From: Eric Dumazet <eric.duma...@gmail.com>
Date: Thu, 24 Aug 2017 21:12:28 -0700

> From: Eric Dumazet <eduma...@google.com>
>
> syzkaller reported a refcount_t warning [1]
>
> Issue here is that noop_qdisc refcnt was never really considered as
> a true refcount, since qdisc_destroy() found TCQ_F_BUILTIN set :
>
> if (qdisc->flags & TCQ_F_BUILTIN ||
>     !refcount_dec_and_test(&qdisc->refcnt))
>         return;
>
> Meaning that all atomic_inc() we did on noop_qdisc.refcnt were not
> really needed, but harmless until refcount_t came.
>
> To fix this problem, we simply need to not increment noop_qdisc.refcnt,
> since we never decrement it.
>
> [1]
> refcount_t: increment on 0; use-after-free.
...
> Fixes: 7b9364050246 ("net, sched: convert Qdisc.refcnt from atomic_t to
> refcount_t")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
> Cc: Reshetova, Elena <elena.reshet...@intel.com>

Applied.
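
The situation described in the quoted commit message, as an added userspace C model (not kernel code and not part of the patch): a destroy path that skips the counter for built-in objects, paired first with an unconditional get and then with a get that also skips built-ins. `struct obj`, `F_BUILTIN`, `checked_inc()` and the other helper names are hypothetical, and the built-in object's counter starting at 0 is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

#define F_BUILTIN 0x1u  /* hypothetical stand-in for TCQ_F_BUILTIN */

struct obj { unsigned int flags; unsigned int refcnt; bool destroyed; };

static int warnings;    /* number of "increment on 0" reports */

/* Checked increment in the spirit of refcount_t: going from 0 to 1 is
 * reported and refused, since it would revive a released object. */
static void checked_inc(unsigned int *r)
{
    if (*r == 0) {
        warnings++;
        fprintf(stderr, "refcount: increment on 0; use-after-free.\n");
        return;
    }
    (*r)++;
}

/* Destroy path shaped like the quoted check: a built-in object returns
 * before its counter is ever decremented. */
static void obj_destroy(struct obj *o)
{
    if ((o->flags & F_BUILTIN) || --o->refcnt != 0)
        return;
    o->destroyed = true;
}

/* Before: every holder increments, built-in or not. */
static void get_unconditional(struct obj *o) { checked_inc(&o->refcnt); }

/* After: mirror the destroy path and never count built-ins. */
static void get_skip_builtin(struct obj *o)
{
    if (!(o->flags & F_BUILTIN))
        checked_inc(&o->refcnt);
}

/* Take and drop n references; return how many warnings were raised. */
static int run(void (*get)(struct obj *), unsigned int flags,
               unsigned int start, int n)
{
    struct obj o = { .flags = flags, .refcnt = start, .destroyed = false };
    warnings = 0;
    for (int i = 0; i < n; i++) { get(&o); obj_destroy(&o); }
    return warnings;
}

int main(void)
{
    printf("before: %d warnings\n", run(get_unconditional, F_BUILTIN, 0, 3));
    printf("after:  %d warnings\n", run(get_skip_builtin, F_BUILTIN, 0, 3));
    return 0;
}
```

With a plain unchecked counter the unconditional get would only make the built-in object's count grow unnoticed, which is the "harmless until refcount_t came" case.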