[PATCH net-next 01/15] net: convert lcs_reply.refcnt from atomic_t to refcount_t

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, linux-s390@vger.kernel.org,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Stefan Raspl <raspl@linux.vnet.ibm.com>,
	Ursula Braun <ubraun@linux.vnet.ibm.com>,
	Julian Wiedmann <jwi@linux.vnet.ibm.com>
Subject: [PATCH net-next 01/15] net: convert lcs_reply.refcnt from atomic_t to refcount_t
Date: Wed, 20 Dec 2017 20:10:55 +0100	[thread overview]
Message-ID: <20171220191109.90487-2-jwi@linux.vnet.ibm.com> (raw)
In-Reply-To: <20171220191109.90487-1-jwi@linux.vnet.ibm.com>

From: Elena Reshetova <elena.reshetova@intel.com>

atomic_t variables are currently used to implement reference
counters with the following properties:
 - counter is initialized to 1 using atomic_set()
 - a resource is freed upon counter reaching zero
 - once counter reaches zero, its further
   increments aren't allowed
 - counter schema uses basic atomic operations
   (set, inc, inc_not_zero, dec_and_test, etc.)

Such atomic variables should be converted to a newly provided
refcount_t type and API that prevents accidental counter overflows
and underflows. This is important since overflows and underflows
can lead to use-after-free situation and be exploitable.

The variable lcs_reply.refcnt is used as pure reference counter.
Convert it to refcount_t and fix up the operations.

Suggested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: David Windsor <dwindsor@gmail.com>
Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
[jwi: removed the WARN_ONs. Use CONFIG_REFCOUNT_FULL if you care.]
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
---
 drivers/s390/net/lcs.c | 10 +++-------
 drivers/s390/net/lcs.h |  3 ++-
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c
index 92ae84a927fc..0ee8f33efb54 100644
--- a/drivers/s390/net/lcs.c
+++ b/drivers/s390/net/lcs.c
@@ -756,18 +756,14 @@ lcs_get_lancmd(struct lcs_card *card, int count)
 static void
 lcs_get_reply(struct lcs_reply *reply)
 {
-	WARN_ON(atomic_read(&reply->refcnt) <= 0);
-	atomic_inc(&reply->refcnt);
+	refcount_inc(&reply->refcnt);
 }
 
 static void
 lcs_put_reply(struct lcs_reply *reply)
 {
-        WARN_ON(atomic_read(&reply->refcnt) <= 0);
-        if (atomic_dec_and_test(&reply->refcnt)) {
+	if (refcount_dec_and_test(&reply->refcnt))
 		kfree(reply);
-	}
-
 }
 
 static struct lcs_reply *
@@ -780,7 +776,7 @@ lcs_alloc_reply(struct lcs_cmd *cmd)
 	reply = kzalloc(sizeof(struct lcs_reply), GFP_ATOMIC);
 	if (!reply)
 		return NULL;
-	atomic_set(&reply->refcnt,1);
+	refcount_set(&reply->refcnt, 1);
 	reply->sequence_no = cmd->sequence_no;
 	reply->received = 0;
 	reply->rc = 0;
diff --git a/drivers/s390/net/lcs.h b/drivers/s390/net/lcs.h
index fbc8b90b1f85..bd52caa3b11b 100644
--- a/drivers/s390/net/lcs.h
+++ b/drivers/s390/net/lcs.h
@@ -5,6 +5,7 @@
 #include <linux/netdevice.h>
 #include <linux/skbuff.h>
 #include <linux/workqueue.h>
+#include <linux/refcount.h>
 #include <asm/ccwdev.h>
 
 #define LCS_DBF_TEXT(level, name, text) \
@@ -271,7 +272,7 @@ struct lcs_buffer {
 struct lcs_reply {
 	struct list_head list;
 	__u16 sequence_no;
-	atomic_t refcnt;
+	refcount_t refcnt;
 	/* Callback for completion notification. */
 	void (*callback)(struct lcs_card *, struct lcs_cmd *);
 	wait_queue_head_t wait_q;
-- 
2.13.5

next prev parent reply	other threads:[~2017-12-20 19:10 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-12-20 19:10 [PATCH net-next 00/15] s390/net: updates 2017-12-20 Julian Wiedmann
2017-12-20 19:10 ` Julian Wiedmann [this message]
2017-12-20 19:10 ` [PATCH net-next 02/15] qeth: convert qeth_reply.refcnt from atomic_t to refcount_t Julian Wiedmann
2017-12-20 19:10 ` [PATCH net-next 03/15] s390/qeth: use ip*_eth_mc_map helpers Julian Wiedmann
2017-12-20 19:10 ` [PATCH net-next 04/15] s390/qeth: drop CONFIG_QETH_IPV6 Julian Wiedmann
2017-12-20 19:10 ` [PATCH net-next 05/15] s390/qeth: don't keep track of MAC address's cast type Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 06/15] s390/qeth: consolidate qeth MAC address helpers Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 07/15] s390/qeth: use ether_addr_* helpers Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 08/15] s390/qeth: align L2 and L3 set_rx_mode() implementations Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 09/15] s390/qeth: robustify qeth_get_ip_version() Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 10/15] s390/qeth: clean up l3_get_cast_type() Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 11/15] s390/qeth: recognize non-IP multicast on L3 transmit Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 12/15] s390/qeth: unionize next-hop field in qeth L3 header Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 13/15] s390/qeth: streamline l3_fill_header() Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 14/15] s390/qeth: pass full data length to l3_fill_header() Julian Wiedmann
2017-12-20 19:11 ` [PATCH net-next 15/15] s390/qeth: replace open-coded in*_pton() Julian Wiedmann
2017-12-20 20:24 ` [PATCH net-next 00/15] s390/net: updates 2017-12-20 David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:92ae84a927f dfblob:0ee8f33efb5 dfblob:fbc8b90b1f8
dfblob:bd52caa3b11 )
 OR (
bs:"[PATCH net-next 01/15] net: convert lcs_reply.refcnt from atomic_t to refcount_t" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171220191109.90487-2-jwi@linux.vnet.ibm.com \
    --to=jwi@linux.vnet.ibm.com \
    --cc=davem@davemloft.net \
    --cc=heiko.carstens@de.ibm.com \
    --cc=linux-s390@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=raspl@linux.vnet.ibm.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=ubraun@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.