On Tue, 3 Jul 2018 22:01:38 +0200 Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> wrote:

> refcount_t type and corresponding API should be used instead of atomic_t when
> the variable is used as a reference counter. This allows to avoid accidental
> refcounter overflows that might lead to use-after-free situations.
>
> ...
>
> --- a/mm/backing-dev.c
> +++ b/mm/backing-dev.c
> @@ -438,10 +438,10 @@ wb_congested_get_create(struct backing_dev_info *bdi, int blkcg_id, gfp_t gfp)
> if (new_congested) {
> /* !found and storage for new one already allocated, insert */
> congested = new_congested;
> - new_congested = NULL;
> rb_link_node(&congested->rb_node, parent, node);
> rb_insert_color(&congested->rb_node, &bdi->cgwb_congested_tree);
> - goto found;
> + spin_unlock_irqrestore(&cgwb_lock, flags);
> + return congested;
> }
>
> spin_unlock_irqrestore(&cgwb_lock, flags);
> @@ -451,13 +451,13 @@ wb_congested_get_create(struct backing_dev_info *bdi, int blkcg_id, gfp_t gfp)
> if (!new_congested)
> return NULL;
>
> - atomic_set(&new_congested->refcnt, 0);
> + refcount_set(&new_congested->refcnt, 1);
> new_congested->__bdi = bdi;
> new_congested->blkcg_id = blkcg_id;
> goto retry;
>
> found:
> - atomic_inc(&congested->refcnt);
> + refcount_inc(&congested->refcnt);
> spin_unlock_irqrestore(&cgwb_lock, flags);
> kfree(new_congested);
> return congested;
>
> ...

I'm not sure that the restructuring of wb_congested_get_create() was
desirable and it does make the patch harder to review.

But it looks OK to me.
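Review bot: in the `@@ -438,10 +438,10 @@` hunk, the new `spin_unlock_irqrestore(&cgwb_lock, flags); return congested;` duplicates the tail of the `found:` label, and the changelog does not say why `goto found` could not stay. The reason is visible in the next hunk: the freshly allocated node is now initialised with one reference via `refcount_set(..., 1)`, so falling through to `refcount_inc()` at `found:` would count it twice, whereas initialising to 0 and letting `refcount_inc()` raise it would trip refcount_t's warning on incrementing a zero count. That reasoning belongs in the commit message so the restructuring reads as a consequence of the refcount_t conversion rather than an unrelated cleanup. Dropping `new_congested = NULL;` is fine on this path, since it no longer reaches `kfree(new_congested)` at `found:`.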
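Review bot: in the `@@ -451,13 +451,13 @@` hunk, the initial value moves from 0 to 1, which silently changes who owns the first reference: the allocating caller now holds it from `refcount_set()` onward instead of acquiring it through `refcount_inc()` at `found:`. With the early return in the previous hunk, `kfree(new_congested)` at `found:` is only reached on the `retry` path where another node was found and the spare allocation was never inserted, which is correct, but the changelog should state that the allocation now starts at 1 for this reason. The matching put path is not part of these hunks, so the reviewer cannot see from this patch alone that the decrement side was adjusted to the same accounting.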