Hello,

Douglas found and fixed a ref leak bug in percpu_ref_tryget[_live]().
The bug is caused by storing the return value of
atomic_long_inc_not_zero() into an int temp variable before returning
it as a bool.  The interim cast to int loses the upper bits and can
lead to false negatives.  As percpu_ref uses a high bit to mark a
draining counter, this can happen relatively easily.  Fixed by using
bool for the temp variable.

Thanks.

The following changes since commit 1b1bc42c1692e9b62756323c675a44cb1a1f9dbd:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2017-01-27 12:54:16 -0800)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu.git for-4.10-fixes

for you to fetch changes up to 966d2b04e070bc040319aaebfec09e0144dc3341:

  percpu-refcount: fix reference leak during percpu-atomic transition (2017-01-28 07:49:42 -0500)

----------------------------------------------------------------
Douglas Miller (1):
      percpu-refcount: fix reference leak during percpu-atomic transition

 include/linux/percpu-refcount.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/percpu-refcount.h b/include/linux/percpu-refcount.h
index 1c7eec0..3a481a4 100644
--- a/include/linux/percpu-refcount.h
+++ b/include/linux/percpu-refcount.h
@@ -204,7 +204,7 @@ static inline void percpu_ref_get(struct percpu_ref *ref)
 static inline bool percpu_ref_tryget(struct percpu_ref *ref)
 {
        unsigned long __percpu *percpu_count;
-       int ret;
+       bool ret;
 
        rcu_read_lock_sched();
 
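Review bot: The new `bool ret;` declaration in percpu_ref_tryget() has no comment saying why the temporary must not be an int, so a later type cleanup could quietly reintroduce the narrowing the message describes. Consider a one-line comment at the declaration noting that the atomic_long_inc_not_zero() result is wider than int, or normalise the value where it is assigned (for example with `!= 0`) so the function's correctness no longer depends on the temporary's type.
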
@@ -238,7 +238,7 @@ static inline bool percpu_ref_tryget(struct percpu_ref *ref)
 static inline bool percpu_ref_tryget_live(struct percpu_ref *ref)
 {
        unsigned long __percpu *percpu_count;
-       int ret = false;
+       bool ret = false;
 
        rcu_read_lock_sched();
 
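Review bot: The `bool ret = false;` change in percpu_ref_tryget_live() is the same fix as in percpu_ref_tryget(), and the old `int ret = false;` already mixed a boolean initialiser with an integer type, which suggests the pattern was copied between the two helpers. It would help to state in the changelog whether the rest of percpu-refcount.h was checked for other int temporaries holding an atomic_long_*() result, so readers know these two sites are the complete set.
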

-- 
tejun
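
The narrowing described in the message, as an added user-space model; it is not code from the patch or from the kernel. Assumptions: a 64-bit counter whose top bit is the draining marker, and a hypothetical model_inc_not_zero() that returns the old counter value as its long-typed success result.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 64-bit counter, top bit marks the draining state. */
#define MODEL_BIAS (UINT64_C(1) << 63)

/* Hypothetical stand-in for atomic_long_inc_not_zero(): increments unless
 * zero and returns the old value, which is nonzero on success. */
static int64_t model_inc_not_zero(uint64_t *v)
{
    uint64_t old = *v;
    if (old != 0)
        *v = old + 1;
    return (int64_t)old;
}

/* Pre-fix shape: the wide result passes through an int temporary, which
 * keeps only the low 32 bits on the usual compilers. */
static bool tryget_int_tmp(uint64_t *count)
{
    int ret = (int)model_inc_not_zero(count);
    return ret;
}

/* Post-fix shape: conversion to bool maps any nonzero value to true. */
static bool tryget_bool_tmp(uint64_t *count)
{
    bool ret = model_inc_not_zero(count);
    return ret;
}

/* n tryget attempts; the caller puts only when told it holds a reference.
 * Returns how many references remain on the counter above its start. */
static uint64_t leaked_after(bool (*tryget)(uint64_t *), uint64_t start, int n)
{
    uint64_t count = start;
    for (int i = 0; i < n; i++)
        if (tryget(&count))
            count--; /* matching put */
    return count - start;
}

int main(void)
{
    printf("int temporary:  %llu leaked\n",
           (unsigned long long)leaked_after(tryget_int_tmp, MODEL_BIAS, 4));
    printf("bool temporary: %llu leaked\n",
           (unsigned long long)leaked_after(tryget_bool_tmp, MODEL_BIAS, 4));
    return 0;
}
```

The false negative only occurs when the low 32 bits of the counter are zero, which is the state right after the marker bit is the only thing left set; the increment still happens, so the reference is never put.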
