fib: use atomic_inc_not_zero() in fib_rules_lookup

It seems we dont use appropriate refcount increment in an rcu_read_lock() protected section. fib_rule_get() might increment a null refcount and bad things could happen. While fib_nl_delrule() respects an rcu grace period before calling fib_rule_put(), fib_rules_cleanup_ops() calls fib_rule_put() without a grace period. Note : after this patch, we might avoid the synchronize_rcu() call done in fib_nl_delrule() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <eric.dumazet@gmail.com> 2010-09-27 00:18:27 -0400
committer: David S. Miller <davem@davemloft.net> 2010-09-28 00:30:44 -0400
commit: 7fa7cb7109d07c29ab28bb877bc7049a0150dbe5 (patch)
tree: ba618177a1d57189d5f485a5182a96f4e97b971f
parent: 15fc1f7056ebdc57e23f99077fec89e63e6fa941 (diff)
1 files changed, 5 insertions, 3 deletions
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 42e84e08a1be..d0787284cb07 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -225,9 +225,11 @@ jumped:
                        err = ops->action(rule, fl, flags, arg);
                if (err != -EAGAIN) {
-                        fib_rule_get(rule);
+                        if (likely(atomic_inc_not_zero(&rule->refcnt))) {
-                        arg->rule = rule;
+                                arg->rule = rule;
-                        goto out;
+                                goto out;
+                        }
+                        break;
                }
        }
author	Eric Dumazet <eric.dumazet@gmail.com>	2010-09-27 00:18:27 -0400
committer	David S. Miller <davem@davemloft.net>	2010-09-28 00:30:44 -0400
commit	7fa7cb7109d07c29ab28bb877bc7049a0150dbe5 (patch)
tree	ba618177a1d57189d5f485a5182a96f4e97b971f
parent	15fc1f7056ebdc57e23f99077fec89e63e6fa941 (diff)