Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH] cxgb3: Convert from atomic_t to refcount_t on l2t_entry->refcnt
@ 2021-07-17 10:16 Xiyu Yang
  2021-07-18 10:42 ` Leon Romanovsky
  0 siblings, 1 reply; 2+ messages in thread
From: Xiyu Yang @ 2021-07-17 10:16 UTC (permalink / raw)
  To: Raju Rangoju, David S. Miller, Jakub Kicinski, netdev, linux-kernel
  Cc: yuanxzhang, Xiyu Yang, Xin Tan

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 drivers/net/ethernet/chelsio/cxgb3/l2t.c | 15 ++++++++-------
 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 10 +++++++---
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.c b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
index 9749d1239f58..0f2a47bc20d8 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
@@ -225,10 +225,11 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
 
 	/* there's definitely a free entry */
 	for (e = d->rover, end = &d->l2tab[d->nentries]; e != end; ++e)
-		if (atomic_read(&e->refcnt) == 0)
+		if (refcount_read(&e->refcnt) == 0)
 			goto found;
 
-	for (e = &d->l2tab[1]; atomic_read(&e->refcnt); ++e) ;
+	for (e = &d->l2tab[1]; refcount_read(&e->refcnt); ++e)
+		;
 found:
 	d->rover = e + 1;
 	atomic_dec(&d->nfree);
@@ -264,7 +265,7 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
 void t3_l2e_free(struct l2t_data *d, struct l2t_entry *e)
 {
 	spin_lock_bh(&e->lock);
-	if (atomic_read(&e->refcnt) == 0) {	/* hasn't been recycled */
+	if (refcount_read(&e->refcnt) == 0) {	/* hasn't been recycled */
 		if (e->neigh) {
 			neigh_release(e->neigh);
 			e->neigh = NULL;
@@ -335,7 +336,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
 		if (e->addr == addr && e->ifindex == ifidx &&
 		    e->smt_idx == smt_idx) {
 			l2t_hold(d, e);
-			if (atomic_read(&e->refcnt) == 1)
+			if (refcount_read(&e->refcnt) == 1)
 				reuse_entry(e, neigh);
 			goto done_unlock;
 		}
@@ -350,7 +351,7 @@ struct l2t_entry *t3_l2t_get(struct t3cdev *cdev, struct dst_entry *dst,
 		e->addr = addr;
 		e->ifindex = ifidx;
 		e->smt_idx = smt_idx;
-		atomic_set(&e->refcnt, 1);
+		refcount_set(&e->refcnt, 1);
 		neigh_replace(e, neigh);
 		if (is_vlan_dev(neigh->dev))
 			e->vlan = vlan_dev_vlan_id(neigh->dev);
@@ -418,7 +419,7 @@ void t3_l2t_update(struct t3cdev *dev, struct neighbour *neigh)
 	__skb_queue_head_init(&arpq);
 
 	read_unlock(&d->lock);
-	if (atomic_read(&e->refcnt)) {
+	if (refcount_read(&e->refcnt)) {
 		if (neigh != e->neigh)
 			neigh_replace(e, neigh);
 
@@ -459,7 +460,7 @@ struct l2t_data *t3_init_l2t(unsigned int l2t_capacity)
 		d->l2tab[i].state = L2T_STATE_UNUSED;
 		__skb_queue_head_init(&d->l2tab[i].arpq);
 		spin_lock_init(&d->l2tab[i].lock);
-		atomic_set(&d->l2tab[i].refcnt, 0);
+		refcount_set(&d->l2tab[i].refcnt, 0);
 	}
 	return d;
 }
diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index ea75f275023f..bbdaa4a6aba2 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -35,6 +35,7 @@
 #include <linux/spinlock.h>
 #include "t3cdev.h"
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 
 enum {
 	L2T_STATE_VALID,	/* entry is up to date */
@@ -66,7 +67,7 @@ struct l2t_entry {
 	struct l2t_entry *next;	/* next l2t_entry on chain */
 	struct sk_buff_head arpq;	/* queue of packets awaiting resolution */
 	spinlock_t lock;
-	atomic_t refcnt;	/* entry reference count */
+	refcount_t refcnt;	/* entry reference count */
 	u8 dmac[6];		/* neighbour's MAC address */
 };
 
@@ -133,7 +134,7 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
 	rcu_read_lock();
 	d = L2DATA(t);
 
-	if (atomic_dec_and_test(&e->refcnt) && d)
+	if (refcount_dec_and_test(&e->refcnt) && d)
 		t3_l2e_free(d, e);
 
 	rcu_read_unlock();
@@ -141,7 +142,10 @@ static inline void l2t_release(struct t3cdev *t, struct l2t_entry *e)
 
 static inline void l2t_hold(struct l2t_data *d, struct l2t_entry *e)
 {
-	if (d && atomic_add_return(1, &e->refcnt) == 1)	/* 0 -> 1 transition */
+	if (!d)
+		return;
+	refcount_inc(&e->refcnt);
+	if (refcount_read(&e->refcnt) == 1)	/* 0 -> 1 transition */
 		atomic_dec(&d->nfree);
 }
 
-- 
2.7.4


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] cxgb3: Convert from atomic_t to refcount_t on l2t_entry->refcnt
  2021-07-17 10:16 [PATCH] cxgb3: Convert from atomic_t to refcount_t on l2t_entry->refcnt Xiyu Yang
@ 2021-07-18 10:42 ` Leon Romanovsky
  0 siblings, 0 replies; 2+ messages in thread
From: Leon Romanovsky @ 2021-07-18 10:42 UTC (permalink / raw)
  To: Xiyu Yang
  Cc: Raju Rangoju, David S. Miller, Jakub Kicinski, netdev,
	linux-kernel, yuanxzhang, Xin Tan

On Sat, Jul 17, 2021 at 06:16:15PM +0800, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
> 
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
> ---
>  drivers/net/ethernet/chelsio/cxgb3/l2t.c | 15 ++++++++-------
>  drivers/net/ethernet/chelsio/cxgb3/l2t.h | 10 +++++++---
>  2 files changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.c b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> index 9749d1239f58..0f2a47bc20d8 100644
> --- a/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> +++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.c
> @@ -225,10 +225,11 @@ static struct l2t_entry *alloc_l2e(struct l2t_data *d)
>  
>  	/* there's definitely a free entry */
>  	for (e = d->rover, end = &d->l2tab[d->nentries]; e != end; ++e)
> -		if (atomic_read(&e->refcnt) == 0)
> +		if (refcount_read(&e->refcnt) == 0)

All those atomic_t to refcount_t patches can't be right, refcount_t can't be 0.

Thanks

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-07-18 10:42 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-17 10:16 [PATCH] cxgb3: Convert from atomic_t to refcount_t on l2t_entry->refcnt Xiyu Yang
2021-07-18 10:42 ` Leon Romanovsky

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).