diff options
| author | Reshetova, Elena <elena.reshetova@intel.com> | 2017-06-30 06:07:58 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-07-01 10:39:07 -0400 |
| commit | 633547973ffc32fd2c815639d4675e1531f0896f (patch) | |
| tree | 751ca7a379366af93f578d9f35f48339d4d2dd9b /net/core/skbuff.c | |
| parent | 53869cebce4bc53f71a080e7830600d4ae1ab712 (diff) | |
net: convert sk_buff.users from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/skbuff.c')
| -rw-r--r-- | net/core/skbuff.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f75897a33fa4..45dc6620dd74 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -176,7 +176,7 @@ struct sk_buff *__alloc_skb_head(gfp_t gfp_mask, int node) | |||
| 176 | memset(skb, 0, offsetof(struct sk_buff, tail)); | 176 | memset(skb, 0, offsetof(struct sk_buff, tail)); |
| 177 | skb->head = NULL; | 177 | skb->head = NULL; |
| 178 | skb->truesize = sizeof(struct sk_buff); | 178 | skb->truesize = sizeof(struct sk_buff); |
| 179 | atomic_set(&skb->users, 1); | 179 | refcount_set(&skb->users, 1); |
| 180 | 180 | ||
| 181 | skb->mac_header = (typeof(skb->mac_header))~0U; | 181 | skb->mac_header = (typeof(skb->mac_header))~0U; |
| 182 | out: | 182 | out: |
| @@ -247,7 +247,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t gfp_mask, | |||
| 247 | /* Account for allocated memory : skb + skb->head */ | 247 | /* Account for allocated memory : skb + skb->head */ |
| 248 | skb->truesize = SKB_TRUESIZE(size); | 248 | skb->truesize = SKB_TRUESIZE(size); |
| 249 | skb->pfmemalloc = pfmemalloc; | 249 | skb->pfmemalloc = pfmemalloc; |
| 250 | atomic_set(&skb->users, 1); | 250 | refcount_set(&skb->users, 1); |
| 251 | skb->head = data; | 251 | skb->head = data; |
| 252 | skb->data = data; | 252 | skb->data = data; |
| 253 | skb_reset_tail_pointer(skb); | 253 | skb_reset_tail_pointer(skb); |
| @@ -314,7 +314,7 @@ struct sk_buff *__build_skb(void *data, unsigned int frag_size) | |||
| 314 | 314 | ||
| 315 | memset(skb, 0, offsetof(struct sk_buff, tail)); | 315 | memset(skb, 0, offsetof(struct sk_buff, tail)); |
| 316 | skb->truesize = SKB_TRUESIZE(size); | 316 | skb->truesize = SKB_TRUESIZE(size); |
| 317 | atomic_set(&skb->users, 1); | 317 | refcount_set(&skb->users, 1); |
| 318 | skb->head = data; | 318 | skb->head = data; |
| 319 | skb->data = data; | 319 | skb->data = data; |
| 320 | skb_reset_tail_pointer(skb); | 320 | skb_reset_tail_pointer(skb); |
| @@ -915,7 +915,7 @@ static struct sk_buff *__skb_clone(struct sk_buff *n, struct sk_buff *skb) | |||
| 915 | C(head_frag); | 915 | C(head_frag); |
| 916 | C(data); | 916 | C(data); |
| 917 | C(truesize); | 917 | C(truesize); |
| 918 | atomic_set(&n->users, 1); | 918 | refcount_set(&n->users, 1); |
| 919 | 919 | ||
| 920 | atomic_inc(&(skb_shinfo(skb)->dataref)); | 920 | atomic_inc(&(skb_shinfo(skb)->dataref)); |
| 921 | skb->cloned = 1; | 921 | skb->cloned = 1; |