* [PATCH 0/9] v2 ipv4/ipv6 refcount conversions
@ 2017-07-04 6:34 Elena Reshetova
2017-07-04 6:34 ` [PATCH 1/9] net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t Elena Reshetova
` (9 more replies)
0 siblings, 10 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova
Changes in v2:
* rebase on top of net-next
* currently by default refcount_t = atomic_t (*) and uses all
atomic standard operations unless CONFIG_REFCOUNT_FULL is enabled.
This is a compromise for the systems that are critical on
performance (such as net) and cannot accept even slight delay
on the refcounter operations.
This series, for ipv4/ipv6 network components, replaces atomic_t reference
counters with the new refcount_t type and API (see include/linux/refcount.h).
By doing this we prevent intentional or accidental
underflows or overflows that can led to use-after-free vulnerabilities.
The patches are fully independent and can be cherry-picked separately.
In order to try with refcount functionality enabled in run-time,
CONFIG_REFCOUNT_FULL must be enabled.
NOTE: automatic kernel builder for some reason doesn't like all my
network branches and regularly times out the builds on these branches.
Suggestion for "waiting a day for a good coverage" doesn't work, as
we have seen with generic network conversions. So please wait for the
full report from kernel test rebot before merging further up.
This has been compile-tested in 116 configs, but 71 timed out (including
all s390-related configs again). I am trying to see if they can fix
build coverage for me in meanwhile.
* The respective change is currently merged into -next as
"locking/refcount: Create unchecked atomic_t implementation".
Elena Reshetova (9):
net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t
net, ipv6: convert inet6_dev.refcnt from atomic_t to refcount_t
net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t
net, ipv6: convert ifmcaddr6.mca_refcnt from atomic_t to refcount_t
net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t
net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t
net, ipv6: convert ip6addrlbl_entry.refcnt from atomic_t to refcount_t
net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t
net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t
include/net/addrconf.h | 14 +++++++-------
include/net/cipso_ipv4.h | 3 ++-
include/net/if_inet6.h | 9 +++++----
include/net/ip_fib.h | 7 ++++---
include/net/ipv6.h | 7 ++++---
net/ipv4/cipso_ipv4.c | 12 ++++++------
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/fib_trie.c | 2 +-
net/ipv6/addrconf.c | 4 ++--
net/ipv6/addrlabel.c | 9 +++++----
net/ipv6/anycast.c | 6 +++---
net/ipv6/exthdrs.c | 4 ++--
net/ipv6/ipv6_sockglue.c | 2 +-
net/ipv6/mcast.c | 18 +++++++++---------
net/ipv6/xfrm6_tunnel.c | 8 ++++----
15 files changed, 56 insertions(+), 51 deletions(-)
--
2.7.4
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 1/9] net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:34 ` [PATCH 2/9] net, ipv6: convert inet6_dev.refcnt " Elena Reshetova
` (8 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/ipv6.h | 7 ++++---
net/ipv6/exthdrs.c | 4 ++--
net/ipv6/ipv6_sockglue.c | 2 +-
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 3e505bb..6eac5cf 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -16,6 +16,7 @@
#include <linux/ipv6.h>
#include <linux/hardirq.h>
#include <linux/jhash.h>
+#include <linux/refcount.h>
#include <net/if_inet6.h>
#include <net/ndisc.h>
#include <net/flow.h>
@@ -203,7 +204,7 @@ extern rwlock_t ip6_ra_lock;
*/
struct ipv6_txoptions {
