On 2021/5/18 7:03, Saleem, Shiraz wrote: >> Subject: [PATCH for-next 1/6] RDMA/core: Use refcount_t instead of atomic_t for >> reference counting >> >> The refcount_t API will WARN on underflow and overflow of a reference counter, >> and avoid use-after-free risks. Increase refcount_t from 0 to 1 is regarded as there >> is a risk about use-after-free. So it should be set to 1 directly during initialization. >> >> Signed-off-by: Weihang Li <liweihang@xxxxxxxxxx> >> --- >> drivers/infiniband/core/iwcm.c | 9 ++++----- >> drivers/infiniband/core/iwcm.h | 2 +- >> drivers/infiniband/core/iwpm_util.c | 12 ++++++++---- >> drivers/infiniband/core/iwpm_util.h | 2 +- >> drivers/infiniband/core/mad_priv.h | 2 +- >> drivers/infiniband/core/multicast.c | 30 +++++++++++++++--------------- >> drivers/infiniband/core/uverbs.h | 2 +- >> drivers/infiniband/core/uverbs_main.c | 12 ++++++------ >> 8 files changed, 37 insertions(+), 34 deletions(-) >> > > [...] > >> @@ -589,9 +589,9 @@ static struct mcast_group *acquire_group(struct >> mcast_port *port, >> kfree(group); >> group = cur_group; >> } else >> - atomic_inc(&port->refcount); >> + refcount_inc(&port->refcount); >> found: >> - atomic_inc(&group->refcount); >> + refcount_inc(&group->refcount); > > Seems like there is refcount_inc with refcount = 0 when the group is first created? Yes, one of "refcount_inc(&group->refcount)" led to the issue that Leon had reported. I will fix it, thank you. Weihang > >> spin_unlock_irqrestore(&port->lock, flags); >> return group; >> } > >
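Review bot: At the `found:` label in acquire_group(), `refcount_inc(&group->refcount)` is also reached for a group that was just created, and if that group's counter is still 0 at that point the increment is the 0-to-1 transition the commit message says must be replaced by setting the counter to 1 during initialization. The allocation is not visible in this hunk, so this assumes the new group gets no initial count before `found:`. If that holds, initialize it where the group is set up with refcount_set(&group->refcount, 1) and reach the increment at `found:` only on the path where an existing group was looked up. The same question applies to `refcount_inc(&port->refcount)` in the else branch: confirm port->refcount is already nonzero whenever a new group is inserted, since the port initialization is also outside the visible lines.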