Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5981c245 authored by Elena Reshetova's avatar Elena Reshetova Committed by Nicholas Bellinger
Browse files

target/iblock: convert iblock_req.pending from atomic_t to refcount_t 



refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.

Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
Signed-off-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Signed-off-by: default avatarDavid Windsor <dwindsor@gmail.com>
Signed-off-by: default avatarNicholas Bellinger <nab@linux-iscsi.org>
parent a5d68ba8

drivers/target/target_core_iblock.c

+6 −6
Original line number Diff line number Diff line
@@ -279,7 +279,7 @@ static void iblock_complete_cmd(struct se_cmd *cmd) 
	struct iblock_req *ibr = cmd->priv;

	u8 status;



	if (!atomic_dec_and_test(&ibr->pending))

	if (!refcount_dec_and_test(&ibr->pending))

		return;



	if (atomic_read(&ibr->ib_bio_err_cnt))
@@ -487,7 +487,7 @@ iblock_execute_write_same(struct se_cmd *cmd) 
	bio_list_init(&list);

	bio_list_add(&list, bio);



	atomic_set(&ibr->pending, 1);

	refcount_set(&ibr->pending, 1);



	while (sectors) {

		while (bio_add_page(bio, sg_page(sg), sg->length, sg->offset)
@@ -498,7 +498,7 @@ iblock_execute_write_same(struct se_cmd *cmd) 
			if (!bio)

				goto fail_put_bios;



			atomic_inc(&ibr->pending);

			refcount_inc(&ibr->pending);

			bio_list_add(&list, bio);

		}
@@ -706,7 +706,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, 
	cmd->priv = ibr;



	if (!sgl_nents) {

		atomic_set(&ibr->pending, 1);

		refcount_set(&ibr->pending, 1);

		iblock_complete_cmd(cmd);

		return 0;

	}
@@ -719,7 +719,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, 
	bio_list_init(&list);

	bio_list_add(&list, bio);



	atomic_set(&ibr->pending, 2);

	refcount_set(&ibr->pending, 2);

	bio_cnt = 1;



	for_each_sg(sgl, sg, sgl_nents, i) {
@@ -740,7 +740,7 @@ iblock_execute_rw(struct se_cmd *cmd, struct scatterlist *sgl, u32 sgl_nents, 
			if (!bio)

				goto fail_put_bios;



			atomic_inc(&ibr->pending);

			refcount_inc(&ibr->pending);

			bio_list_add(&list, bio);

			bio_cnt++;

		}

drivers/target/target_core_iblock.h

+2 −1
Original line number Diff line number Diff line
@@ -2,6 +2,7 @@ 
#define TARGET_CORE_IBLOCK_H



#include <linux/atomic.h>

#include <linux/refcount.h>

#include <target/target_core_base.h>



#define IBLOCK_VERSION		"4.0"
@@ -10,7 +11,7 @@ 
#define IBLOCK_LBA_SHIFT	9



struct iblock_req {

	atomic_t pending;

	refcount_t pending;

	atomic_t ib_bio_err_cnt;

} ____cacheline_aligned;