Hi,

The pattern of wait_event(percpu_ref_is_zero()) may cause percpu_ref_exit()
to be called before ->release() is done, so use-after-free may be caused.
Fix the issue by draining ->release() in percpu_ref_exit().

Ming Lei (3):
  lib/percpu-refcount: support to exit refcount automatically during releasing
  lib/percpu-refcount: apply PERCPU_REF_AUTO_EXIT
  lib/percpu-refcount: drain ->release() in perpcu_ref_exit()

 drivers/infiniband/ulp/rtrs/rtrs-srv.c |  4 +--
 include/linux/percpu-refcount.h        | 36 ++++++++++++++++++++++++--
 lib/percpu-refcount.c                  | 31 +++++++++++++++++++---
 mm/memcontrol.c                        |  5 ++--
 4 files changed, 66 insertions(+), 10 deletions(-)

-- 
2.38.1