ext4: convert from atomic_t to refcount_t on ext4_io_end->count

sherlly · tytso · commit 31d21d219b51 · 2021-11-04T10:33:24.000-04:00
refcount_t type and corresponding API can protect refcounters from accidental underflow and overflow and further use-after-free situations. Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Link: https://lore.kernel.org/r/1626674355-55795-1-git-send-email-xiyuyang19@fudan.edu.cn Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
@@ -17,6 +17,7 @@
 #ifndef _EXT4_H
 #define _EXT4_H
 
+#include <linux/refcount.h>
 #include <linux/types.h>
 #include <linux/blkdev.h>
 #include <linux/magic.h>
@@ -241,7 +242,7 @@ typedef struct ext4_io_end {
 	struct bio		*bio;		/* Linked list of completed
 						 * bios covering the extent */
 	unsigned int		flag;		/* unwritten or not */
-	atomic_t		count;		/* reference counter */
+	refcount_t		count;		/* reference counter */
 	struct list_head	list_vec;	/* list of ext4_io_end_vec */
 } ext4_io_end_t;
 
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
@@ -279,14 +279,14 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags)
 		io_end->inode = inode;
 		INIT_LIST_HEAD(&io_end->list);
 		INIT_LIST_HEAD(&io_end->list_vec);
-		atomic_set(&io_end->count, 1);
+		refcount_set(&io_end->count, 1);
 	}
 	return io_end;
 }
 
 void ext4_put_io_end_defer(ext4_io_end_t *io_end)
 {
-	if (atomic_dec_and_test(&io_end->count)) {
+	if (refcount_dec_and_test(&io_end->count)) {
 		if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) ||
 				list_empty(&io_end->list_vec)) {
 			ext4_release_io_end(io_end);
@@ -300,7 +300,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
 {
 	int err = 0;
 
-	if (atomic_dec_and_test(&io_end->count)) {
+	if (refcount_dec_and_test(&io_end->count)) {
 		if (io_end->flag & EXT4_IO_END_UNWRITTEN) {
 			err = ext4_convert_unwritten_io_end_vec(io_end->handle,
 								io_end);
@@ -314,7 +314,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
 
 ext4_io_end_t *ext4_get_io_end(ext4_io_end_t *io_end)
 {
-	atomic_inc(&io_end->count);
+	refcount_inc(&io_end->count);
 	return io_end;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -279,14 +279,14 @@ ext4_io_end_t ext4_init_io_end(struct inode inode, gfp_t flags)`
`279`	`279`	`io_end->inode = inode;`
`280`	`280`	`INIT_LIST_HEAD(&io_end->list);`
`281`	`281`	`INIT_LIST_HEAD(&io_end->list_vec);`
`282`		`- atomic_set(&io_end->count, 1);`
	`282`	`+ refcount_set(&io_end->count, 1);`
`283`	`283`	`}`
`284`	`284`	`return io_end;`
`285`	`285`	`}`
`286`	`286`
`287`	`287`	`void ext4_put_io_end_defer(ext4_io_end_t *io_end)`
`288`	`288`	`{`
`289`		`- if (atomic_dec_and_test(&io_end->count)) {`
	`289`	`+ if (refcount_dec_and_test(&io_end->count)) {`
`290`	`290`	`if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) \|\|`
`291`	`291`	`list_empty(&io_end->list_vec)) {`
`292`	`292`	`ext4_release_io_end(io_end);`
`@@ -300,7 +300,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)`
`300`	`300`	`{`
`301`	`301`	`int err = 0;`
`302`	`302`
`303`		`- if (atomic_dec_and_test(&io_end->count)) {`
	`303`	`+ if (refcount_dec_and_test(&io_end->count)) {`
`304`	`304`	`if (io_end->flag & EXT4_IO_END_UNWRITTEN) {`
`305`	`305`	`err = ext4_convert_unwritten_io_end_vec(io_end->handle,`
`306`	`306`	`io_end);`
`@@ -314,7 +314,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)`
`314`	`314`
`315`	`315`	`ext4_io_end_t ext4_get_io_end(ext4_io_end_t io_end)`
`316`	`316`	`{`
`317`		`- atomic_inc(&io_end->count);`
	`317`	`+ refcount_inc(&io_end->count);`
`318`	`318`	`return io_end;`
`319`	`319`	`}`
`320`	`320`