aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-03-22 15:25:20 -0400
committerDavid S. Miller <davem@davemloft.net>2007-03-22 15:25:20 -0400
commitb19cbe2a1695c09c74f83646c4b82b51123b3690 (patch)
tree138761d3360b981292569e318757e53502f8887b
parentec25615b9ddd5c584b4066652840581fdb6c5e7a (diff)
[BRIDGE]: Fix fdb RCU race
br_fdb_get use atomic_inc to increase the refcount of an element found on a RCU protected list, which can lead to the following race: CPU0 CPU1 br_fdb_get: rcu_read_lock __br_fdb_get: find element fdb_delete: hlist_del_rcu br_fdb_put br_fdb_put: atomic_dec_and_test call_rcu(fdb_rcu_free) br_fdb_get: atomic_inc rcu_read_unlock fdb_rcu_free: kmem_cache_free Use atomic_inc_not_zero instead. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/bridge/br_fdb.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index def2e403f932..8d566c13cc73 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge *br,
197 197
198 rcu_read_lock(); 198 rcu_read_lock();
199 fdb = __br_fdb_get(br, addr); 199 fdb = __br_fdb_get(br, addr);
200 if (fdb) 200 if (fdb && !atomic_inc_not_zero(&fdb->use_count))
201 atomic_inc(&fdb->use_count); 201 fdb = NULL;
202 rcu_read_unlock(); 202 rcu_read_unlock();
203 return fdb; 203 return fdb;
204} 204}