btrfs: convert btrfs_delayed_ref_node.refs from atomic_t to refcount_t refcount_t type and corresponding API should be used instead of atomic_t when the variable is used as a reference counter. This allows to avoid accidental refcounter overflows that might lead to use-after-free situations. Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: David Sterba <dsterba@suse.com>

commit: 6df8cdf5bda221f268ac23940bce589ad176993d [log] [tgz]
author: Elena Reshetova <elena.reshetova@intel.com> Fri Mar 03 10:55:15 2017 +0200
committer: David Sterba <dsterba@suse.com> Tue Apr 18 14:07:23 2017 +0200
tree: ecf4b8f44ace50682165d8812ccf75c7d802c87f
parent: 1e4f4714d59e3fdcde29ee12d40d2e96875a026f [diff] [blame]
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index e4aa64c..3748bc54 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c

@@ -4343,7 +4343,7 @@ static int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
 		head = rb_entry(node, struct btrfs_delayed_ref_head,
 				href_node);
 		if (!mutex_trylock(&head->mutex)) {
-			atomic_inc(&head->node.refs);
+			refcount_inc(&head->node.refs);
 			spin_unlock(&delayed_refs->lock);
 
 			mutex_lock(&head->mutex);
commit	6df8cdf5bda221f268ac23940bce589ad176993d	[log] [tgz]
author	Elena Reshetova <elena.reshetova@intel.com>	Fri Mar 03 10:55:15 2017 +0200
committer	David Sterba <dsterba@suse.com>	Tue Apr 18 14:07:23 2017 +0200
tree	ecf4b8f44ace50682165d8812ccf75c7d802c87f
parent	1e4f4714d59e3fdcde29ee12d40d2e96875a026f [diff] [blame]