net: convert fib_treeref from int to refcount_t

refcount_t type should be used instead of int when fib_treeref is used as
a reference counter,and avoid use-after-free risks.

Signed-off-by: Yajun Deng <yajun.deng@linux.dev>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20210729071350.28919-1-yajun.deng@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/include/net/dn_fib.h b/include/net/dn_fib.h
index ccc6e9d..ddd6565 100644 (file)
--- a/include/net/dn_fib.h
+++ b/include/net/dn_fib.h
@@ -29,7 +29,7 @@ struct dn_fib_nh {
 struct dn_fib_info {
        struct dn_fib_info      *fib_next;
        struct dn_fib_info      *fib_prev;
-       int                     fib_treeref;
+       refcount_t              fib_treeref;
        refcount_t              fib_clntref;
        int                     fib_dead;
        unsigned int            fib_flags;

diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 3ab2563..21c5386 100644 (file)
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -133,7 +133,7 @@ struct fib_info {
        struct hlist_node       fib_lhash;
        struct list_head        nh_list;
        struct net              *fib_net;
-       int                     fib_treeref;
+       refcount_t              fib_treeref;
        refcount_t              fib_clntref;
        unsigned int            fib_flags;
        unsigned char           fib_dead;

diff --git a/net/decnet/dn_fib.c b/net/decnet/dn_fib.c
index 77fbf8e..387a7e8 100644 (file)
--- a/net/decnet/dn_fib.c
+++ b/net/decnet/dn_fib.c
@@ -102,7 +102,7 @@ void dn_fib_free_info(struct dn_fib_info *fi)
 void dn_fib_release_info(struct dn_fib_info *fi)
 {
        spin_lock(&dn_fib_info_lock);
-       if (fi && --fi->fib_treeref == 0) {
+       if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
                if (fi->fib_next)
                        fi->fib_next->fib_prev = fi->fib_prev;
                if (fi->fib_prev)
@@ -385,11 +385,11 @@ link_it:
        if ((ofi = dn_fib_find_info(fi)) != NULL) {
                fi->fib_dead = 1;
                dn_fib_free_info(fi);
-               ofi->fib_treeref++;
+               refcount_inc(&ofi->fib_treeref);
                return ofi;
        }
 
-       fi->fib_treeref++;
+       refcount_inc(&fi->fib_treeref);
        refcount_set(&fi->fib_clntref, 1);
        spin_lock(&dn_fib_info_lock);
        fi->fib_next = dn_fib_info_list;

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 4c0c33e..fa19f4c 100644 (file)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -260,7 +260,7 @@ EXPORT_SYMBOL_GPL(free_fib_info);
 void fib_release_info(struct fib_info *fi)
 {
        spin_lock_bh(&fib_info_lock);
-       if (fi && --fi->fib_treeref == 0) {
+       if (fi && refcount_dec_and_test(&fi->fib_treeref)) {
                hlist_del(&fi->fib_hash);
                if (fi->fib_prefsrc)
                        hlist_del(&fi->fib_lhash);
@@ -1373,7 +1373,7 @@ struct fib_info *fib_create_info(struct fib_config *cfg,
                if (!cfg->fc_mx) {
                        fi = fib_find_info_nh(net, cfg);
                        if (fi) {
-                               fi->fib_treeref++;
+                               refcount_inc(&fi->fib_treeref);
                                return fi;
                        }
                }
@@ -1547,11 +1547,11 @@ link_it:
        if (ofi) {
                fi->fib_dead = 1;
                free_fib_info(fi);
-               ofi->fib_treeref++;
+               refcount_inc(&ofi->fib_treeref);
                return ofi;
        }
 
-       fi->fib_treeref++;
+       refcount_inc(&fi->fib_treeref);
        refcount_set(&fi->fib_clntref, 1);
        spin_lock_bh(&fib_info_lock);
        hlist_add_head(&fi->fib_hash,