mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 e65f7ee39b
			
		
	
	
		e65f7ee39b
		
	
	
	
	
		
			
			atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable cn_callback_entry.refcnt is used as pure reference counter. Convert it to refcount_t and fix up the operations. Suggested-by: Kees Cook <keescook@chromium.org> Reviewed-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
		
			
				
	
	
		
			162 lines
		
	
	
		
			3.8 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			162 lines
		
	
	
		
			3.8 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  *	cn_queue.c
 | |
|  *
 | |
|  * 2004+ Copyright (c) Evgeniy Polyakov <zbr@ioremap.net>
 | |
|  * All rights reserved.
 | |
|  *
 | |
|  * This program is free software; you can redistribute it and/or modify
 | |
|  * it under the terms of the GNU General Public License as published by
 | |
|  * the Free Software Foundation; either version 2 of the License, or
 | |
|  * (at your option) any later version.
 | |
|  *
 | |
|  * This program is distributed in the hope that it will be useful,
 | |
|  * but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  * GNU General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU General Public License
 | |
|  * along with this program; if not, write to the Free Software
 | |
|  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 | |
|  *
 | |
|  */
 | |
| 
 | |
| #include <linux/kernel.h>
 | |
| #include <linux/module.h>
 | |
| #include <linux/list.h>
 | |
| #include <linux/workqueue.h>
 | |
| #include <linux/spinlock.h>
 | |
| #include <linux/slab.h>
 | |
| #include <linux/skbuff.h>
 | |
| #include <linux/suspend.h>
 | |
| #include <linux/connector.h>
 | |
| #include <linux/delay.h>
 | |
| 
 | |
| static struct cn_callback_entry *
 | |
| cn_queue_alloc_callback_entry(struct cn_queue_dev *dev, const char *name,
 | |
| 			      struct cb_id *id,
 | |
| 			      void (*callback)(struct cn_msg *,
 | |
| 					       struct netlink_skb_parms *))
 | |
| {
 | |
| 	struct cn_callback_entry *cbq;
 | |
| 
 | |
| 	cbq = kzalloc(sizeof(*cbq), GFP_KERNEL);
 | |
| 	if (!cbq) {
 | |
| 		pr_err("Failed to create new callback queue.\n");
 | |
| 		return NULL;
 | |
| 	}
 | |
| 
 | |
| 	refcount_set(&cbq->refcnt, 1);
 | |
| 
 | |
| 	atomic_inc(&dev->refcnt);
 | |
| 	cbq->pdev = dev;
 | |
| 
 | |
| 	snprintf(cbq->id.name, sizeof(cbq->id.name), "%s", name);
 | |
| 	memcpy(&cbq->id.id, id, sizeof(struct cb_id));
 | |
| 	cbq->callback = callback;
 | |
| 	return cbq;
 | |
| }
 | |
| 
 | |
| void cn_queue_release_callback(struct cn_callback_entry *cbq)
 | |
| {
 | |
| 	if (!refcount_dec_and_test(&cbq->refcnt))
 | |
| 		return;
 | |
| 
 | |
| 	atomic_dec(&cbq->pdev->refcnt);
 | |
| 	kfree(cbq);
 | |
| }
 | |
| 
 | |
| int cn_cb_equal(struct cb_id *i1, struct cb_id *i2)
 | |
| {
 | |
| 	return ((i1->idx == i2->idx) && (i1->val == i2->val));
 | |
| }
 | |
| 
 | |
| int cn_queue_add_callback(struct cn_queue_dev *dev, const char *name,
 | |
| 			  struct cb_id *id,
 | |
| 			  void (*callback)(struct cn_msg *,
 | |
| 					   struct netlink_skb_parms *))
 | |
| {
 | |
| 	struct cn_callback_entry *cbq, *__cbq;
 | |
| 	int found = 0;
 | |
| 
 | |
| 	cbq = cn_queue_alloc_callback_entry(dev, name, id, callback);
 | |
| 	if (!cbq)
 | |
| 		return -ENOMEM;
 | |
| 
 | |
| 	spin_lock_bh(&dev->queue_lock);
 | |
| 	list_for_each_entry(__cbq, &dev->queue_list, callback_entry) {
 | |
| 		if (cn_cb_equal(&__cbq->id.id, id)) {
 | |
| 			found = 1;
 | |
| 			break;
 | |
| 		}
 | |
| 	}
 | |
| 	if (!found)
 | |
| 		list_add_tail(&cbq->callback_entry, &dev->queue_list);
 | |
| 	spin_unlock_bh(&dev->queue_lock);
 | |
| 
 | |
| 	if (found) {
 | |
| 		cn_queue_release_callback(cbq);
 | |
| 		return -EINVAL;
 | |
| 	}
 | |
| 
 | |
| 	cbq->seq = 0;
 | |
| 	cbq->group = cbq->id.id.idx;
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 | |
| void cn_queue_del_callback(struct cn_queue_dev *dev, struct cb_id *id)
 | |
| {
 | |
| 	struct cn_callback_entry *cbq, *n;
 | |
| 	int found = 0;
 | |
| 
 | |
| 	spin_lock_bh(&dev->queue_lock);
 | |
| 	list_for_each_entry_safe(cbq, n, &dev->queue_list, callback_entry) {
 | |
| 		if (cn_cb_equal(&cbq->id.id, id)) {
 | |
| 			list_del(&cbq->callback_entry);
 | |
| 			found = 1;
 | |
| 			break;
 | |
| 		}
 | |
| 	}
 | |
| 	spin_unlock_bh(&dev->queue_lock);
 | |
| 
 | |
| 	if (found)
 | |
| 		cn_queue_release_callback(cbq);
 | |
| }
 | |
| 
 | |
| struct cn_queue_dev *cn_queue_alloc_dev(const char *name, struct sock *nls)
 | |
| {
 | |
| 	struct cn_queue_dev *dev;
 | |
| 
 | |
| 	dev = kzalloc(sizeof(*dev), GFP_KERNEL);
 | |
| 	if (!dev)
 | |
| 		return NULL;
 | |
| 
 | |
| 	snprintf(dev->name, sizeof(dev->name), "%s", name);
 | |
| 	atomic_set(&dev->refcnt, 0);
 | |
| 	INIT_LIST_HEAD(&dev->queue_list);
 | |
| 	spin_lock_init(&dev->queue_lock);
 | |
| 
 | |
| 	dev->nls = nls;
 | |
| 
 | |
| 	return dev;
 | |
| }
 | |
| 
 | |
| void cn_queue_free_dev(struct cn_queue_dev *dev)
 | |
| {
 | |
| 	struct cn_callback_entry *cbq, *n;
 | |
| 
 | |
| 	spin_lock_bh(&dev->queue_lock);
 | |
| 	list_for_each_entry_safe(cbq, n, &dev->queue_list, callback_entry)
 | |
| 		list_del(&cbq->callback_entry);
 | |
| 	spin_unlock_bh(&dev->queue_lock);
 | |
| 
 | |
| 	while (atomic_read(&dev->refcnt)) {
 | |
| 		pr_info("Waiting for %s to become free: refcnt=%d.\n",
 | |
| 		       dev->name, atomic_read(&dev->refcnt));
 | |
| 		msleep(1000);
 | |
| 	}
 | |
| 
 | |
| 	kfree(dev);
 | |
| 	dev = NULL;
 | |
| }
 |