btrfs: convert extent_map.refs from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.com>

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 27fdb250b4467f65a8c6a42d06835f3bb3a36aec..3649932e48d574015da2ce8212a72f3e04cf7269 100644 (file)
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -2859,7 +2859,7 @@ __get_extent_map(struct inode *inode, struct page *page, size_t pg_offset,
                em = *em_cached;
                if (extent_map_in_tree(em) && start >= em->start &&
                    start < extent_map_end(em)) {
-                       atomic_inc(&em->refs);
+                       refcount_inc(&em->refs);
                        return em;
                }
 
@@ -2870,7 +2870,7 @@ __get_extent_map(struct inode *inode, struct page *page, size_t pg_offset,
        em = get_extent(BTRFS_I(inode), page, pg_offset, start, len, 0);
        if (em_cached && !IS_ERR_OR_NULL(em)) {
                BUG_ON(*em_cached);
-               atomic_inc(&em->refs);
+               refcount_inc(&em->refs);
                *em_cached = em;
        }
        return em;

diff --git a/fs/btrfs/extent_map.c b/fs/btrfs/extent_map.c
index 26f9ac719d20b4bff1a6b0a456ca45dd1752b4c7..69850155870c067d82768c67f3895a2e7a7c487d 100644 (file)
--- a/fs/btrfs/extent_map.c
+++ b/fs/btrfs/extent_map.c
@@ -55,7 +55,7 @@ struct extent_map *alloc_extent_map(void)
        em->flags = 0;
        em->compress_type = BTRFS_COMPRESS_NONE;
        em->generation = 0;
-       atomic_set(&em->refs, 1);
+       refcount_set(&em->refs, 1);
        INIT_LIST_HEAD(&em->list);
        return em;
 }
@@ -71,8 +71,8 @@ void free_extent_map(struct extent_map *em)
 {
        if (!em)
                return;
-       WARN_ON(atomic_read(&em->refs) == 0);
-       if (atomic_dec_and_test(&em->refs)) {
+       WARN_ON(refcount_read(&em->refs) == 0);
+       if (refcount_dec_and_test(&em->refs)) {
                WARN_ON(extent_map_in_tree(em));
                WARN_ON(!list_empty(&em->list));
                if (test_bit(EXTENT_FLAG_FS_MAPPING, &em->flags))
@@ -322,7 +322,7 @@ static inline void setup_extent_mapping(struct extent_map_tree *tree,
                                        struct extent_map *em,
                                        int modified)
 {
-       atomic_inc(&em->refs);
+       refcount_inc(&em->refs);
        em->mod_start = em->start;
        em->mod_len = em->len;
 
@@ -381,7 +381,7 @@ __lookup_extent_mapping(struct extent_map_tree *tree,
        if (strict && !(end > em->start && start < extent_map_end(em)))
                return NULL;
 
-       atomic_inc(&em->refs);
+       refcount_inc(&em->refs);
        return em;
 }
 

diff --git a/fs/btrfs/extent_map.h b/fs/btrfs/extent_map.h
index eb8b8fae036bc3c67ceea03220cdca503626546f..a67b2def54131f10326c71092f80f2cd2d706212 100644 (file)
--- a/fs/btrfs/extent_map.h
+++ b/fs/btrfs/extent_map.h
@@ -2,6 +2,7 @@
 #define __EXTENTMAP__
 
 #include <linux/rbtree.h>
+#include <linux/refcount.h>
 
 #define EXTENT_MAP_LAST_BYTE ((u64)-4)
 #define EXTENT_MAP_HOLE ((u64)-3)
@@ -41,7 +42,7 @@ struct extent_map {
                 */
                struct map_lookup *map_lookup;
        };
-       atomic_t refs;
+       refcount_t refs;
        unsigned int compress_type;
        struct list_head list;
 };

diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index a59674c3e69efb76d27d6705b41ca76d94e82e15..ccfe9fe7754a8d4d80fd3e5b1f0a1d2f2118e4e6 100644 (file)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4196,7 +4196,7 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans,
                if (em->generation <= test_gen)
                        continue;
                /* Need a ref to keep it from getting evicted from cache */
-               atomic_inc(&em->refs);
+               refcount_inc(&em->refs);
                set_bit(EXTENT_FLAG_LOGGING, &em->flags);
                list_add_tail(&em->list, &extents);
                num++;

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index 0f670604716757117fa38e6bbf5ecd1f8054bb00..dce59fb59b0c274856719474f52edf3932ce22d6 100644 (file)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -4839,7 +4839,7 @@ static int __btrfs_alloc_chunk(struct btrfs_trans_handle *trans,
        ret = add_extent_mapping(em_tree, em, 0);
        if (!ret) {
                list_add_tail(&em->list, &trans->transaction->pending_chunks);
-               atomic_inc(&em->refs);
+               refcount_inc(&em->refs);
        }
        write_unlock(&em_tree->lock);
        if (ret) {

diff --git a/include/trace/events/btrfs.h b/include/trace/events/btrfs.h
index a3c3cab643a9528dd5f8ad50dfac29b53384f1db..9dd29e806fed73e72308dfe6ec3df379d609ac43 100644 (file)
--- a/include/trace/events/btrfs.h
+++ b/include/trace/events/btrfs.h
@@ -213,7 +213,7 @@ TRACE_EVENT_CONDITION(btrfs_get_extent,
                __entry->block_start    = map->block_start;
                __entry->block_len      = map->block_len;
                __entry->flags          = map->flags;
-               __entry->refs           = atomic_read(&map->refs);
+               __entry->refs           = refcount_read(&map->refs);
                __entry->compress_type  = map->compress_type;
        ),