fuse: convert fuse_conn.count from atomic_t to refcount_t

refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David Windsor <dwindsor@gmail.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>

2 files changed, 4 insertions, 4 deletions

diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 9d4374032290..6c649f0c58f9 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -449,7 +449,7 @@ struct fuse_conn {
         spinlock_t lock;
 
         /** Refcount */
-        atomic_t count;
+        refcount_t count;
 
         /** Number of fuse_dev's */
         atomic_t dev_count;
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 6fe6a88ecb4a..3961c5f886be 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -608,7 +608,7 @@ void fuse_conn_init(struct fuse_conn *fc)
         memset(fc, 0, sizeof(*fc));
         spin_lock_init(&fc->lock);
         init_rwsem(&fc->killsb);
-        atomic_set(&fc->count, 1);
+        refcount_set(&fc->count, 1);
         atomic_set(&fc->dev_count, 1);
         init_waitqueue_head(&fc->blocked_waitq);
         init_waitqueue_head(&fc->reserved_req_waitq);
@@ -631,7 +631,7 @@ EXPORT_SYMBOL_GPL(fuse_conn_init);
 
 void fuse_conn_put(struct fuse_conn *fc)
 {
-        if (atomic_dec_and_test(&fc->count)) {
+        if (refcount_dec_and_test(&fc->count)) {
                 if (fc->destroy_req)
                         fuse_request_free(fc->destroy_req);
                 fc->release(fc);
@@ -641,7 +641,7 @@ EXPORT_SYMBOL_GPL(fuse_conn_put);
 
 struct fuse_conn *fuse_conn_get(struct fuse_conn *fc)
 {
-        atomic_inc(&fc->count);
+        refcount_inc(&fc->count);
         return fc;
 }
 EXPORT_SYMBOL_GPL(fuse_conn_get);