- atomic_t refcnt;
+ refcount_t refcnt;
/* Length of this structure */
int tot_len;
@@ -265,7 +266,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
rcu_read_lock();
opt = rcu_dereference(np->opt);
if (opt) {
- if (!atomic_inc_not_zero(&opt->refcnt))
+ if (!refcount_inc_not_zero(&opt->refcnt))
opt = NULL;
else
opt = rcu_pointer_handoff(opt);
@@ -276,7 +277,7 @@ static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
static inline void txopt_put(struct ipv6_txoptions *opt)
{
- if (opt && atomic_dec_and_test(&opt->refcnt))
+ if (opt && refcount_dec_and_test(&opt->refcnt))
kfree_rcu(opt, rcu);
}
diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 0460af22..4996d73 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -971,7 +971,7 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt)
*((char **)&opt2->dst1opt) += dif;
if (opt2->srcrt)
*((char **)&opt2->srcrt) += dif;
- atomic_set(&opt2->refcnt, 1);
+ refcount_set(&opt2->refcnt, 1);
}
return opt2;
}
@@ -1056,7 +1056,7 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt,
return ERR_PTR(-ENOBUFS);
memset(opt2, 0, tot_len);
- atomic_set(&opt2->refcnt, 1);
+ refcount_set(&opt2->refcnt, 1);
opt2->tot_len = tot_len;
p = (char *)(opt2 + 1);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index a531ba0..85404e7 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -505,7 +505,7 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname,
break;
memset(opt, 0, sizeof(*opt));
- atomic_set(&opt->refcnt, 1);
+ refcount_set(&opt->refcnt, 1);
opt->tot_len = sizeof(*opt) + optlen;
retv = -EFAULT;
if (copy_from_user(opt+1, optval, optlen))
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 2/9] net, ipv6: convert inet6_dev.refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
2017-07-04 6:34 ` [PATCH 1/9] net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:34 ` [PATCH 3/9] net, ipv6: convert inet6_ifaddr.refcnt " Elena Reshetova
` (7 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/addrconf.h | 8 ++++----
include/net/if_inet6.h | 3 ++-
net/ipv6/addrconf.c | 2 +-
3 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index d0889cb..620bd9a 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -316,7 +316,7 @@ static inline struct inet6_dev *in6_dev_get(const struct net_device *dev)
rcu_read_lock();
idev = rcu_dereference(dev->ip6_ptr);
if (idev)
- atomic_inc(&idev->refcnt);
+ refcount_inc(&idev->refcnt);
rcu_read_unlock();
return idev;
}
@@ -332,18 +332,18 @@ void in6_dev_finish_destroy(struct inet6_dev *idev);
static inline void in6_dev_put(struct inet6_dev *idev)
{
- if (atomic_dec_and_test(&idev->refcnt))
+ if (refcount_dec_and_test(&idev->refcnt))
in6_dev_finish_destroy(idev);
}
static inline void __in6_dev_put(struct inet6_dev *idev)
{
- atomic_dec(&idev->refcnt);
+ refcount_dec(&idev->refcnt);
}
static inline void in6_dev_hold(struct inet6_dev *idev)
{
- atomic_inc(&idev->refcnt);
+ refcount_inc(&idev->refcnt);
}
void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp);
diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
index f656f90..e7a17b2 100644
--- a/include/net/if_inet6.h
+++ b/include/net/if_inet6.h
@@ -17,6 +17,7 @@
#include <net/snmp.h>
#include <linux/ipv6.h>
+#include <linux/refcount.h>
/* inet6_dev.if_flags */
@@ -187,7 +188,7 @@ struct inet6_dev {
struct ifacaddr6 *ac_list;
rwlock_t lock;
- atomic_t refcnt;
+ refcount_t refcnt;
__u32 if_flags;
int dead;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 114fb64..2365f12 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -426,7 +426,7 @@ static struct inet6_dev *ipv6_add_dev(struct net_device *dev)
