| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOQ4uxjoyv1x9Wk0a9-3GyErDVFL_1ZyzcEn7B14VzD4ke0mAw@mail.gmail.com>
Date: Fri, 22 Aug 2025 14:10:05 +0200
From: Amir Goldstein <amir73il@...il.com>
To: Josef Bacik <josef@...icpanda.com>
Cc: linux-fsdevel@...r.kernel.org, linux-btrfs@...r.kernel.org,
kernel-team@...com, linux-ext4@...r.kernel.org, linux-xfs@...r.kernel.org,
brauner@...nel.org, viro@...iv.linux.org.uk
Subject: Re: [PATCH 20/50] fs: convert i_count to refcount_t
On Fri, Aug 22, 2025 at 12:54 AM Josef Bacik <josef@...icpanda.com> wrote:
>
> Now that we do not allow i_count to drop to 0 and be used we can convert
> it to a refcount_t and benefit from the protections those helpers add.
>
> Signed-off-by: Josef Bacik <josef@...icpanda.com>
> ---
> arch/powerpc/platforms/cell/spufs/file.c | 2 +-
> fs/btrfs/inode.c | 4 ++--
> fs/ceph/mds_client.c | 2 +-
> fs/ext4/ialloc.c | 4 ++--
> fs/fs-writeback.c | 2 +-
> fs/hpfs/inode.c | 2 +-
> fs/inode.c | 11 ++++++-----
> fs/nfs/inode.c | 4 ++--
> fs/notify/fsnotify.c | 2 +-
> fs/ubifs/super.c | 2 +-
> fs/xfs/xfs_inode.c | 2 +-
> fs/xfs/xfs_trace.h | 2 +-
> include/linux/fs.h | 4 ++--
> include/trace/events/filelock.h | 2 +-
> security/landlock/fs.c | 2 +-
> 15 files changed, 24 insertions(+), 23 deletions(-)
>
You missed a spot in fs/smb/client/inode.c
that is using inode->i_count.counter directly.
Thanks,
Amir.
> diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
> index d5a2c77bc908..3f768b003838 100644
> --- a/arch/powerpc/platforms/cell/spufs/file.c
> +++ b/arch/powerpc/platforms/cell/spufs/file.c
> @@ -1430,7 +1430,7 @@ static int spufs_mfc_open(struct inode *inode, struct file *file)
> if (ctx->owner != current->mm)
> return -EINVAL;
>
> - if (atomic_read(&inode->i_count) != 1)
> + if (refcount_read(&inode->i_count) != 1)
> return -EBUSY;
>
> mutex_lock(&ctx->mapping_lock);
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index bbbcd96e8f5c..e85e38df3ea0 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -3418,7 +3418,7 @@ void btrfs_add_delayed_iput(struct btrfs_inode *inode)
> struct btrfs_fs_info *fs_info = inode->root->fs_info;
> unsigned long flags;
>
> - if (atomic_add_unless(&inode->vfs_inode.i_count, -1, 1)) {
> + if (refcount_dec_not_one(&inode->vfs_inode.i_count)) {
> iobj_put(&inode->vfs_inode);
> return;
> }
> @@ -4559,7 +4559,7 @@ static void btrfs_prune_dentries(struct btrfs_root *root)
>
> inode = btrfs_find_first_inode(root, min_ino);
> while (inode) {
> - if (atomic_read(&inode->vfs_inode.i_count) > 1)
> + if (refcount_read(&inode->vfs_inode.i_count) > 1)
> d_prune_aliases(&inode->vfs_inode);
>
> min_ino = btrfs_ino(inode) + 1;
> diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
> index 0f497c39ff82..ff666d18f6ad 100644
> --- a/fs/ceph/mds_client.c
> +++ b/fs/ceph/mds_client.c
> @@ -2221,7 +2221,7 @@ static int trim_caps_cb(struct inode *inode, int mds, void *arg)
> int count;
> dput(dentry);
> d_prune_aliases(inode);
> - count = atomic_read(&inode->i_count);
> + count = refcount_read(&inode->i_count);
> if (count == 1)
> (*remaining)--;
> doutc(cl, "%p %llx.%llx cap %p pruned, count now %d\n",
> diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
> index df4051613b29..9a3c7f22a57e 100644
> --- a/fs/ext4/ialloc.c
> +++ b/fs/ext4/ialloc.c
> @@ -252,10 +252,10 @@ void ext4_free_inode(handle_t *handle, struct inode *inode)
> "nonexistent device\n", __func__, __LINE__);
> return;
> }
> - if (atomic_read(&inode->i_count) > 1) {
> + if (refcount_read(&inode->i_count) > 1) {
> ext4_msg(sb, KERN_ERR, "%s:%d: inode #%lu: count=%d",
> __func__, __LINE__, inode->i_ino,
> - atomic_read(&inode->i_count));
> + refcount_read(&inode->i_count));
> return;
> }
> if (inode->i_nlink) {
> diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
