| Message ID | 20201009040356.43802-1-ming.lei@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | percpu_ref: don't refer to ref->data if it isn't allocated | expand |
On Fri, Oct 09, 2020 at 12:03:56PM +0800, Ming Lei wrote: > We can't check ref->data->confirm_switch directly in __percpu_ref_exit(), since > ref->data may not be allocated in one not-initialized refcount. > > Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") > Signed-off-by: Ming Lei <ming.lei@redhat.com> Please don't forget: Reported-by: syzbot+fd15ff734dace9e16437@syzkaller.appspotmail.com
On 10/8/20 10:03 PM, Ming Lei wrote: > We can't check ref->data->confirm_switch directly in __percpu_ref_exit(), since > ref->data may not be allocated in one not-initialized refcount. Added with reported-by.
diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c index b6350d13538a..e59eda07305e 100644 --- a/lib/percpu-refcount.c +++ b/lib/percpu-refcount.c @@ -109,7 +109,7 @@ static void __percpu_ref_exit(struct percpu_ref *ref) if (percpu_count) { /* non-NULL confirm_switch indicates switching in progress */ - WARN_ON_ONCE(ref->data->confirm_switch); + WARN_ON_ONCE(ref->data && ref->data->confirm_switch); free_percpu(percpu_count); ref->percpu_count_ptr = __PERCPU_REF_ATOMIC_DEAD; }
We can't check ref->data->confirm_switch directly in __percpu_ref_exit(), since ref->data may not be allocated in one not-initialized refcount. Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") Signed-off-by: Ming Lei <ming.lei@redhat.com> --- lib/percpu-refcount.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)