}
/* One reference from device. */
- in6_dev_hold(ndev);
+ refcount_set(&ndev->refcnt, 1);
if (dev->flags & (IFF_NOARP | IFF_LOOPBACK))
ndev->cnf.accept_dad = -1;
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 3/9] net, ipv6: convert inet6_ifaddr.refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
2017-07-04 6:34 ` [PATCH 1/9] net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t Elena Reshetova
2017-07-04 6:34 ` [PATCH 2/9] net, ipv6: convert inet6_dev.refcnt " Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:34 ` [PATCH 4/9] net, ipv6: convert ifmcaddr6.mca_refcnt " Elena Reshetova
` (6 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/addrconf.h | 6 +++---
include/net/if_inet6.h | 2 +-
net/ipv6/addrconf.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/net/addrconf.h b/include/net/addrconf.h
index 620bd9a..6df79e9 100644
--- a/include/net/addrconf.h
+++ b/include/net/addrconf.h
@@ -350,18 +350,18 @@ void inet6_ifa_finish_destroy(struct inet6_ifaddr *ifp);
static inline void in6_ifa_put(struct inet6_ifaddr *ifp)
{
- if (atomic_dec_and_test(&ifp->refcnt))
+ if (refcount_dec_and_test(&ifp->refcnt))
inet6_ifa_finish_destroy(ifp);
}
static inline void __in6_ifa_put(struct inet6_ifaddr *ifp)
{
- atomic_dec(&ifp->refcnt);
+ refcount_dec(&ifp->refcnt);
}
static inline void in6_ifa_hold(struct inet6_ifaddr *ifp)
{
- atomic_inc(&ifp->refcnt);
+ refcount_inc(&ifp->refcnt);
}
diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
index e7a17b2..2b41cb8 100644
--- a/include/net/if_inet6.h
+++ b/include/net/if_inet6.h
@@ -46,7 +46,7 @@ struct inet6_ifaddr {
/* In seconds, relative to tstamp. Expiry is at tstamp + HZ * lft. */
__u32 valid_lft;
__u32 prefered_lft;
- atomic_t refcnt;
+ refcount_t refcnt;
spinlock_t lock;
int state;
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 2365f12..3c46e95 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1050,7 +1050,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr,
ifa->idev = idev;
/* For caller */
- in6_ifa_hold(ifa);
+ refcount_set(&ifa->refcnt, 1);
/* Add to big hash table */
hash = inet6_addr_hash(addr);
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 4/9] net, ipv6: convert ifmcaddr6.mca_refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (2 preceding siblings ...)
2017-07-04 6:34 ` [PATCH 3/9] net, ipv6: convert inet6_ifaddr.refcnt " Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:34 ` [PATCH 5/9] net, ipv6: convert ifacaddr6.aca_refcnt " Elena Reshetova
` (5 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/if_inet6.h | 2 +-
net/ipv6/mcast.c | 18 +++++++++---------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
index 2b41cb8..4bb52ce 100644
--- a/include/net/if_inet6.h
+++ b/include/net/if_inet6.h
@@ -127,7 +127,7 @@ struct ifmcaddr6 {
struct timer_list mca_timer;
unsigned int mca_flags;
int mca_users;
- atomic_t mca_refcnt;
+ refcount_t mca_refcnt;
spinlock_t mca_lock;
unsigned long mca_cstamp;
unsigned long mca_tstamp;
diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c
index e222113..12b7c27 100644
--- a/net/ipv6/mcast.c
+++ b/net/ipv6/mcast.c
@@ -701,7 +701,7 @@ static void igmp6_group_dropped(struct ifmcaddr6 *mc)
spin_lock_bh(&mc->mca_lock);
if (del_timer(&mc->mca_timer))
- atomic_dec(&mc->mca_refcnt);
+ refcount_dec(&mc->mca_refcnt);
spin_unlock_bh(&mc->mca_lock);
}
@@ -819,12 +819,12 @@ static void mld_clear_delrec(struct inet6_dev *idev)
static void mca_get(struct ifmcaddr6 *mc)
{