> index 111a9d8215bf..789c4228412c 100644
> --- a/fs/fs-writeback.c
> +++ b/fs/fs-writeback.c
> @@ -1796,7 +1796,7 @@ static int writeback_single_inode(struct inode *inode,
> int ret = 0;
>
> spin_lock(&inode->i_lock);
> - if (!atomic_read(&inode->i_count))
> + if (!refcount_read(&inode->i_count))
> WARN_ON(!(inode->i_state & (I_WILL_FREE|I_FREEING)));
> else
> WARN_ON(inode->i_state & I_WILL_FREE);
> diff --git a/fs/hpfs/inode.c b/fs/hpfs/inode.c
> index a59e8fa630db..ee23a941d8f5 100644
> --- a/fs/hpfs/inode.c
> +++ b/fs/hpfs/inode.c
> @@ -184,7 +184,7 @@ void hpfs_write_inode(struct inode *i)
> struct hpfs_inode_info *hpfs_inode = hpfs_i(i);
> struct inode *parent;
> if (i->i_ino == hpfs_sb(i->i_sb)->sb_root) return;
> - if (hpfs_inode->i_rddir_off && !atomic_read(&i->i_count)) {
> + if (hpfs_inode->i_rddir_off && !refcount_read(&i->i_count)) {
> if (*hpfs_inode->i_rddir_off)
> pr_err("write_inode: some position still there\n");
> kfree(hpfs_inode->i_rddir_off);
> diff --git a/fs/inode.c b/fs/inode.c
> index 07c8edb4b58a..28d197731914 100644
> --- a/fs/inode.c
> +++ b/fs/inode.c
> @@ -236,7 +236,7 @@ int inode_init_always_gfp(struct super_block *sb, struct inode *inode, gfp_t gfp
> inode->i_state = 0;
> atomic64_set(&inode->i_sequence, 0);
> refcount_set(&inode->i_obj_count, 1);
> - atomic_set(&inode->i_count, 1);
> + refcount_set(&inode->i_count, 1);
> inode->i_op = &empty_iops;
> inode->i_fop = &no_open_fops;
> inode->i_ino = 0;
> @@ -561,7 +561,8 @@ static void init_once(void *foo)
> void ihold(struct inode *inode)
> {
> iobj_get(inode);
> - WARN_ON(atomic_inc_return(&inode->i_count) < 2);
> + refcount_inc(&inode->i_count);
> + WARN_ON(refcount_read(&inode->i_count) < 2);
> }
> EXPORT_SYMBOL(ihold);
>
> @@ -614,7 +615,7 @@ static void __inode_add_lru(struct inode *inode, bool rotate)
>
> if (inode->i_state & (I_FREEING | I_WILL_FREE))
> return;
> - if (atomic_read(&inode->i_count) != 1)
> + if (refcount_read(&inode->i_count) != 1)
> return;
> if (inode->__i_nlink == 0)
> return;
> @@ -2019,7 +2020,7 @@ static void __iput(struct inode *inode, bool skip_lru)
> return;
> BUG_ON(inode->i_state & I_CLEAR);
>
> - if (atomic_add_unless(&inode->i_count, -1, 1)) {
> + if (refcount_dec_not_one(&inode->i_count)) {
> iobj_put(inode);
> return;
> }
> @@ -2039,7 +2040,7 @@ static void __iput(struct inode *inode, bool skip_lru)
> */
> drop = maybe_add_lru(inode, skip_lru);
>
> - if (atomic_dec_and_test(&inode->i_count))
> + if (refcount_dec_and_test(&inode->i_count))
> iput_final(inode, drop);
> else
> spin_unlock(&inode->i_lock);
> diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
> index 338ef77ae423..9cc84f0afa9a 100644
> --- a/fs/nfs/inode.c
> +++ b/fs/nfs/inode.c
> @@ -608,7 +608,7 @@ nfs_fhget(struct super_block *sb, struct nfs_fh *fh, struct nfs_fattr *fattr)
> inode->i_sb->s_id,
> (unsigned long long)NFS_FILEID(inode),
> nfs_display_fhandle_hash(fh),
> - atomic_read(&inode->i_count));
> + refcount_read(&inode->i_count));
>
> out:
> return inode;
> @@ -2229,7 +2229,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
> dfprintk(VFS, "NFS: %s(%s/%lu fh_crc=0x%08x ct=%d info=0x%llx)\n",
> __func__, inode->i_sb->s_id, inode->i_ino,
> nfs_display_fhandle_hash(NFS_FH(inode)),
> - atomic_read(&inode->i_count), fattr->valid);
> + refcount_read(&inode->i_count), fattr->valid);
>
> if (!(fattr->valid & NFS_ATTR_FATTR_FILEID)) {
> /* Only a mounted-on-fileid? Just exit */
> diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c
> index 079b868552c2..0883696f873d 100644
> --- a/fs/notify/fsnotify.c
> +++ b/fs/notify/fsnotify.c
> @@ -66,7 +66,7 @@ static void fsnotify_unmount_inodes(struct super_block *sb)
> * removed all zero refcount inodes, in any case. Test to
> * be sure.
