2021-07-19 06:00:32

by Xiyu Yang

Subject: [PATCH] ext4: Convert from atomic_t to refcount_t on ext4_io_end->count

The refcount_t type and its corresponding API protect reference counters
from accidental underflow and overflow, and from the use-after-free
situations that can follow.

Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
fs/ext4/ext4.h | 3 ++-
fs/ext4/page-io.c | 8 ++++----
2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 3c51e243450d..e5b3575da7e9 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -17,6 +17,7 @@
#ifndef _EXT4_H
#define _EXT4_H

+#include <linux/refcount.h>
#include <linux/types.h>
#include <linux/blkdev.h>
#include <linux/magic.h>
@@ -241,7 +242,7 @@ typedef struct ext4_io_end {
struct bio *bio; /* Linked list of completed
* bios covering the extent */
unsigned int flag; /* unwritten or not */
- atomic_t count; /* reference counter */
+ refcount_t count; /* reference counter */
struct list_head list_vec; /* list of ext4_io_end_vec */
} ext4_io_end_t;

diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index f038d578d8d8..9cb261714991 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -279,14 +279,14 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags)
io_end->inode = inode;
INIT_LIST_HEAD(&io_end->list);
INIT_LIST_HEAD(&io_end->list_vec);
- atomic_set(&io_end->count, 1);
+ refcount_set(&io_end->count, 1);
}
return io_end;
}

void ext4_put_io_end_defer(ext4_io_end_t *io_end)
{
- if (atomic_dec_and_test(&io_end->count)) {
+ if (refcount_dec_and_test(&io_end->count)) {
if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) ||
list_empty(&io_end->list_vec)) {
ext4_release_io_end(io_end);
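Review bot: The switch to `refcount_dec_and_test()` in `ext4_put_io_end_defer()` relaxes the memory ordering of the final put: `atomic_dec_and_test()` is fully ordered, while the refcount variant gives release ordering, plus acquire only on the call that reaches zero. The same applies to `ext4_put_io_end()` in the next hunk, and the changelog does not say whether either release path was relying on the stronger ordering. If neither does, a line such as `refcount_dec_and_test() gives RELEASE ordering and ACQUIRE on success rather than full ordering; the io_end put paths do not depend on the latter.` would record that. The failure mode also changes: an extra put on a zero count now warns, saturates and returns false, so the object is leaked instead of being released a second time. Both function bodies continue outside their hunks.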
@@ -300,7 +300,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
{
int err = 0;

- if (atomic_dec_and_test(&io_end->count)) {
+ if (refcount_dec_and_test(&io_end->count)) {
if (io_end->flag & EXT4_IO_END_UNWRITTEN) {
err = ext4_convert_unwritten_io_end_vec(io_end->handle,
io_end);
@@ -314,7 +314,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)

ext4_io_end_t *ext4_get_io_end(ext4_io_end_t *io_end)
{
- atomic_inc(&io_end->count);
+ refcount_inc(&io_end->count);
return io_end;
}
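Review bot: `ext4_get_io_end()` now calls `refcount_inc()`, which warns and saturates the counter when it is incremented from zero, so the function is only valid when the caller already holds a reference. Nothing in the hunk states that rule; a comment above the function would make it explicit, for example `/* Caller must already hold a reference to io_end; refcount_inc() warns if the count is zero. */`. Whether every caller satisfies this cannot be checked from the lines shown.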

--
2.7.4


2021-08-04 14:06:49

by Jan Kara

Subject: Re: [PATCH] ext4: Convert from atomic_t to refcount_t on ext4_io_end->count

On Mon 19-07-21 13:59:14, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
>
> Signed-off-by: Xiyu Yang <[email protected]>
> Signed-off-by: Xin Tan <[email protected]>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <[email protected]>

Honza

> ---
> fs/ext4/ext4.h | 3 ++-
> fs/ext4/page-io.c | 8 ++++----
> 2 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 3c51e243450d..e5b3575da7e9 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -17,6 +17,7 @@
> #ifndef _EXT4_H
> #define _EXT4_H
>
> +#include <linux/refcount.h>
> #include <linux/types.h>
> #include <linux/blkdev.h>
> #include <linux/magic.h>
> @@ -241,7 +242,7 @@ typedef struct ext4_io_end {
> struct bio *bio; /* Linked list of completed
> * bios covering the extent */
> unsigned int flag; /* unwritten or not */
> - atomic_t count; /* reference counter */
> + refcount_t count; /* reference counter */
> struct list_head list_vec; /* list of ext4_io_end_vec */
> } ext4_io_end_t;
>
> diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
> index f038d578d8d8..9cb261714991 100644
> --- a/fs/ext4/page-io.c
> +++ b/fs/ext4/page-io.c
> @@ -279,14 +279,14 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags)
> io_end->inode = inode;
> INIT_LIST_HEAD(&io_end->list);
> INIT_LIST_HEAD(&io_end->list_vec);
> - atomic_set(&io_end->count, 1);
> + refcount_set(&io_end->count, 1);
> }
> return io_end;
> }
>
> void ext4_put_io_end_defer(ext4_io_end_t *io_end)
> {
> - if (atomic_dec_and_test(&io_end->count)) {
> + if (refcount_dec_and_test(&io_end->count)) {
> if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) ||
> list_empty(&io_end->list_vec)) {
> ext4_release_io_end(io_end);
> @@ -300,7 +300,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
> {
> int err = 0;
>
> - if (atomic_dec_and_test(&io_end->count)) {
> + if (refcount_dec_and_test(&io_end->count)) {
> if (io_end->flag & EXT4_IO_END_UNWRITTEN) {
> err = ext4_convert_unwritten_io_end_vec(io_end->handle,
> io_end);
> @@ -314,7 +314,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
>
> ext4_io_end_t *ext4_get_io_end(ext4_io_end_t *io_end)
> {
> - atomic_inc(&io_end->count);
> + refcount_inc(&io_end->count);
> return io_end;
> }
>
> --
> 2.7.4
>
--
Jan Kara <[email protected]>
SUSE Labs, CR

2021-10-13 20:47:07

by Theodore Ts'o

Subject: Re: [PATCH] ext4: Convert from atomic_t to refcount_t on ext4_io_end->count

On Mon, 19 Jul 2021 13:59:14 +0800, Xiyu Yang wrote:
> refcount_t type and corresponding API can protect refcounters from
> accidental underflow and overflow and further use-after-free situations.
>
>

Applied, thanks!

[1/1] ext4: Convert from atomic_t to refcount_t on ext4_io_end->count
commit: 6333c4e6167b01a27a6d13bd7bbeb9451d4067c1

Best regards,
--
Theodore Ts'o <[email protected]>