- atomic_inc(&mc->mca_refcnt);
+ refcount_inc(&mc->mca_refcnt);
}
static void ma_put(struct ifmcaddr6 *mc)
{
- if (atomic_dec_and_test(&mc->mca_refcnt)) {
+ if (refcount_dec_and_test(&mc->mca_refcnt)) {
in6_dev_put(mc->idev);
kfree(mc);
}
@@ -846,7 +846,7 @@ static struct ifmcaddr6 *mca_alloc(struct inet6_dev *idev,
mc->mca_users = 1;
/* mca_stamp should be updated upon changes */
mc->mca_cstamp = mc->mca_tstamp = jiffies;
- atomic_set(&mc->mca_refcnt, 1);
+ refcount_set(&mc->mca_refcnt, 1);
spin_lock_init(&mc->mca_lock);
/* initial mode is (EX, empty) */
@@ -1065,7 +1065,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
return;
if (del_timer(&ma->mca_timer)) {
- atomic_dec(&ma->mca_refcnt);
+ refcount_dec(&ma->mca_refcnt);
delay = ma->mca_timer.expires - jiffies;
}
@@ -1074,7 +1074,7 @@ static void igmp6_group_queried(struct ifmcaddr6 *ma, unsigned long resptime)
ma->mca_timer.expires = jiffies + delay;
if (!mod_timer(&ma->mca_timer, jiffies + delay))
- atomic_inc(&ma->mca_refcnt);
+ refcount_inc(&ma->mca_refcnt);
ma->mca_flags |= MAF_TIMER_RUNNING;
}
@@ -1469,7 +1469,7 @@ int igmp6_event_report(struct sk_buff *skb)
if (ipv6_addr_equal(&ma->mca_addr, &mld->mld_mca)) {
spin_lock(&ma->mca_lock);
if (del_timer(&ma->mca_timer))
- atomic_dec(&ma->mca_refcnt);
+ refcount_dec(&ma->mca_refcnt);
ma->mca_flags &= ~(MAF_LAST_REPORTER|MAF_TIMER_RUNNING);
spin_unlock(&ma->mca_lock);
break;
@@ -2391,12 +2391,12 @@ static void igmp6_join_group(struct ifmcaddr6 *ma)
spin_lock_bh(&ma->mca_lock);
if (del_timer(&ma->mca_timer)) {
- atomic_dec(&ma->mca_refcnt);
+ refcount_dec(&ma->mca_refcnt);
delay = ma->mca_timer.expires - jiffies;
}
if (!mod_timer(&ma->mca_timer, jiffies + delay))
- atomic_inc(&ma->mca_refcnt);
+ refcount_inc(&ma->mca_refcnt);
ma->mca_flags |= MAF_TIMER_RUNNING | MAF_LAST_REPORTER;
spin_unlock_bh(&ma->mca_lock);
}
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 5/9] net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (3 preceding siblings ...)
2017-07-04 6:34 ` [PATCH 4/9] net, ipv6: convert ifmcaddr6.mca_refcnt " Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:34 ` [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt " Elena Reshetova
` (4 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/if_inet6.h | 2 +-
net/ipv6/anycast.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/net/if_inet6.h b/include/net/if_inet6.h
index 4bb52ce..d4088d1 100644
--- a/include/net/if_inet6.h
+++ b/include/net/if_inet6.h
@@ -147,7 +147,7 @@ struct ifacaddr6 {
struct rt6_info *aca_rt;
struct ifacaddr6 *aca_next;
int aca_users;
- atomic_t aca_refcnt;
+ refcount_t aca_refcnt;
unsigned long aca_cstamp;
unsigned long aca_tstamp;
};
diff --git a/net/ipv6/anycast.c b/net/ipv6/anycast.c
index 514ac25..0bbab8a 100644
--- a/net/ipv6/anycast.c
+++ b/net/ipv6/anycast.c
@@ -203,12 +203,12 @@ void ipv6_sock_ac_close(struct sock *sk)
static void aca_get(struct ifacaddr6 *aca)
{
- atomic_inc(&aca->aca_refcnt);
+ refcount_inc(&aca->aca_refcnt);
}
static void aca_put(struct ifacaddr6 *ac)
{
- if (atomic_dec_and_test(&ac->aca_refcnt)) {
+ if (refcount_dec_and_test(&ac->aca_refcnt)) {
in6_dev_put(ac->aca_idev);
dst_release(&ac->aca_rt->dst);
kfree(ac);
@@ -232,7 +232,7 @@ static struct ifacaddr6 *aca_alloc(struct rt6_info *rt,
aca->aca_users = 1;
/* aca_tstamp should be updated upon changes */
aca->aca_cstamp = aca->aca_tstamp = jiffies;
- atomic_set(&aca->aca_refcnt, 1);
+ refcount_set(&aca->aca_refcnt, 1);
return aca;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (4 preceding siblings ...)
