target/iblock: convert iblock_req.pending from atomic_t to refcount_t

refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
author: Elena Reshetova <elena.reshetova@intel.com> 2017-03-06 09:21:11 -0500
committer: Nicholas Bellinger <nab@linux-iscsi.org> 2017-05-02 01:20:43 -0400
commit: 5981c245a890db6a6e16fb6d3838cc9fc9fdf0ff (patch)
tree: a1aa3f65fa046e1ac40b923e97b8b2f36b347c08
parent: a5d68ba85801a78c892a0eb8efb711e293ed314b (diff)
2 files changed, 8 insertions, 7 deletions
diff --git a/drivers/target/target_core_iblock.c b/drivers/target/target_core_iblock.c
index d316ed537d59..bb069ebe4aa6 100644
--- a/drivers/target/target_core_iblock.c
+++ b/drivers/target/target_core_iblock.c
@@ -279,7 +279,7 @@ static void iblock_complete_cmd(struct se_cmd *cmd)
        struct iblock_req *ibr = cmd->priv;
        u8 status;
-        if (!atomic_dec_and_test(&ibr->pending))
+        if (!refcount_dec_and_test(&ibr->pending))
                return;
        if (atomic_read(&ibr->ib_bio_err_cnt))
@@ -487,7 +487,7 @@ iblock_execute_write_same(struct se_cmd *cmd)
        bio_list_init(&list);
        bio_list_add(&list, bio);
-        atomic_set(&ibr->pending, 1);
+        refcount_set(&ibr->pending, 1);
        while (sectors) {
                while (bio_add_page(bio, sg_page(sg), sg->length, sg->offset)
@@ -498,7 +498,7 @@ iblock_execute_write_same(struct se_cmd *cmd)
                        if (!bio)
                                goto fail_put_bios;
-                        atomic_inc(&ibr->pending);
+                        refcount_inc(&ibr->pending);
                        bio_list_add(&list, bio);
                }
@@ -706,7 +706,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
        cmd->priv = ibr;
        if (!sgl_nents) {
-                atomic_set(&ibr->pending, 1);
+                refcount_set(&ibr->pending, 1);
                iblock_complete_cmd(cmd);
                return 0;
        }
@@ -719,7 +719,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
        bio_list_init(&list);
        bio_list_add(&list, bio);
-        atomic_set(&ibr->pending, 2);
+        refcount_set(&ibr->pending, 2);
        bio_cnt = 1;
        for_each_sg(sgl, sg, sgl_nents, i) {
@@ -740,7 +740,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents,
                        if (!bio)
                                goto fail_put_bios;
-                        atomic_inc(&ibr->pending);
+                        refcount_inc(&ibr->pending);
                        bio_list_add(&list, bio);
                        bio_cnt++;
                }
diff --git a/drivers/target/target_core_iblock.h b/drivers/target/target_core_iblock.h
index 718d3fcd3e7c..f2a5797217d4 100644
--- a/drivers/target/target_core_iblock.h
+++ b/drivers/target/target_core_iblock.h
@@ -2,6 +2,7 @@
 #define TARGET_CORE_IBLOCK_H
 #include <linux/atomic.h>
+#include <linux/refcount.h>
 #include <target/target_core_base.h>
 #define IBLOCK_VERSION          "4.0"
@@ -10,7 +11,7 @@
 #define IBLOCK_LBA_SHIFT        9
 struct iblock_req {
-        atomic_t pending;
+        refcount_t pending;
        atomic_t ib_bio_err_cnt;
 } ____cacheline_aligned;
author	Elena Reshetova <elena.reshetova@intel.com>	2017-03-06 09:21:11 -0500
committer	Nicholas Bellinger <nab@linux-iscsi.org>	2017-05-02 01:20:43 -0400
commit	5981c245a890db6a6e16fb6d3838cc9fc9fdf0ff (patch)
tree	a1aa3f65fa046e1ac40b923e97b8b2f36b347c08
parent	a5d68ba85801a78c892a0eb8efb711e293ed314b (diff)