From: Elena Reshetova <elena.reshetova@intel.com>
To: linux-kernel@vger.kernel.org
Cc: linux-fsdevel@vger.kernel.org, linux-btrfs@vger.kernel.org,
	peterz@infradead.org, gregkh@linuxfoundation.org, jbacik@fb.com,
	clm@fb.com, dsterba@suse.com,
	Elena Reshetova <elena.reshetova@intel.com>,
	Hans Liljestrand <ishkamiel@gmail.com>,
	Kees Cook <keescook@chromium.org>,
	David Windsor <dwindsor@gmail.com>
Subject: [PATCH 07/17] fs, btrfs: convert btrfs_delayed_node.refs from atomic_t to refcount_t
Date: Fri,  3 Mar 2017 10:55:16 +0200	[thread overview]
Message-ID: <1488531326-21271-8-git-send-email-elena.reshetova@intel.com> (raw)
In-Reply-To: <1488531326-21271-1-git-send-email-elena.reshetova@intel.com>

The refcount_t type and its corresponding API should be
used instead of atomic_t when a variable is used as
a reference counter. This helps avoid accidental
reference counter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
---
 fs/btrfs/delayed-inode.c | 28 ++++++++++++++--------------
 fs/btrfs/delayed-inode.h |  3 ++-
 2 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
index 1aff676..7396c36 100644
--- a/fs/btrfs/delayed-inode.c
+++ b/fs/btrfs/delayed-inode.c
@@ -52,7 +52,7 @@ static inline void btrfs_init_delayed_node(
 {
 	delayed_node->root = root;
 	delayed_node->inode_id = inode_id;
-	atomic_set(&delayed_node->refs, 0);
+	refcount_set(&delayed_node->refs, 0);
 	delayed_node->ins_root = RB_ROOT;
 	delayed_node->del_root = RB_ROOT;
 	mutex_init(&delayed_node->mutex);
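Review bot: `refcount_set(&delayed_node->refs, 0)` leaves the counter in the state that refcount_t treats as already released, so any `refcount_inc()` or `refcount_add()` issued before the count is set to a live value would warn instead of taking a reference. The only initialisation path visible in this patch follows it with `refcount_set(&node->refs, 2)`, which is fine, but the dependency deserves a comment such as `/* not live yet: the caller publishes the node with refcount_set() */`. The function's signature and the rest of its body are outside the hunk, so other callers cannot be checked from here.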
@@ -81,7 +81,7 @@ static struct btrfs_delayed_node *btrfs_get_delayed_node(
 
 	node = READ_ONCE(btrfs_inode->delayed_node);
 	if (node) {
-		atomic_inc(&node->refs);
+		refcount_inc(&node->refs);
 		return node;
 	}
 
@@ -89,14 +89,14 @@ static struct btrfs_delayed_node *btrfs_get_delayed_node(
 	node = radix_tree_lookup(&root->delayed_nodes_tree, ino);
 	if (node) {
 		if (btrfs_inode->delayed_node) {
-			atomic_inc(&node->refs);	/* can be accessed */
+			refcount_inc(&node->refs);	/* can be accessed */
 			BUG_ON(btrfs_inode->delayed_node != node);
 			spin_unlock(&root->inode_lock);
 			return node;
 		}
 		btrfs_inode->delayed_node = node;
 		/* can be accessed and cached in the inode */
-		atomic_add(2, &node->refs);
+		refcount_add(2, &node->refs);
 		spin_unlock(&root->inode_lock);
 		return node;
 	}
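Review bot: The `refcount_add(2, &node->refs)` taken after `radix_tree_lookup()` can run on a node whose count has already reached zero, and refcount_t does not allow a count to be raised from zero: it warns and, depending on the implementation, leaves the count at zero or saturates it. The release hunk in __btrfs_release_delayed_node shows why this can happen: `refcount_dec_and_test()` runs before `root->inode_lock` is taken and the count is re-read under the lock, so the old atomic_t code tolerated a lookup reviving the node in that window. After the conversion the caller could be handed a node that the release path goes on to free. Taking the reference with `refcount_inc_not_zero()` and treating failure as "not found" closes the window, assuming callers already handle a NULL return, which the part of the function outside this hunk would have to confirm. The `refcount_inc()` loop in btrfs_kill_all_delayed_nodes walks the same tree under the same lock and needs the same treatment.

```c
	node = radix_tree_lookup(&root->delayed_nodes_tree, ino);
	if (node) {
		/* … unchanged: branch for an inode that already caches the node … */

		/*
		 * The node may still be in the tree with a count of zero while
		 * the release path waits for inode_lock; treat it as absent.
		 */
		if (refcount_inc_not_zero(&node->refs)) {
			/* second reference: cached in the inode */
			refcount_inc(&node->refs);
			btrfs_inode->delayed_node = node;
		} else {
			node = NULL;
		}
		spin_unlock(&root->inode_lock);
		return node;
	}
```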
@@ -125,7 +125,7 @@ static struct btrfs_delayed_node *btrfs_get_or_create_delayed_node(
 	btrfs_init_delayed_node(node, root, ino);
 
 	/* cached in the btrfs inode and can be accessed */
-	atomic_add(2, &node->refs);
+	refcount_set(&node->refs, 2);
 
 	ret = radix_tree_preload(GFP_NOFS);
 	if (ret) {
@@ -166,7 +166,7 @@ static void btrfs_queue_delayed_node(struct btrfs_delayed_root *root,
 	} else {
 		list_add_tail(&node->n_list, &root->node_list);
 		list_add_tail(&node->p_list, &root->prepare_list);
-		atomic_inc(&node->refs);	/* inserted into list */
+		refcount_inc(&node->refs);	/* inserted into list */
 		root->nodes++;
 		set_bit(BTRFS_DELAYED_NODE_IN_LIST, &node->flags);
 	}
@@ -180,7 +180,7 @@ static void btrfs_dequeue_delayed_node(struct btrfs_delayed_root *root,
 	spin_lock(&root->lock);
 	if (test_bit(BTRFS_DELAYED_NODE_IN_LIST, &node->flags)) {
 		root->nodes--;
-		atomic_dec(&node->refs);	/* not in the list */
+		refcount_dec(&node->refs);	/* not in the list */
 		list_del_init(&node->n_list);
 		if (!list_empty(&node->p_list))
 			list_del_init(&node->p_list);
@@ -201,7 +201,7 @@ static struct btrfs_delayed_node *btrfs_first_delayed_node(
 
 	p = delayed_root->node_list.next;
 	node = list_entry(p, struct btrfs_delayed_node, n_list);
-	atomic_inc(&node->refs);
+	refcount_inc(&node->refs);
 out:
 	spin_unlock(&delayed_root->lock);
 
@@ -228,7 +228,7 @@ static struct btrfs_delayed_node *btrfs_next_delayed_node(
 		p = node->n_list.next;
 
 	next = list_entry(p, struct btrfs_delayed_node, n_list);
-	atomic_inc(&next->refs);
+	refcount_inc(&next->refs);
 out:
 	spin_unlock(&delayed_root->lock);
 
@@ -253,11 +253,11 @@ static void __btrfs_release_delayed_node(
 		btrfs_dequeue_delayed_node(delayed_root, delayed_node);
 	mutex_unlock(&delayed_node->mutex);
 
-	if (atomic_dec_and_test(&delayed_node->refs)) {
+	if (refcount_dec_and_test(&delayed_node->refs)) {
 		bool free = false;
 		struct btrfs_root *root = delayed_node->root;
 		spin_lock(&root->inode_lock);
-		if (atomic_read(&delayed_node->refs) == 0) {
+		if (refcount_read(&delayed_node->refs) == 0) {
 			radix_tree_delete(&root->delayed_nodes_tree,
 					  delayed_node->inode_id);
 			free = true;
@@ -286,7 +286,7 @@ static struct btrfs_delayed_node *btrfs_first_prepared_delayed_node(
 	p = delayed_root->prepare_list.next;
 	list_del_init(p);
 	node = list_entry(p, struct btrfs_delayed_node, p_list);
-	atomic_inc(&node->refs);
+	refcount_inc(&node->refs);
 out:
 	spin_unlock(&delayed_root->lock);
 
@@ -1621,7 +1621,7 @@ bool btrfs_readdir_get_delayed_items(struct inode *inode,
 	 * insert/delete delayed items in this period. So we also needn't
 	 * requeue or dequeue this delayed node.
 	 */
-	atomic_dec(&delayed_node->refs);
+	refcount_dec(&delayed_node->refs);
 
 	return true;
 }
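Review bot: `refcount_dec(&delayed_node->refs)` is not a drop-in replacement for `atomic_dec()` here, because refcount_dec() warns when the decrement reaches zero, since nothing would then free the object. The comment above the call starts outside the hunk, so the guarantee that another reference is still held (presumably the one cached in the inode) cannot be confirmed from these lines. State it next to the call, e.g. `/* the inode's cached reference keeps refs > 0 */`. The same holds for the `refcount_dec()` in btrfs_dequeue_delayed_node.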
@@ -1963,7 +1963,7 @@ void btrfs_kill_all_delayed_nodes(struct btrfs_root *root)
 		inode_id = delayed_nodes[n - 1]->inode_id + 1;
 
 		for (i = 0; i < n; i++)
-			atomic_inc(&delayed_nodes[i]->refs);
+			refcount_inc(&delayed_nodes[i]->refs);
 		spin_unlock(&root->inode_lock);
 
 		for (i = 0; i < n; i++) {
diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
index 40327cc..d234974 100644
--- a/fs/btrfs/delayed-inode.h
+++ b/fs/btrfs/delayed-inode.h
@@ -26,6 +26,7 @@
 #include <linux/list.h>
 #include <linux/wait.h>
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 
 #include "ctree.h"
 
@@ -67,7 +68,7 @@ struct btrfs_delayed_node {
 	struct rb_root del_root;
 	struct mutex mutex;
 	struct btrfs_inode_item inode_item;
-	atomic_t refs;
+	refcount_t refs;
 	u64 index_cnt;
 	unsigned long flags;
 	int count;
-- 
2.7.4