2017-07-04 6:34 ` [PATCH 5/9] net, ipv6: convert ifacaddr6.aca_refcnt " Elena Reshetova
@ 2017-07-04 6:34 ` Elena Reshetova
2017-07-04 6:35 ` [PATCH 7/9] net, ipv6: convert ip6addrlbl_entry.refcnt " Elena Reshetova
` (3 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:34 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
net/ipv6/xfrm6_tunnel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index d7b731a..4e438bc 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -59,7 +59,7 @@ struct xfrm6_tunnel_spi {
struct hlist_node list_byspi;
xfrm_address_t addr;
u32 spi;
- atomic_t refcnt;
+ refcount_t refcnt;
struct rcu_head rcu_head;
};
@@ -160,7 +160,7 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
memcpy(&x6spi->addr, saddr, sizeof(x6spi->addr));
x6spi->spi = spi;
- atomic_set(&x6spi->refcnt, 1);
+ refcount_set(&x6spi->refcnt, 1);
hlist_add_head_rcu(&x6spi->list_byspi, &xfrm6_tn->spi_byspi[index]);
@@ -178,7 +178,7 @@ __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
spin_lock_bh(&xfrm6_tunnel_spi_lock);
x6spi = __xfrm6_tunnel_spi_lookup(net, saddr);
if (x6spi) {
- atomic_inc(&x6spi->refcnt);
+ refcount_inc(&x6spi->refcnt);
spi = x6spi->spi;
} else
spi = __xfrm6_tunnel_alloc_spi(net, saddr);
@@ -207,7 +207,7 @@ static void xfrm6_tunnel_free_spi(struct net *net, xfrm_address_t *saddr)
list_byaddr)
{
if (xfrm6_addr_equal(&x6spi->addr, saddr)) {
- if (atomic_dec_and_test(&x6spi->refcnt)) {
+ if (refcount_dec_and_test(&x6spi->refcnt)) {
hlist_del_rcu(&x6spi->list_byaddr);
hlist_del_rcu(&x6spi->list_byspi);
call_rcu(&x6spi->rcu_head, x6spi_destroy_rcu);
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 7/9] net, ipv6: convert ip6addrlbl_entry.refcnt from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (5 preceding siblings ...)
2017-07-04 6:34 ` [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt " Elena Reshetova
@ 2017-07-04 6:35 ` Elena Reshetova
2017-07-04 6:35 ` [PATCH 8/9] net, ipv4: convert cipso_v4_doi.refcount " Elena Reshetova
` (2 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:35 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
net/ipv6/addrlabel.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/addrlabel.c b/net/ipv6/addrlabel.c
index 07cd7d2..7a428f6 100644
--- a/net/ipv6/addrlabel.c
+++ b/net/ipv6/addrlabel.c
@@ -18,6 +18,7 @@
#include <linux/if_addrlabel.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
+#include <linux/refcount.h>
#if 0
#define ADDRLABEL(x...) printk(x)
@@ -36,7 +37,7 @@ struct ip6addrlbl_entry {
int addrtype;
u32 label;
struct hlist_node list;
- atomic_t refcnt;
+ refcount_t refcnt;
struct rcu_head rcu;
};
@@ -137,12 +138,12 @@ static void ip6addrlbl_free_rcu(struct rcu_head *h)
static bool ip6addrlbl_hold(struct ip6addrlbl_entry *p)
{
- return atomic_inc_not_zero(&p->refcnt);
+ return refcount_inc_not_zero(&p->refcnt);
}
static inline void ip6addrlbl_put(struct ip6addrlbl_entry *p)
{
- if (atomic_dec_and_test(&p->refcnt))
+ if (refcount_dec_and_test(&p->refcnt))
call_rcu(&p->rcu, ip6addrlbl_free_rcu);
}
@@ -236,7 +237,7 @@ static struct ip6addrlbl_entry *ip6addrlbl_alloc(struct net *net,
newp->label = label;
INIT_HLIST_NODE(&newp->list);
write_pnet(&newp->lbl_net, net);
- atomic_set(&newp->refcnt, 1);
+ refcount_set(&newp->refcnt, 1);
return newp;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 8/9] net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (6 preceding siblings ...)
