Re: [PATCH] net: convert sk_filter.refcnt from atomic_t to refcount_t

From: Sergei Shtylyov
Date: Sat Mar 18 2017 - 13:28:04 EST

Next message: Milian Wolff: "Re: [PATCH v5 0/5] perf report: Show inline stack"
Previous message: Herbert Xu: "Re: [PATCH 0/5] mm subsystem refcounter conversions"
In reply to: Elena Reshetova: "[PATCH] net: convert sk_filter.refcnt from atomic_t to refcount_t"
Next in thread: Reshetova, Elena: "RE: [PATCH] net: convert sk_filter.refcnt from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello!

On 3/18/2017 3:58 PM, Elena Reshetova wrote:

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@xxxxxxxxx>
Signed-off-by: Hans Liljestrand <ishkamiel@xxxxxxxxx>
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: David Windsor <dwindsor@xxxxxxxxx>

[...]

diff --git a/net/core/filter.c b/net/core/filter.c
index ebaeaf2..62267e2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c

[...]

@@ -1179,12 +1179,13 @@ static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk)
return -ENOMEM;

fp->prog = prog;
- atomic_set(&fp->refcnt, 0);
+ refcount_set(&fp->refcnt, 1);

if (!sk_filter_charge(sk, fp)) {
kfree(fp);
return -ENOMEM;
}
+ refcount_set(&fp->refcnt, 1);

Why do it twice?

[...]

MBR, Sergei

Next message: Milian Wolff: "Re: [PATCH v5 0/5] perf report: Show inline stack"
Previous message: Herbert Xu: "Re: [PATCH 0/5] mm subsystem refcounter conversions"
In reply to: Elena Reshetova: "[PATCH] net: convert sk_filter.refcnt from atomic_t to refcount_t"
Next in thread: Reshetova, Elena: "RE: [PATCH] net: convert sk_filter.refcnt from atomic_t to refcount_t"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]