[PATCH 0/3] lib/percpu-refcount: fix use-after-free by late ->release

From: Ming Lei
Date: Tue Dec 13 2022 - 21:52:24 EST

Next message: Ming Lei: "[PATCH 1/3] lib/percpu-refcount: support to exit refcount automatically during releasing"
Previous message: Ming Lei: "[PATCH 2/3] lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT"
Next in thread: Ming Lei: "[PATCH 2/3] lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

The pattern of wait_event(percpu_ref_is_zero()) may cause
percpu_ref_exit() to be called before ->release() is done, so
user-after-free may be caused, fix the issue by draining ->release()
in percpu_ref_exit().

Ming Lei (3):
lib/percpu-refcount: support to exit refcount automatically during
releasing
lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT
lib/percpu-refcount: drain ->release() in perpcu_ref_exit()

drivers/infiniband/ulp/rtrs/rtrs-srv.c | 4 +--
include/linux/percpu-refcount.h | 36 ++++++++++++++++++++++++--
lib/percpu-refcount.c | 31 +++++++++++++++++++---
mm/memcontrol.c | 5 ++--
4 files changed, 66 insertions(+), 10 deletions(-)

--
2.38.1

Next message: Ming Lei: "[PATCH 1/3] lib/percpu-refcount: support to exit refcount automatically during releasing"
Previous message: Ming Lei: "[PATCH 2/3] lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT"
Next in thread: Ming Lei: "[PATCH 2/3] lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]