Return-Path: Received: from mga02.intel.com ([134.134.136.20]:13939 "EHLO mga02.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752787AbdJTJ4A (ORCPT ); Fri, 20 Oct 2017 05:56:00 -0400 From: Elena Reshetova To: trond.myklebust@primarydata.com Cc: linux-kernel@vger.kernel.org, linux-nfs@vger.kernel.org, anna.schumaker@netapp.com, bfields@fieldses.org, jlayton@poochiereds.net, peterz@infradead.org, keescook@chromium.org, Elena Reshetova Subject: [PATCH 08/11] fs, nfs: convert nfs_cache_defer_req.count from atomic_t to refcount_t Date: Fri, 20 Oct 2017 12:53:35 +0300 Message-Id: <1508493218-27760-9-git-send-email-elena.reshetova@intel.com> In-Reply-To: <1508493218-27760-1-git-send-email-elena.reshetova@intel.com> References: <1508493218-27760-1-git-send-email-elena.reshetova@intel.com> Sender: linux-nfs-owner@vger.kernel.org List-ID: atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable nfs_cache_defer_req.count is used as pure reference counter. Convert it to refcount_t and fix up the operations. Suggested-by: Kees Cook Reviewed-by: David Windsor Reviewed-by: Hans Liljestrand Signed-off-by: Elena Reshetova --- fs/nfs/cache_lib.c | 6 +++--- fs/nfs/cache_lib.h | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/fs/nfs/cache_lib.c b/fs/nfs/cache_lib.c index 2ae676f..6167f13 100644 --- a/fs/nfs/cache_lib.c +++ b/fs/nfs/cache_lib.c @@ -66,7 +66,7 @@ int nfs_cache_upcall(struct cache_detail *cd, char *entry_name) */ void nfs_cache_defer_req_put(struct nfs_cache_defer_req *dreq) { - if (atomic_dec_and_test(&dreq->count)) + if (refcount_dec_and_test(&dreq->count)) kfree(dreq); } @@ -86,7 +86,7 @@ static struct cache_deferred_req *nfs_dns_cache_defer(struct cache_req *req) dreq = container_of(req, struct nfs_cache_defer_req, req); dreq->deferred_req.revisit = nfs_dns_cache_revisit; - atomic_inc(&dreq->count); + refcount_inc(&dreq->count); return &dreq->deferred_req; } @@ -98,7 +98,7 @@ struct nfs_cache_defer_req *nfs_cache_defer_req_alloc(void) dreq = kzalloc(sizeof(*dreq), GFP_KERNEL); if (dreq) { init_completion(&dreq->completion); - atomic_set(&dreq->count, 1); + refcount_set(&dreq->count, 1); dreq->req.defer = nfs_dns_cache_defer; } return dreq; diff --git a/fs/nfs/cache_lib.h b/fs/nfs/cache_lib.h index 4116d2c..02b378c 100644 --- a/fs/nfs/cache_lib.h +++ b/fs/nfs/cache_lib.h @@ -15,7 +15,7 @@ struct nfs_cache_defer_req { struct cache_req req; struct cache_deferred_req deferred_req; struct completion completion; - atomic_t count; + refcount_t count; }; extern int nfs_cache_upcall(struct cache_detail *cd, char *entry_name); -- 2.7.4