> */
> - if (!atomic_read(&inode->i_count)) {
> + if (!refcount_read(&inode->i_count)) {
> spin_unlock(&inode->i_lock);
> continue;
> }
> diff --git a/fs/ubifs/super.c b/fs/ubifs/super.c
> index f3e3b2068608..79526f71fa8a 100644
> --- a/fs/ubifs/super.c
> +++ b/fs/ubifs/super.c
> @@ -358,7 +358,7 @@ static void ubifs_evict_inode(struct inode *inode)
> goto out;
>
> dbg_gen("inode %lu, mode %#x", inode->i_ino, (int)inode->i_mode);
> - ubifs_assert(c, !atomic_read(&inode->i_count));
> + ubifs_assert(c, !refcount_read(&inode->i_count));
>
> truncate_inode_pages_final(&inode->i_data);
>
> diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c
> index 9c39251961a3..06af749fe5f3 100644
> --- a/fs/xfs/xfs_inode.c
> +++ b/fs/xfs/xfs_inode.c
> @@ -1035,7 +1035,7 @@ xfs_itruncate_extents_flags(
> int error = 0;
>
> xfs_assert_ilocked(ip, XFS_ILOCK_EXCL);
> - if (atomic_read(&VFS_I(ip)->i_count))
> + if (refcount_read(&VFS_I(ip)->i_count))
> xfs_assert_ilocked(ip, XFS_IOLOCK_EXCL);
> ASSERT(new_size <= XFS_ISIZE(ip));
> ASSERT(tp->t_flags & XFS_TRANS_PERM_LOG_RES);
> diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
> index ac344e42846c..167d33b8095c 100644
> --- a/fs/xfs/xfs_trace.h
> +++ b/fs/xfs/xfs_trace.h
> @@ -1152,7 +1152,7 @@ DECLARE_EVENT_CLASS(xfs_iref_class,
> TP_fast_assign(
> __entry->dev = VFS_I(ip)->i_sb->s_dev;
> __entry->ino = ip->i_ino;
> - __entry->count = atomic_read(&VFS_I(ip)->i_count);
> + __entry->count = refcount_read(&VFS_I(ip)->i_count);
> __entry->pincount = atomic_read(&ip->i_pincount);
> __entry->iflags = ip->i_flags;
> __entry->caller_ip = caller_ip;
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 8384ed81a5ad..34fb40ba8a94 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -880,7 +880,7 @@ struct inode {
> };
> atomic64_t i_version;
> atomic64_t i_sequence; /* see futex */
> - atomic_t i_count;
> + refcount_t i_count;
> atomic_t i_dio_count;
> atomic_t i_writecount;
> #if defined(CONFIG_IMA) || defined(CONFIG_FILE_LOCKING)
> @@ -3399,7 +3399,7 @@ static inline void iobj_get(struct inode *inode)
> static inline void __iget(struct inode *inode)
> {
> iobj_get(inode);
> - atomic_inc(&inode->i_count);
> + refcount_inc(&inode->i_count);
> }
>
> extern void iget_failed(struct inode *);
> diff --git a/include/trace/events/filelock.h b/include/trace/events/filelock.h
> index b8d1e00a7982..e745436cfcd2 100644
> --- a/include/trace/events/filelock.h
> +++ b/include/trace/events/filelock.h
> @@ -189,7 +189,7 @@ TRACE_EVENT(generic_add_lease,
> __entry->i_ino = inode->i_ino;
> __entry->wcount = atomic_read(&inode->i_writecount);
> __entry->rcount = atomic_read(&inode->i_readcount);
> - __entry->icount = atomic_read(&inode->i_count);
> + __entry->icount = refcount_read(&inode->i_count);
> __entry->owner = fl->c.flc_owner;
> __entry->flags = fl->c.flc_flags;
> __entry->type = fl->c.flc_type;
> diff --git a/security/landlock/fs.c b/security/landlock/fs.c
> index c04f8879ad03..570f851dc469 100644
> --- a/security/landlock/fs.c
> +++ b/security/landlock/fs.c
> @@ -1281,7 +1281,7 @@ static void hook_sb_delete(struct super_block *const sb)
> struct landlock_object *object;
>
> /* Only handles referenced inodes. */
> - if (!atomic_read(&inode->i_count))
> + if (!refcount_read(&inode->i_count))
> continue;
>
> /*
> --
> 2.49.0
>
>
Powered by blists - more mailing lists