2017-07-04 6:35 ` [PATCH 7/9] net, ipv6: convert ip6addrlbl_entry.refcnt " Elena Reshetova
@ 2017-07-04 6:35 ` Elena Reshetova
2017-07-04 6:35 ` [PATCH 9/9] net, ipv4: convert fib_info.fib_clntref " Elena Reshetova
2017-07-04 8:39 ` [PATCH 0/9] v2 ipv4/ipv6 refcount conversions David Miller
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:35 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/cipso_ipv4.h | 3 ++-
net/ipv4/cipso_ipv4.c | 12 ++++++------
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index a34b141..880adb2 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -41,6 +41,7 @@
#include <net/netlabel.h>
#include <net/request_sock.h>
#include <linux/atomic.h>
+#include <linux/refcount.h>
#include <asm/unaligned.h>
/* known doi values */
@@ -85,7 +86,7 @@ struct cipso_v4_doi {
} map;
u8 tags[CIPSO_V4_TAG_MAXCNT];
- atomic_t refcount;
+ refcount_t refcount;
struct list_head list;
struct rcu_head rcu;
};
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index c204477..c4c6e19 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -375,7 +375,7 @@ static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
struct cipso_v4_doi *iter;
list_for_each_entry_rcu(iter, &cipso_v4_doi_list, list)
- if (iter->doi == doi && atomic_read(&iter->refcount))
+ if (iter->doi == doi && refcount_read(&iter->refcount))
return iter;
return NULL;
}
@@ -429,7 +429,7 @@ int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
}
}
- atomic_set(&doi_def->refcount, 1);
+ refcount_set(&doi_def->refcount, 1);
spin_lock(&cipso_v4_doi_list_lock);
if (cipso_v4_doi_search(doi_def->doi)) {
@@ -533,7 +533,7 @@ int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info)
ret_val = -ENOENT;
goto doi_remove_return;
}
- if (!atomic_dec_and_test(&doi_def->refcount)) {
+ if (!refcount_dec_and_test(&doi_def->refcount)) {
spin_unlock(&cipso_v4_doi_list_lock);
ret_val = -EBUSY;
goto doi_remove_return;
@@ -576,7 +576,7 @@ struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi)
doi_def = cipso_v4_doi_search(doi);
if (!doi_def)
goto doi_getdef_return;
- if (!atomic_inc_not_zero(&doi_def->refcount))
+ if (!refcount_inc_not_zero(&doi_def->refcount))
doi_def = NULL;
doi_getdef_return:
@@ -597,7 +597,7 @@ void cipso_v4_doi_putdef(struct cipso_v4_doi *doi_def)
if (!doi_def)
return;
- if (!atomic_dec_and_test(&doi_def->refcount))
+ if (!refcount_dec_and_test(&doi_def->refcount))
return;
spin_lock(&cipso_v4_doi_list_lock);
list_del_rcu(&doi_def->list);
@@ -630,7 +630,7 @@ int cipso_v4_doi_walk(u32 *skip_cnt,
rcu_read_lock();
list_for_each_entry_rcu(iter_doi, &cipso_v4_doi_list, list)
- if (atomic_read(&iter_doi->refcount) > 0) {
+ if (refcount_read(&iter_doi->refcount) > 0) {
if (doi_cnt++ < *skip_cnt)
continue;
ret_val = callback(iter_doi, cb_arg);
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* [PATCH 9/9] net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (7 preceding siblings ...)
