Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: convert rfcomm_dlc.refcnt from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This makes it possible to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
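As an added illustration of the overflow-to-use-after-free path the commit message refers to (example code written for this page, not kernel code and not part of this commit): a userspace model of a DLC-like object with hypothetical helpers wrap_hold/wrap_put, which do plain wrapping arithmetic the way atomic_inc/atomic_dec_and_test do, and sat_hold/sat_put, which follow the refcount_t rules of refusing to increment from zero and saturating instead of wrapping. MODEL_SATURATED is a stand-in value chosen for the model; the kernel's real saturation constant and exact warning points have changed between versions.

```c
/* Userspace model of atomic_t-style vs refcount_t-style reference
 * counting. Not kernel code; all names below are invented for the model. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Model saturation point (assumption: the kernel constant differs by version). */
#define MODEL_SATURATED UINT_MAX

struct dlc_model {
	unsigned int refcnt;
	bool freed;      /* set where rfcomm_dlc_free() would have run */
	int warnings;    /* places where refcount_t would emit a WARN */
};

/* atomic_t-style: wrapping arithmetic, no checks. */
static void wrap_hold(struct dlc_model *d) { d->refcnt++; }
static void wrap_put(struct dlc_model *d) { if (--d->refcnt == 0) d->freed = true; }

/* refcount_t-style: never increment from zero, never wrap past saturation. */
static void sat_hold(struct dlc_model *d)
{
	if (d->refcnt == 0) {             /* hold on an already-freed object: WARN */
		d->warnings++;
		return;
	}
	if (d->refcnt == MODEL_SATURATED) /* already saturated: stays put, leaks */
		return;
	d->refcnt++;
	if (d->refcnt == MODEL_SATURATED) /* just hit saturation: WARN once */
		d->warnings++;
}

static void sat_put(struct dlc_model *d)
{
	if (d->refcnt == MODEL_SATURATED) /* saturated counters never reach zero */
		return;
	if (d->refcnt == 0) {             /* put on an already-freed object: WARN */
		d->warnings++;
		return;
	}
	if (--d->refcnt == 0)
		d->freed = true;
}

/* 2^32-1 holds outstanding (modelled by starting at UINT_MAX), two more
 * holds wrap the counter to 1, and a single put then frees the object
 * while billions of holders still point at it: the use-after-free. */
static bool wrap_frees_with_holders_outstanding(void)
{
	struct dlc_model d = { .refcnt = UINT_MAX };
	wrap_hold(&d);   /* wraps to 0 */
	wrap_hold(&d);   /* now 1 */
	wrap_put(&d);    /* 0 -> freed with holders outstanding */
	return d.freed;
}

/* Same pressure against the saturating counter: it pins at the ceiling,
 * warns, and the object leaks instead of being freed early. */
static bool sat_never_frees_after_saturation(void)
{
	struct dlc_model d = { .refcnt = MODEL_SATURATED - 1 };
	sat_hold(&d);    /* reaches saturation, warns */
	sat_hold(&d);    /* stays saturated */
	sat_put(&d);     /* no effect */
	sat_put(&d);     /* no effect */
	return !d.freed && d.warnings == 1;
}

/* A hold taken after the last put is reported instead of resurrecting
 * the freed object. */
static bool sat_flags_hold_on_freed_object(void)
{
	struct dlc_model d = { .refcnt = 1 };
	sat_put(&d);     /* last reference dropped: freed */
	sat_hold(&d);    /* increment from zero: WARN */
	return d.freed && d.warnings == 1;
}

/* Ordinary lifecycle: one reference from allocation, one hold, two puts. */
static bool normal_lifecycle_frees_once(void)
{
	struct dlc_model d = { .refcnt = 1 };
	sat_hold(&d);
	sat_put(&d);
	if (d.freed)
		return false;
	sat_put(&d);
	return d.freed && d.warnings == 0;
}

int main(void)
{
	printf("wrapping counter frees early: %d\n", wrap_frees_with_holders_outstanding());
	printf("saturating counter leaks instead: %d\n", sat_never_frees_after_saturation());
	printf("hold on freed object flagged: %d\n", sat_flags_hold_on_freed_object());
	printf("normal lifecycle ok: %d\n", normal_lifecycle_frees_once());
	return 0;
}
```

The trade the commit makes is visible in the second and third scenarios: a wrapped counter silently turns into a dangling pointer, whereas a saturated refcount_t turns into a memory leak plus a warning, which is the failure mode you want in a kernel object.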

authored by Elena Reshetova and committed by Marcel Holtmann
dab6b5da 92322599

+7 -5
+5 -3
include/net/bluetooth/rfcomm.h
··· 21 21 SOFTWARE IS DISCLAIMED. 22 22 */ 23 23 24 + #include <linux/refcount.h> 25 + 24 26 #ifndef __RFCOMM_H 25 27 #define __RFCOMM_H 26 28 ··· 176 174 struct mutex lock; 177 175 unsigned long state; 178 176 unsigned long flags; 179 - atomic_t refcnt; 177 + refcount_t refcnt; 180 178 u8 dlci; 181 179 u8 addr; 182 180 u8 priority; ··· 249 247 250 248 static inline void rfcomm_dlc_hold(struct rfcomm_dlc *d) 251 249 { 252 - atomic_inc(&d->refcnt); 250 + refcount_inc(&d->refcnt); 253 251 } 254 252 255 253 static inline void rfcomm_dlc_put(struct rfcomm_dlc *d) 256 254 { 257 - if (atomic_dec_and_test(&d->refcnt)) 255 + if (refcount_dec_and_test(&d->refcnt)) 258 256 rfcomm_dlc_free(d); 259 257 } 260 258
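Review bot: in the first hunk the new `#include <linux/refcount.h>` is placed before the `#ifndef __RFCOMM_H` include guard rather than inside it; harmless since refcount.h has its own guard, but inconsistent with the header, so move it below `#define __RFCOMM_H`. In the rfcomm_dlc_hold() hunk, note that refcount_inc() refuses to increment from zero and warns, so a hold taken on a DLC whose last reference was already dropped now produces a splat instead of silently resurrecting it; that is the intended hardening, but any caller that took a hold on a possibly-dead DLC is worth a look.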
+2 -2
net/bluetooth/rfcomm/core.c
··· 311 311 312 312 skb_queue_head_init(&d->tx_queue); 313 313 mutex_init(&d->lock); 314 - atomic_set(&d->refcnt, 1); 314 + refcount_set(&d->refcnt, 1); 315 315 316 316 rfcomm_dlc_clear_state(d); 317 317 ··· 342 342 { 343 343 struct rfcomm_session *s = d->session; 344 344 345 - BT_DBG("dlc %p refcnt %d session %p", d, atomic_read(&d->refcnt), s); 345 + BT_DBG("dlc %p refcnt %d session %p", d, refcount_read(&d->refcnt), s); 346 346 347 347 list_del(&d->list); 348 348 d->session = NULL;
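Review bot: in the second hunk the BT_DBG format still uses `%d` for `refcount_read(&d->refcnt)`, which returns an unsigned int; switch it to `%u` so a saturated counter is not printed as a negative number. The `refcount_set(&d->refcnt, 1)` in the first hunk is the single initialisation point and pairs correctly with the hold/put conversion in rfcomm.h.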