Hello!
On 3/18/2017 3:58 PM, Elena Reshetova wrote:
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <[email protected]>
Signed-off-by: Hans Liljestrand <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Signed-off-by: David Windsor <[email protected]>
[...]
diff --git a/net/core/filter.c b/net/core/filter.c
index ebaeaf2..62267e2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
[...]
@@ -1179,12 +1179,13 @@ static int __sk_attach_prog(struct bpf_prog *prog,
struct sock *sk)
return -ENOMEM;
fp->prog = prog;
- atomic_set(&fp->refcnt, 0);
+ refcount_set(&fp->refcnt, 1);
if (!sk_filter_charge(sk, fp)) {
kfree(fp);
return -ENOMEM;
}
+ refcount_set(&fp->refcnt, 1);
Why do it twice?
[...]
MBR, Sergei
