[dm-devel] [PATCH] dm io: Convert from atomic_t to refcount_t on io->count

Tue, 20 Jul 2021 04:51:40 -0700 

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Signed-off-by: Xiyu Yang <[email protected]>
Signed-off-by: Xin Tan <[email protected]>
---
 drivers/md/dm-io.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 2d3cda0acacb..f296bba86d14 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -5,6 +5,7 @@
  * This file is released under the GPL.
  */
 
+#include <linux/refcount.h>
 #include "dm-core.h"
 
 #include <linux/device-mapper.h>
@@ -32,7 +33,7 @@ struct dm_io_client {
  */
 struct io {
        unsigned long error_bits;
-       atomic_t count;
+       refcount_t count;
        struct dm_io_client *client;
        io_notify_fn callback;
        void *context;
@@ -130,7 +131,7 @@ static void dec_count(struct io *io, unsigned int region, 
blk_status_t error)
        if (error)
                set_bit(region, &io->error_bits);
 
-       if (atomic_dec_and_test(&io->count))
+       if (refcount_dec_and_test(&io->count))
                complete_io(io);
 }
 
@@ -319,7 +320,7 @@ static void do_region(int op, int op_flags, unsigned region,
                special_cmd_max_sectors = q->limits.max_write_same_sectors;
        if ((op == REQ_OP_DISCARD || op == REQ_OP_WRITE_ZEROES ||
             op == REQ_OP_WRITE_SAME) && special_cmd_max_sectors == 0) {
-               atomic_inc(&io->count);
+               refcount_inc(&io->count);
                dec_count(io, region, BLK_STS_NOTSUPP);
                return;
        }
@@ -382,7 +383,7 @@ static void do_region(int op, int op_flags, unsigned region,
                        dp->next_page(dp);
                }
 
-               atomic_inc(&io->count);
+               refcount_inc(&io->count);
                submit_bio(bio);
        } while (remaining);
 }
@@ -445,7 +446,7 @@ static int sync_io(struct dm_io_client *client, unsigned 
int num_regions,
 
        io = mempool_alloc(&client->pool, GFP_NOIO);
        io->error_bits = 0;
-       atomic_set(&io->count, 1); /* see dispatch_io() */
+       refcount_set(&io->count, 1); /* see dispatch_io() */
        io->client = client;
        io->callback = sync_io_complete;
        io->context = &sio;
@@ -477,7 +478,7 @@ static int async_io(struct dm_io_client *client, unsigned 
int num_regions,
 
        io = mempool_alloc(&client->pool, GFP_NOIO);
        io->error_bits = 0;
-       atomic_set(&io->count, 1); /* see dispatch_io() */
+       refcount_set(&io->count, 1); /* see dispatch_io() */
        io->client = client;
        io->callback = fn;
        io->context = context;
-- 
2.7.4

--
dm-devel mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/dm-devel

Reply via email to