【openEuler-1.0-LTS】ext4: convert from atomic_t to refcount_t on ext4_io_end->count

【环境信息】
硬件信息：不涉及
软件信息：openEuler-1.0-LTS、5.10-OLK、openEuler-22.03-LTS
【问题描述】
将atomic_t替换为refcount_t，refcount_t会对值进行检查，更早触发触发UAF告警防止后续出现的underflow问题。
refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

【补丁信息】

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 16e2b719d47c..6efc710b07bf 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -17,6 +17,7 @@
 #ifndef _EXT4_H
 #define _EXT4_H

+#include <linux/refcount.h>
 #include <linux/types.h>
 #include <linux/blkdev.h>
 #include <linux/magic.h>
@@ -231,7 +232,7 @@ typedef struct ext4_io_end {
        struct bio              *bio;           /* Linked list of completed
                                                 * bios covering the extent */
        unsigned int            flag;           /* unwritten or not */
-       atomic_t                count;          /* reference counter */
+       refcount_t              count;          /* reference counter */
        loff_t                  offset;         /* offset in the file */
        ssize_t                 size;           /* size of the extent */
 } ext4_io_end_t;
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index 3de933354a08..98f548da9e01 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -256,14 +256,14 @@ ext4_io_end_t *ext4_init_io_end(struct inode *inode, gfp_t flags)
        if (io) {
                io->inode = inode;
                INIT_LIST_HEAD(&io->list);
-               atomic_set(&io->count, 1);
+               refcount_set(&io_end->count, 1);
        }
        return io;
 }

 void ext4_put_io_end_defer(ext4_io_end_t *io_end)
 {
-       if (atomic_dec_and_test(&io_end->count)) {
+       if (refcount_dec_and_test(&io_end->count)) {
                if (!(io_end->flag & EXT4_IO_END_UNWRITTEN) || !io_end->size) {
                        ext4_release_io_end(io_end);
                        return;
@@ -276,7 +276,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)
 {
        int err = 0;

-       if (atomic_dec_and_test(&io_end->count)) {
+       if (refcount_dec_and_test(&io_end->count)) {
                if (io_end->flag & EXT4_IO_END_UNWRITTEN) {
                        err = ext4_convert_unwritten_extents(io_end->handle,
                                                io_end->inode, io_end->offset,
@@ -291,7 +291,7 @@ int ext4_put_io_end(ext4_io_end_t *io_end)

 ext4_io_end_t *ext4_get_io_end(ext4_io_end_t *io_end)
 {
-       atomic_inc(&io_end->count);
+       refcount_inc(&io_end->count);
        return io_end;
 }

Hi linan888, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: Kernel, and any of the maintainers: @YangYingliang , @pi3orama , @成坚 (CHENG Jian) , @jiaoff , @zhengzengkai , @Qiuuuuu , @刘勇强 , @Xie XiuQi

GVP openEuler / kernel

内容风险标识

评论 (1)

GVPopenEuler / kernel

内容风险标识