ceph: convert ceph_cap_snap.nref from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 68c78be19d5b..60185434162a 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1389,7 +1389,7 @@ static void __ceph_flush_snaps(struct ceph_inode_info *ci,
                 first_tid = cf->tid + 1;
 
                 capsnap = container_of(cf, struct ceph_cap_snap, cap_flush);
-                atomic_inc(&capsnap->nref);
+                refcount_inc(&capsnap->nref);
                 spin_unlock(&ci->i_ceph_lock);
 
                 dout("__flush_snaps %p capsnap %p tid %llu %s\n",
@@ -2202,7 +2202,7 @@ static void __kick_flushing_caps(struct ceph_mds_client *mdsc,
                              inode, capsnap, cf->tid,
                              ceph_cap_string(capsnap->dirty));
 
-                        atomic_inc(&capsnap->nref);
+                        refcount_inc(&capsnap->nref);
                         spin_unlock(&ci->i_ceph_lock);
 
                         ret = __send_flush_snap(inode, session, capsnap, cap->mseq,