tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fs, nfs: convert pnfs_layout_segment.pls_refcount from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

authored by

Elena Reshetova and committed by
Anna Schumaker eba6dd69 a2a5dea7

+8 -8
+6 -6
fs/nfs/pnfs.c
··· 450 450 { 451 451 INIT_LIST_HEAD(&lseg->pls_list); 452 452 INIT_LIST_HEAD(&lseg->pls_lc_list); 453 - atomic_set(&lseg->pls_refcount, 1); 453 + refcount_set(&lseg->pls_refcount, 1); 454 454 set_bit(NFS_LSEG_VALID, &lseg->pls_flags); 455 455 lseg->pls_layout = lo; 456 456 lseg->pls_range = *range; ··· 507 507 return; 508 508 509 509 dprintk("%s: lseg %p ref %d valid %d\n", __func__, lseg, 510 - atomic_read(&lseg->pls_refcount), 510 + refcount_read(&lseg->pls_refcount), 511 511 test_bit(NFS_LSEG_VALID, &lseg->pls_flags)); 512 512 513 513 lo = lseg->pls_layout; 514 514 inode = lo->plh_inode; 515 515 516 - if (atomic_dec_and_lock(&lseg->pls_refcount, &inode->i_lock)) { 516 + if (refcount_dec_and_lock(&lseg->pls_refcount, &inode->i_lock)) { 517 517 if (test_bit(NFS_LSEG_VALID, &lseg->pls_flags)) { 518 518 spin_unlock(&inode->i_lock); 519 519 return; ··· 551 551 static bool pnfs_lseg_dec_and_remove_zero(struct pnfs_layout_segment *lseg, 552 552 struct list_head *tmp_list) 553 553 { 554 - if (!atomic_dec_and_test(&lseg->pls_refcount)) 554 + if (!refcount_dec_and_test(&lseg->pls_refcount)) 555 555 return false; 556 556 pnfs_layout_remove_lseg(lseg->pls_layout, lseg); 557 557 list_add(&lseg->pls_list, tmp_list); ··· 570 570 * outstanding io is finished. 571 571 */ 572 572 dprintk("%s: lseg %p ref %d\n", __func__, lseg, 573 - atomic_read(&lseg->pls_refcount)); 573 + refcount_read(&lseg->pls_refcount)); 574 574 if (pnfs_lseg_dec_and_remove_zero(lseg, tmp_list)) 575 575 rv = 1; 576 576 } ··· 1546 1546 } 1547 1547 1548 1548 dprintk("%s:Return lseg %p ref %d\n", 1549 - __func__, ret, ret ? atomic_read(&ret->pls_refcount) : 0); 1549 + __func__, ret, ret ? refcount_read(&ret->pls_refcount) : 0); 1550 1550 return ret; 1551 1551 } 1552 1552
+2 -2
fs/nfs/pnfs.h
··· 64 64 struct list_head pls_list; 65 65 struct list_head pls_lc_list; 66 66 struct pnfs_layout_range pls_range; 67 - atomic_t pls_refcount; 67 + refcount_t pls_refcount; 68 68 u32 pls_seq; 69 69 unsigned long pls_flags; 70 70 struct pnfs_layout_hdr *pls_layout; ··· 394 394 pnfs_get_lseg(struct pnfs_layout_segment *lseg) 395 395 { 396 396 if (lseg) { 397 - atomic_inc(&lseg->pls_refcount); 397 + refcount_inc(&lseg->pls_refcount); 398 398 smp_mb__after_atomic(); 399 399 } 400 400 return lseg;