[dm-devel] [PATCH] dm io: Convert from atomic_t to refcount_t on io->count

Xiyu Yang xiyuyang19 at fudan.edu.cn
Mon Jul 19 08:31:02 UTC 2021 

refcount_t type and corresponding API can protect refcounters from
accidental underflow and overflow and further use-after-free situations.

Signed-off-by: Xiyu Yang <xiyuyang19 at fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf at gmail.com>
---
 drivers/md/dm-io.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
index 2d3cda0acacb..f296bba86d14 100644
--- a/drivers/md/dm-io.c
+++ b/drivers/md/dm-io.c
@@ -5,6 +5,7 @@
  * This file is released under the GPL.
  */
 
+#include <linux/refcount.h>
 #include "dm-core.h"
 
 #include <linux/device-mapper.h>
@@ -32,7 +33,7 @@ struct dm_io_client {
  */
 struct io {
 	unsigned long error_bits;
-	atomic_t count;
+	refcount_t count;
 	struct dm_io_client *client;
 	io_notify_fn callback;
 	void *context;
@@ -130,7 +131,7 @@ static void dec_count(struct io *io, unsigned int region, blk_status_t error)
 	if (error)
 		set_bit(region, &io->error_bits);
 
-	if (atomic_dec_and_test(&io->count))
+	if (refcount_dec_and_test(&io->count))
 		complete_io(io);
 }
 
@@ -319,7 +320,7 @@ static void do_region(int op, int op_flags, unsigned region,
 		special_cmd_max_sectors = q->limits.max_write_same_sectors;
 	if ((op == REQ_OP_DISCARD || op == REQ_OP_WRITE_ZEROES ||
 	     op == REQ_OP_WRITE_SAME) && special_cmd_max_sectors == 0) {
-		atomic_inc(&io->count);
+		refcount_inc(&io->count);
 		dec_count(io, region, BLK_STS_NOTSUPP);
 		return;
 	}
@@ -382,7 +383,7 @@ static void do_region(int op, int op_flags, unsigned region,
 			dp->next_page(dp);
 		}
 
-		atomic_inc(&io->count);
+		refcount_inc(&io->count);
 		submit_bio(bio);
 	} while (remaining);
 }
@@ -445,7 +446,7 @@ static int sync_io(struct dm_io_client *client, unsigned int num_regions,
 
 	io = mempool_alloc(&client->pool, GFP_NOIO);
 	io->error_bits = 0;
-	atomic_set(&io->count, 1); /* see dispatch_io() */
+	refcount_set(&io->count, 1); /* see dispatch_io() */
 	io->client = client;
 	io->callback = sync_io_complete;
 	io->context = &sio;
@@ -477,7 +478,7 @@ static int async_io(struct dm_io_client *client, unsigned int num_regions,
 
 	io = mempool_alloc(&client->pool, GFP_NOIO);
 	io->error_bits = 0;
-	atomic_set(&io->count, 1); /* see dispatch_io() */
+	refcount_set(&io->count, 1); /* see dispatch_io() */
 	io->client = client;
 	io->callback = fn;
 	io->context = context;
-- 
2.7.4

More information about the dm-devel mailing list