net: convert sock.sk_wmem_alloc from atomic_t to refcount_t

refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Reshetova, Elena <elena.reshetova@intel.com> 2017-06-30 06:08:00 -0400
committer: David S. Miller <davem@davemloft.net> 2017-07-01 10:39:08 -0400
commit: 14afee4b6092fde451ee17604e5f5c89da33e71e (patch)
tree: 19be7a1d72a1b25c5e5366c1213cdda982aacca2 /net/unix
parent: 2638595afccf6554bfe55268ff9b2d3ac3dff2e6 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 1a0c961f4ffe..7c2e21ebbedc 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -442,7 +442,7 @@ static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
 static int unix_writable(const struct sock *sk)
 {
        return sk->sk_state != TCP_LISTEN &&
-               (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
+               (refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
 }
 static void unix_write_space(struct sock *sk)
@@ -487,7 +487,7 @@ static void unix_sock_destructor(struct sock *sk)
        skb_queue_purge(&sk->sk_receive_queue);
-        WARN_ON(atomic_read(&sk->sk_wmem_alloc));
+        WARN_ON(refcount_read(&sk->sk_wmem_alloc));
        WARN_ON(!sk_unhashed(sk));
        WARN_ON(sk->sk_socket);
        if (!sock_flag(sk, SOCK_DEAD)) {
@@ -2033,7 +2033,7 @@ alloc_skb:
        skb->len += size;
        skb->data_len += size;
        skb->truesize += size;
-        atomic_add(size, &sk->sk_wmem_alloc);
+        refcount_add(size, &sk->sk_wmem_alloc);
        if (newskb) {
                err = unix_scm_to_skb(&scm, skb, false);
author	Reshetova, Elena <elena.reshetova@intel.com>	2017-06-30 06:08:00 -0400
committer	David S. Miller <davem@davemloft.net>	2017-07-01 10:39:08 -0400
commit	14afee4b6092fde451ee17604e5f5c89da33e71e (patch)
tree	19be7a1d72a1b25c5e5366c1213cdda982aacca2 /net/unix
parent	2638595afccf6554bfe55268ff9b2d3ac3dff2e6 (diff)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 1a0c961f4ffe..7c2e21ebbedc 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -442,7 +442,7 @@ static int unix_dgram_peer_wake_me(struct sock sk, struct sock other)
442	static int unix_writable(const struct sock *sk)	442	static int unix_writable(const struct sock *sk)
443	{	443	{
444	return sk->sk_state != TCP_LISTEN &&	444	return sk->sk_state != TCP_LISTEN &&
445	(atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;	445	(refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
446	}	446	}
447		447
448	static void unix_write_space(struct sock *sk)	448	static void unix_write_space(struct sock *sk)
@@ -487,7 +487,7 @@ static void unix_sock_destructor(struct sock *sk)
487		487
488	skb_queue_purge(&sk->sk_receive_queue);	488	skb_queue_purge(&sk->sk_receive_queue);
489		489
490	WARN_ON(atomic_read(&sk->sk_wmem_alloc));	490	WARN_ON(refcount_read(&sk->sk_wmem_alloc));
491	WARN_ON(!sk_unhashed(sk));	491	WARN_ON(!sk_unhashed(sk));
492	WARN_ON(sk->sk_socket);	492	WARN_ON(sk->sk_socket);
493	if (!sock_flag(sk, SOCK_DEAD)) {	493	if (!sock_flag(sk, SOCK_DEAD)) {
@@ -2033,7 +2033,7 @@ alloc_skb:
2033	skb->len += size;	2033	skb->len += size;
2034	skb->data_len += size;	2034	skb->data_len += size;
2035	skb->truesize += size;	2035	skb->truesize += size;
2036	atomic_add(size, &sk->sk_wmem_alloc);	2036	refcount_add(size, &sk->sk_wmem_alloc);
2037		2037
2038	if (newskb) {	2038	if (newskb) {
2039	err = unix_scm_to_skb(&scm, skb, false);	2039	err = unix_scm_to_skb(&scm, skb, false);