2017-07-04 6:35 ` [PATCH 8/9] net, ipv4: convert cipso_v4_doi.refcount " Elena Reshetova
@ 2017-07-04 6:35 ` Elena Reshetova
2017-07-04 8:39 ` [PATCH 0/9] v2 ipv4/ipv6 refcount conversions David Miller
9 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-07-04 6:35 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
include/net/ip_fib.h | 7 ++++---
net/ipv4/fib_semantics.c | 2 +-
net/ipv4/fib_trie.c | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 3dbfd5e..41d580c 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -23,6 +23,7 @@
#include <net/inetpeer.h>
#include <linux/percpu.h>
#include <linux/notifier.h>
+#include <linux/refcount.h>
struct fib_config {
u8 fc_dst_len;
@@ -105,7 +106,7 @@ struct fib_info {
struct hlist_node fib_lhash;
struct net *fib_net;
int fib_treeref;
- atomic_t fib_clntref;
+ refcount_t fib_clntref;
unsigned int fib_flags;
unsigned char fib_dead;
unsigned char fib_protocol;
@@ -430,12 +431,12 @@ void free_fib_info(struct fib_info *fi);
static inline void fib_info_hold(struct fib_info *fi)
{
- atomic_inc(&fi->fib_clntref);
+ refcount_inc(&fi->fib_clntref);
}
static inline void fib_info_put(struct fib_info *fi)
{
- if (atomic_dec_and_test(&fi->fib_clntref))
+ if (refcount_dec_and_test(&fi->fib_clntref))
free_fib_info(fi);
}
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index ff47ea1..22210010 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1253,7 +1253,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
}
fi->fib_treeref++;
- atomic_inc(&fi->fib_clntref);
+ refcount_set(&fi->fib_clntref, 1);
spin_lock_bh(&fib_info_lock);
hlist_add_head(&fi->fib_hash,
&fib_info_hash[fib_info_hashfn(fi)]);
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index d56659e..64668c6 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1463,7 +1463,7 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp,
}
if (!(fib_flags & FIB_LOOKUP_NOREF))
- atomic_inc(&fi->fib_clntref);
+ refcount_inc(&fi->fib_clntref);
res->prefix = htonl(n->key);
res->prefixlen = KEYLENGTH - fa->fa_slen;
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 0/9] v2 ipv4/ipv6 refcount conversions
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
` (8 preceding siblings ...)
2017-07-04 6:35 ` [PATCH 9/9] net, ipv4: convert fib_info.fib_clntref " Elena Reshetova
@ 2017-07-04 8:39 ` David Miller
9 siblings, 0 replies; 12+ messages in thread
From: David Miller @ 2017-07-04 8:39 UTC (permalink / raw)
To: elena.reshetova
Cc: netdev, linux-kernel, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Tue, 4 Jul 2017 09:34:53 +0300
> Changes in v2:
> * rebase on top of net-next
> * currently by default refcount_t = atomic_t (*) and uses all
> atomic standard operations unless CONFIG_REFCOUNT_FULL is enabled.
> This is a compromise for the systems that are critical on
> performance (such as net) and cannot accept even slight delay
> on the refcounter operations.
>
> This series, for ipv4/ipv6 network components, replaces atomic_t reference
> counters with the new refcount_t type and API (see include/linux/refcount.h).
> By doing this we prevent intentional or accidental
> underflows or overflows that can led to use-after-free vulnerabilities.
>
> The patches are fully independent and can be cherry-picked separately.
> In order to try with refcount functionality enabled in run-time,
> CONFIG_REFCOUNT_FULL must be enabled.
...
Series applied, thanks.
