diff options
| author | Eric Dumazet <edumazet@google.com> | 2017-08-31 16:48:22 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-09-01 20:22:03 -0700 |
| commit | c1d1b437816f0afa99202be3cb650c9d174667bc (patch) | |
| tree | 14ee9ec0f2e759bb237b2a010aa56989874cc054 /net | |
| parent | db5bce32fbe19f0c7482fb5a40a33178bbe7b11b (diff) | |
| download | linux-c1d1b437816f0afa99202be3cb650c9d174667bc.tar.gz | |
net: convert (struct ubuf_info)->refcnt to refcount_t
refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. v2: added the change in drivers/vhost/net.c as spotted by Willem. Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/skbuff.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a003f953a0a6..68065d7d383f 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -963,7 +963,7 @@ struct ubuf_info *sock_zerocopy_alloc(struct sock *sk, size_t size) uarg->len = 1; uarg->bytelen = size; uarg->zerocopy = 1; - atomic_set(&uarg->refcnt, 1); + refcount_set(&uarg->refcnt, 1); sock_hold(sk); return uarg; @@ -1086,7 +1086,7 @@ EXPORT_SYMBOL_GPL(sock_zerocopy_callback); void sock_zerocopy_put(struct ubuf_info *uarg) { - if (uarg && atomic_dec_and_test(&uarg->refcnt)) { + if (uarg && refcount_dec_and_test(&uarg->refcnt)) { if (uarg->callback) uarg->callback(uarg, uarg->zerocopy); else @@ -1483,7 +1483,7 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail, if (skb_orphan_frags(skb, gfp_mask)) goto nofrags; if (skb_zcopy(skb)) - atomic_inc(&skb_uarg(skb)->refcnt); + refcount_inc(&skb_uarg(skb)->refcnt); for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) skb_frag_ref(skb, i); |