcount_set(&entry->usecnt, 1);
 	entry->type = CMD_SLEEP;
 	entry->cmd = cmd;
 	entry->param0 = param0;
@@ -516,7 +516,7 @@ static int hfa384x_cmd_callback(struct net_device *dev, u16 cmd, u16 param0,
 	if (entry == NULL)
 		return -ENOMEM;
 
-	atomic_set(&entry->usecnt, 1);
+	refcount_set(&entry->usecnt, 1);
 	entry->type = CMD_CALLBACK;
 	entry->cmd = cmd;
 	entry->param0 = param0;
@@ -666,7 +666,7 @@ static void prism2_cmd_ev(struct net_device *dev)
 	if (!list_empty(&local->cmd_queue)) {
 		entry = list_entry(local->cmd_queue.next,
 				   struct hostap_cmd_queue, list);
-		atomic_inc(&entry->usecnt);
+		refcount_inc(&entry->usecnt);
 		list_del_init(&entry->list);
 		local->cmd_queue_len--;
 
@@ -718,7 +718,7 @@ static void prism2_cmd_ev(struct net_device *dev)
 			entry = NULL;
 		}
 		if (entry)
-			atomic_inc(&entry->usecnt);
+			refcount_inc(&entry->usecnt);
 	}
 	spin_unlock(&local->cmdlock);
 
diff --git a/drivers/net/wireless/intersil/hostap/hostap_wlan.h b/drivers/net/wireless/intersil/hostap/hostap_wlan.h
index ca25283..5352adb 100644
--- a/drivers/net/wireless/intersil/hostap/hostap_wlan.h
+++ b/drivers/net/wireless/intersil/hostap/hostap_wlan.h
@@ -6,6 +6,7 @@
 #include <linux/netdevice.h>
 #include <linux/etherdevice.h>
 #include <linux/mutex.h>
+#include <linux/refcount.h>
 #include <net/iw_handler.h>
 #include <net/ieee80211_radiotap.h>
 #include <net/lib80211.h>
@@ -557,7 +558,7 @@ struct hostap_cmd_queue {
 	u16 resp0, res;
 	volatile int issued, issuing;
 
-	atomic_t usecnt;
+	refcount_t usecnt;
 	int del_req;
 };
 
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [PATCH 16/16] drivers, net, intersil: convert request_context.refcount from atomic_t to refcount_t
  2017-03-28  8:56 [PATCH 00/16] Networking drivers refcount conversions Elena Reshetova
                   ` (14 preceding siblings ...)
  2017-03-28  8:56 ` [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt " Elena Reshetova
@ 2017-03-28  8:56 ` Elena Reshetova
  2017-04-03 11:41   ` Kalle Valo
  15 siblings, 1 reply; 24+ messages in thread
From: Elena Reshetova @ 2017-03-28  8:56 UTC (permalink / raw)
  To: netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows us to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
index 98e1380..95dd03e 100644
--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
@@ -64,6 +64,7 @@
 #include <linux/etherdevice.h>
 #include <linux/wireless.h>
 #include <linux/firmware.h>
+#include <linux/refcount.h>
 
 #include "mic.h"
 #include "orinoco.h"
@@ -268,7 +269,7 @@ enum ezusb_state {
 
 struct request_context {
 	struct list_head list;
-	atomic_t refcount;
+	refcount_t refcount;
 	struct completion done;	/* Signals that CTX is dead */
 	int killed;
 	struct urb *outurb;	/* OUT for req pkt */
@@ -298,7 +299,7 @@ static inline u8 ezusb_reply_inc(u8 count)
 
 static void ezusb_request_context_put(struct request_context *ctx)
 {
-	if (!atomic_dec_and_test(&ctx->refcount))
+	if (!refcount_dec_and_test(&ctx->refcount))
 		return;
 
 	WARN_ON(!ctx->done.done);
@@ -328,7 +329,7 @@ static void ezusb_request_timerfn(u_long _ctx)
 	} else {
 		ctx->state = EZUSB_CTX_RESP_TIMEOUT;
 		dev_dbg(&ctx->outurb->dev->dev, "couldn't unlink\n");
-		atomic_inc(&ctx->refcount);
+		refcount_inc(&ctx->refcount);
 		ctx->killed = 1;
 		ezusb_ctx_complete(ctx);
 		ezusb_request_context_put(ctx);
@@ -361,7 +362,7 @@ static struct request_context *ezusb_alloc_ctx(struct ezusb_priv *upriv,
 	ctx->out_rid = out_rid;
 	ctx->in_rid = in_rid;
 
-	atomic_set(&ctx->refcount, 1);
+	refcount_set(&ctx->refcount, 1);
 	init_completion(&ctx->done);
 
 	setup_timer(&ctx->timer, ezusb_request_timerfn, (u_long)ctx);
@@ -469,7 +470,7 @@ static void ezusb_req_queue_run(struct ezusb_priv *upriv)
 	list_move_tail(&ctx->list, &upriv->req_active);
 
 	if (ctx->state == EZUSB_CTX_QUEUED) {
-		atomic_inc(&ctx->refcount);
+		refcount_inc(&ctx->refcount);
 		result = usb_submit_urb(ctx->outurb, GFP_ATOMIC);
 		if (result) {
 			ctx->state = EZUSB_CTX_REQSUBMIT_FAIL;
@@ -507,7 +508,7 @@ static void ezusb_req_enqueue_run(struct ezusb_priv *upriv,
 		spin_unlock_irqrestore(&upriv->req_lock, flags);
 		goto done;
 	}
-	atomic_inc(&ctx->refcount);
+	refcount_inc(&ctx->refcount);
 	list_add_tail(&ctx->list, &upriv->req_pending);
 	spin_unlock_irqrestore(&upriv->req_lock, flags);
 
@@ -1464,7 +1465,7 @@ static inline void ezusb_delete(struct ezusb_priv *upriv)
 		int err;
 
 		ctx = list_entry(item, struct request_context, list);
-		atomic_inc(&ctx->refcount);
+		refcount_inc(&ctx->refcount);
 
 		ctx->outurb->transfer_flags |= URB_ASYNC_UNLINK;
 		err = usb_unlink_urb(ctx->outurb);
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* RE: [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to refcount_t
  2017-03-28  8:56 ` [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount " Elena Reshetova
@ 2017-03-28  9:33   ` David Laight
  2017-03-28 14:00     ` Reshetova, Elena
  0 siblings, 1 reply; 24+ messages in thread
From: David Laight @ 2017-03-28  9:33 UTC (permalink / raw)
  To: 'Elena Reshetova', netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor

From: Elena Reshetova
> Sent: 28 March 2017 09:57
> 
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows us to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.

I can't help feeling that you ought to find a scheme
that will detect extra decrements and extra increments
before the counter wraps 32 bits.

If an extra reference is requested every 100us it takes 4.8 days
for the counter to increment back to zero.
Simple tests aren't going to find that - but it can easily happen
on a system that is running for several years.

	David

^ permalink raw reply	[flat|nested] 24+ messages in thread

* RE: [PATCH 06/16] drivers, net, mlx5: convert mlx5_cq.refcount from atomic_t to refcount_t
  2017-03-28  9:33   ` David Laight
@ 2017-03-28 14:00     ` Reshetova, Elena
  0 siblings, 0 replies; 24+ messages in thread
From: Reshetova, Elena @ 2017-03-28 14:00 UTC (permalink / raw)
  To: David Laight, netdev
  Cc: linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, kvalo, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor


> From: Elena Reshetova
> > Sent: 28 March 2017 09:57
> >
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows us to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
> 
> I can't help feeling that you ought to find a scheme
> that will detect extra decrements and extra increments
> before the counter wraps 32 bits.
> 
> If an extra reference is requested every 100us it takes 4.8 days
> for the counter to increment back to zero.
> Simple tests aren't going to find that - but it can easily happen
> on a system that is running for several years.

So, you are proposing to try detecting this case instead of preventing overflows?
Not sure what this would look like in a generic form...



> 
> 	David
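
Added example, not part of the thread and not the kernel's code: a single-threaded userspace model of the trade-off discussed in the two messages above, comparing a counter that wraps like an atomic_t with one that saturates in the way refcount_t is meant to. The function names and the starting value are constructed for illustration; the real API is in include/linux/refcount.h.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* sat=false: wrapping counter, standing in for an atomic_t refcount.
 * sat=true: saturating counter modelled on refcount_t (0 and UINT32_MAX stick). */
static void ref_get(uint32_t *r, bool sat)
{
	if (sat && (*r == 0 || *r == UINT32_MAX))
		return;			/* dead object or saturated: leave as is */
	(*r)++;				/* unsigned arithmetic wraps to 0 */
}

static bool ref_put(uint32_t *r, bool sat)
{
	if (sat && (*r == 0 || *r == UINT32_MAX))
		return false;		/* underflow or saturated: never "free" */
	return --(*r) == 0;
}

/* Holders still exist, but a leaking path has pushed the counter to just
 * below its maximum (constructed start value) and leaks 3 more references.
 * Returns true if the next balanced get/put reports "last reference gone". */
static bool premature_free(bool sat)
{
	uint32_t r = UINT32_MAX - 2;

	for (int i = 0; i < 3; i++)
		ref_get(&r, sat);
	ref_get(&r, sat);
	return ref_put(&r, sat);
}

/* Counter value left behind by one extra put on an object with one holder. */
static uint32_t after_extra_put(bool sat)
{
	uint32_t r = 1;

	ref_put(&r, sat);
	ref_put(&r, sat);
	return r;
}

int main(void)
{
	for (int sat = 0; sat <= 1; sat++)
		printf("%-10s premature free: %d, count after extra put: %u\n",
		       sat ? "saturating" : "wrapping",
		       premature_free(sat), (unsigned)after_extra_put(sat));
	return 0;
}
```

With the wrapping counter the leaked references end in a premature free while holders remain; with the saturating counter they end in an object that is never freed.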


* Re: [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt from atomic_t to refcount_t
  2017-03-28  8:56 ` [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt " Elena Reshetova
@ 2017-04-03 11:38   ` Kalle Valo
  2017-05-22 15:24   ` [15/16] hostap: " Kalle Valo
  1 sibling, 0 replies; 24+ messages in thread
From: Kalle Valo @ 2017-04-03 11:38 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor

Elena Reshetova <elena.reshetova@intel.com> writes:

> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  drivers/net/wireless/intersil/hostap/hostap_hw.c   | 12 ++++++------
>  drivers/net/wireless/intersil/hostap/hostap_wlan.h |  3 ++-
>  2 files changed, 8 insertions(+), 7 deletions(-)

The prefix should be "hostap:", I'll fix that.

-- 
Kalle Valo


* Re: [PATCH 16/16] drivers, net, intersil: convert request_context.refcount from atomic_t to refcount_t
  2017-03-28  8:56 ` [PATCH 16/16] drivers, net, intersil: convert request_context.refcount " Elena Reshetova
@ 2017-04-03 11:41   ` Kalle Valo
  2017-04-04 10:07     ` Reshetova, Elena
  0 siblings, 1 reply; 24+ messages in thread
From: Kalle Valo @ 2017-04-03 11:41 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor

Elena Reshetova <elena.reshetova@intel.com> writes:

> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
>
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>
> ---
>  drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)

The prefix should be "orinoco_usb:", I'll fix that.

-- 
Kalle Valo


* RE: [PATCH 16/16] drivers, net, intersil: convert request_context.refcount from atomic_t to refcount_t
  2017-04-03 11:41   ` Kalle Valo
@ 2017-04-04 10:07     ` Reshetova, Elena
  2017-04-05 10:33       ` Kalle Valo
  0 siblings, 1 reply; 24+ messages in thread
From: Reshetova, Elena @ 2017-04-04 10:07 UTC (permalink / raw)
  To: Kalle Valo
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor


> Elena Reshetova <elena.reshetova@intel.com> writes:
>
> > refcount_t type and corresponding API should be
> > used instead of atomic_t when the variable is used as
> > a reference counter. This allows to avoid accidental
> > refcounter overflows that might lead to use-after-free
> > situations.
> >
> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> > Signed-off-by: Kees Cook <keescook@chromium.org>
> > Signed-off-by: David Windsor <dwindsor@gmail.com>
> > ---
> >  drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 15 ++++++++-------
> >  1 file changed, 8 insertions(+), 7 deletions(-)
>
> The prefix should be "orinoco_usb:", I'll fix that.

Thanks for both! Will you take the patches in?

Best Regards,
Elena.

>
> --
> Kalle Valo


* Re: [PATCH 16/16] drivers, net, intersil: convert request_context.refcount from atomic_t to refcount_t
  2017-04-04 10:07     ` Reshetova, Elena
@ 2017-04-05 10:33       ` Kalle Valo
  0 siblings, 0 replies; 24+ messages in thread
From: Kalle Valo @ 2017-04-05 10:33 UTC (permalink / raw)
  To: Reshetova, Elena
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, peterz,
	keescook, gregkh, Hans Liljestrand, David Windsor

"Reshetova, Elena" <elena.reshetova@intel.com> writes:

>> Elena Reshetova <elena.reshetova@intel.com> writes:
>> 
>> > refcount_t type and corresponding API should be
>> > used instead of atomic_t when the variable is used as
>> > a reference counter. This allows to avoid accidental
>> > refcounter overflows that might lead to use-after-free
>> > situations.
>> >
>> > Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
>> > Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
>> > Signed-off-by: Kees Cook <keescook@chromium.org>
>> > Signed-off-by: David Windsor <dwindsor@gmail.com>
>> > ---
>> >  drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 15 ++++++++-------
>> >  1 file changed, 8 insertions(+), 7 deletions(-)
>> 
>> The prefix should be "orinoco_usb:", I'll fix that.
>
> Thanks for both! Will you take the patches in?

You mean patches 15 and 16? I didn't even look at the rest of the patches.

But not sure yet because Dave doesn't seem to like the interface and I
want to follow the discussion first.

-- 
Kalle Valo


* Re: [15/16] hostap: convert hostap_cmd_queue.usecnt from atomic_t to refcount_t
  2017-03-28  8:56 ` [PATCH 15/16] drivers, net, intersil: convert hostap_cmd_queue.usecnt " Elena Reshetova
  2017-04-03 11:38   ` Kalle Valo
@ 2017-05-22 15:24   ` Kalle Valo
  1 sibling, 0 replies; 24+ messages in thread
From: Kalle Valo @ 2017-05-22 15:24 UTC (permalink / raw)
  To: Elena Reshetova
  Cc: netdev, linux-kernel, linux-arm-kernel, linux-rdma, linux-hams,
	linux-ppp, linux-wireless, ganeshgr, nbd, blogic, matthias.bgg,
	yishaih, saeedm, matanb, leonro, ajk, paulus, j, peterz,
	keescook, gregkh, Elena Reshetova, Hans Liljestrand,
	David Windsor

Elena Reshetova <elena.reshetova@intel.com> wrote:
> refcount_t type and corresponding API should be
> used instead of atomic_t when the variable is used as
> a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free
> situations.
> 
> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> Signed-off-by: David Windsor <dwindsor@gmail.com>

2 patches applied to wireless-drivers-next.git, thanks.

552aa585faff hostap: convert hostap_cmd_queue.usecnt from atomic_t to refcount_t
0aeffa7041d8 orinoco_usb: convert request_context.refcount from atomic_t to refcount_t

-- 
https://patchwork.kernel.org/patch/9648427/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