^ permalink raw reply [flat|nested] 12+ messages in thread
* [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t
2017-03-16 18:23 [PATCH 0/9] net, ipv4, ipv6 refcounter conversions Elena Reshetova
@ 2017-03-16 18:23 ` Elena Reshetova
0 siblings, 0 replies; 12+ messages in thread
From: Elena Reshetova @ 2017-03-16 18:23 UTC (permalink / raw)
To: netdev
Cc: linux-kernel, davem, jmorris, kaber, yoshfuji, steffen.klassert,
kuznet, peterz, keescook, Elena Reshetova, Hans Liljestrand,
David Windsor
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
net/ipv6/xfrm6_tunnel.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index d7b731a..4e438bc 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -59,7 +59,7 @@ struct xfrm6_tunnel_spi {
struct hlist_node list_byspi;
xfrm_address_t addr;
u32 spi;
- atomic_t refcnt;
+ refcount_t refcnt;
struct rcu_head rcu_head;
};
@@ -160,7 +160,7 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
memcpy(&x6spi->addr, saddr, sizeof(x6spi->addr));
x6spi->spi = spi;
- atomic_set(&x6spi->refcnt, 1);
+ refcount_set(&x6spi->refcnt, 1);
hlist_add_head_rcu(&x6spi->list_byspi, &xfrm6_tn->spi_byspi[index]);
@@ -178,7 +178,7 @@ __be32 xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr)
spin_lock_bh(&xfrm6_tunnel_spi_lock);
x6spi = __xfrm6_tunnel_spi_lookup(net, saddr);
if (x6spi) {
- atomic_inc(&x6spi->refcnt);
+ refcount_inc(&x6spi->refcnt);
spi = x6spi->spi;
} else
spi = __xfrm6_tunnel_alloc_spi(net, saddr);
@@ -207,7 +207,7 @@ static void xfrm6_tunnel_free_spi(struct net *net, xfrm_address_t *saddr)
list_byaddr)
{
if (xfrm6_addr_equal(&x6spi->addr, saddr)) {
- if (atomic_dec_and_test(&x6spi->refcnt)) {
+ if (refcount_dec_and_test(&x6spi->refcnt)) {
hlist_del_rcu(&x6spi->list_byaddr);
hlist_del_rcu(&x6spi->list_byspi);
call_rcu(&x6spi->rcu_head, x6spi_destroy_rcu);
--
2.7.4
^ permalink raw reply related [flat|nested] 12+ messages in thread
end of thread, other threads:[~2017-07-04 8:39 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-07-04 6:34 [PATCH 0/9] v2 ipv4/ipv6 refcount conversions Elena Reshetova
2017-07-04 6:34 ` [PATCH 1/9] net, ipv6: convert ipv6_txoptions.refcnt from atomic_t to refcount_t Elena Reshetova
2017-07-04 6:34 ` [PATCH 2/9] net, ipv6: convert inet6_dev.refcnt " Elena Reshetova
2017-07-04 6:34 ` [PATCH 3/9] net, ipv6: convert inet6_ifaddr.refcnt " Elena Reshetova
2017-07-04 6:34 ` [PATCH 4/9] net, ipv6: convert ifmcaddr6.mca_refcnt " Elena Reshetova
2017-07-04 6:34 ` [PATCH 5/9] net, ipv6: convert ifacaddr6.aca_refcnt " Elena Reshetova
2017-07-04 6:34 ` [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt " Elena Reshetova
2017-07-04 6:35 ` [PATCH 7/9] net, ipv6: convert ip6addrlbl_entry.refcnt " Elena Reshetova
2017-07-04 6:35 ` [PATCH 8/9] net, ipv4: convert cipso_v4_doi.refcount " Elena Reshetova
2017-07-04 6:35 ` [PATCH 9/9] net, ipv4: convert fib_info.fib_clntref " Elena Reshetova
2017-07-04 8:39 ` [PATCH 0/9] v2 ipv4/ipv6 refcount conversions David Miller
-- strict thread matches above, loose matches on Subject: below --
2017-03-16 18:23 [PATCH 0/9] net, ipv4, ipv6 refcounter conversions Elena Reshetova
2017-03-16 18:23 ` [PATCH 6/9] net, ipv6: convert xfrm6_tunnel_spi.refcnt from atomic_t to refcount_t Elena Reshetova
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).