Hello,

On Wed, Feb 20, 2013 at 07:23:35PM +0200, Andy Shevchenko wrote:
> The guilty commit is cc5b5f6 "events: convert to idr_alloc()" together with
> f49318a "idr: implement lookup hint". In our case the idr_alloc is never
> called, but idr_find is. The hint field is never initialized and therefore
> should not be dereferenced.
>
> Signed-off-by: Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>
> Reported-by: Kirill A. Shutemov <kirill.shutemov@xxxxxxxxxxxxxxx>
> --- > include/linux/idr.h | 2 +- > lib/idr.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/linux/idr.h b/include/linux/idr.h > index aed2a0c..a6f38b5 100644 > --- a/include/linux/idr.h > +++ b/include/linux/idr.h > @@ -113,7 +113,7 @@ static inline void *idr_find(struct idr *idr, int id) > { > struct idr_layer *hint = rcu_dereference_raw(idr->hint); > > - if ((id & ~IDR_MASK) == hint->prefix) > + if (hint && (id & ~IDR_MASK) == hint->prefix) > return rcu_dereference_raw(hint->ary[id & IDR_MASK]);

I was thinking more along the line of creating a shared empty layer w/ bogus prefix and then updating free_layer to fallback to it so that we can avoid the extra if but, yeah, let's do that later. We're already in merge window.

Acked-by: Tejun Heo <tj@xxxxxxxxxx>

Thanks!

--
tejun
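Review bot: In idr_find(), the added "hint &&" test only protects the fast path if idr->hint is guaranteed to be NULL until an allocation sets it, but the commit message says the field is "never initialized", which reads as if it could hold an arbitrary value that a NULL check would not catch. Suggest rewording the message to say the hint is still NULL when idr_alloc is never called, and adding a one-line comment above the check noting that a NULL hint is a valid state, so a later cleanup does not drop the test. The diffstat also lists a change to lib/idr.c that does not appear in the quoted hunk, so that half of the fix cannot be reviewed from this reply.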