From 86884ed574df1d073a7620ce18e62e7dbfff7476 Mon Sep 17 00:00:00 2001
From: Samy Al Bahra
Date: Sun, 10 Mar 2013 21:37:49 -0400
Subject: [PATCH] ck_fifo_mpmc: Fix NULL deference when re-using nodes.

If a FIFO entry is being re-used, it is possible for NULL assignment to be triggered due to race with enqueue.
---
 include/ck_fifo.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/include/ck_fifo.h b/include/ck_fifo.h
index a787ded..5805c49 100644
--- a/include/ck_fifo.h
+++ b/include/ck_fifo.h
@@ -361,6 +361,14 @@ ck_fifo_mpmc_dequeue(struct ck_fifo_mpmc *fifo,
 update.generation = tail.generation + 1;
 ck_pr_cas_ptr_2(&fifo->tail, &tail, &update);
 } else {
+ /*
+ * It is possible for head snapshot to have been
+ * re-used. Avoid deferencing during enqueue
+ * re-use.
+ */
+ if (next.pointer == NULL)
+ continue;
+
 /* Save value before commit. */
 *(void **)value = ck_pr_load_ptr(&next.pointer->value);

@@ -408,6 +416,13 @@ ck_fifo_mpmc_trydequeue(struct ck_fifo_mpmc *fifo,
 ck_pr_cas_ptr_2(&fifo->tail, &tail, &update);
 return false;
 } else {
+ /*
+ * It is possible for head snapshot to have been
+ * re-used. Avoid deferencing during enqueue.
+ */
+ if (next.pointer == NULL)
+ return false;
+
 /* Save value before commit. */
 *(void **)value = ck_pr_load_ptr(&next.pointer->value);
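Review bot: The added `if (next.pointer == NULL) continue;` in ck_fifo_mpmc_dequeue only covers a recycled head node that has not been re-linked yet; if a concurrent enqueue has already stored a new `next` into the re-used node, `next.pointer` is non-NULL but stale, and the `ck_pr_load_ptr(&next.pointer->value)` two lines below still reads through it before the head CAS (presumably generation-checked, outside the hunk) can reject the snapshot, which is only safe while entries handed back through `garbage` are not returned to the allocator. The new comment should state that assumption and fix its typo, e.g. `/* A re-used node may also carry a stale non-NULL next; reading through it is only safe because entries are never freed to the allocator. Avoid dereferencing NULL here. */`, with "deferencing" corrected to "dereferencing" in both hunks. The same point applies to the second hunk in ck_fifo_mpmc_trydequeue, where the NULL case returns false, which a caller may read as "queue empty" rather than transient contention; a one-line comment such as `/* Treated as contention, not as an empty queue. */` above that `return false;` would make the contract explicit. Both enclosing functions start and end outside their hunks.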