On 3/8/21 7:16 AM, Pavel Begunkov wrote:
> From: "Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx>
>
> You can't call idr_remove() from within an idr_for_each() callback,
> but you can call xa_erase() from an xa_for_each() loop, so switch the
> entire personality_idr from the IDR to the XArray. This manifests as a
> use-after-free as idr_for_each() attempts to walk the rest of the node
> after removing the last entry from it.

I applied this one yesterday, just forgot to reply here. I agree with
Matthew's optimization, though I suspect we'll have a few creds at most
and it won't make much of a difference in real life. Buffers would
likely be a lot more plentiful, so it's worth keeping in mind for that
one.

--
Jens Axboe