提交 186debd6 编写于 作者: E Elena Reshetova 提交者: David Sterba

btrfs: convert scrub_block.refs from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: NElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: NHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NDavid Windsor <dwindsor@gmail.com>
Signed-off-by: NDavid Sterba <dsterba@suse.com>
上级 6f615018
...@@ -112,7 +112,7 @@ struct scrub_block { ...@@ -112,7 +112,7 @@ struct scrub_block {
struct scrub_page *pagev[SCRUB_MAX_PAGES_PER_BLOCK]; struct scrub_page *pagev[SCRUB_MAX_PAGES_PER_BLOCK];
int page_count; int page_count;
atomic_t outstanding_pages; atomic_t outstanding_pages;
atomic_t refs; /* free mem on transition to zero */ refcount_t refs; /* free mem on transition to zero */
struct scrub_ctx *sctx; struct scrub_ctx *sctx;
struct scrub_parity *sparity; struct scrub_parity *sparity;
struct { struct {
...@@ -1998,12 +1998,12 @@ static int scrub_checksum_super(struct scrub_block *sblock) ...@@ -1998,12 +1998,12 @@ static int scrub_checksum_super(struct scrub_block *sblock)
static void scrub_block_get(struct scrub_block *sblock) static void scrub_block_get(struct scrub_block *sblock)
{ {
atomic_inc(&sblock->refs); refcount_inc(&sblock->refs);
} }
static void scrub_block_put(struct scrub_block *sblock) static void scrub_block_put(struct scrub_block *sblock)
{ {
if (atomic_dec_and_test(&sblock->refs)) { if (refcount_dec_and_test(&sblock->refs)) {
int i; int i;
if (sblock->sparity) if (sblock->sparity)
...@@ -2255,7 +2255,7 @@ static int scrub_pages(struct scrub_ctx *sctx, u64 logical, u64 len, ...@@ -2255,7 +2255,7 @@ static int scrub_pages(struct scrub_ctx *sctx, u64 logical, u64 len,
/* one ref inside this function, plus one for each page added to /* one ref inside this function, plus one for each page added to
* a bio later on */ * a bio later on */
atomic_set(&sblock->refs, 1); refcount_set(&sblock->refs, 1);
sblock->sctx = sctx; sblock->sctx = sctx;
sblock->no_io_error_seen = 1; sblock->no_io_error_seen = 1;
...@@ -2555,7 +2555,7 @@ static int scrub_pages_for_parity(struct scrub_parity *sparity, ...@@ -2555,7 +2555,7 @@ static int scrub_pages_for_parity(struct scrub_parity *sparity,
/* one ref inside this function, plus one for each page added to /* one ref inside this function, plus one for each page added to
* a bio later on */ * a bio later on */
atomic_set(&sblock->refs, 1); refcount_set(&sblock->refs, 1);
sblock->sctx = sctx; sblock->sctx = sctx;
sblock->no_io_error_seen = 1; sblock->no_io_error_seen = 1;
sblock->sparity = sparity; sblock->sparity = sparity;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册