mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-15 06:55:13 +08:00
[BRIDGE]: Fix fdb RCU race
br_fdb_get use atomic_inc to increase the refcount of an element found on a RCU protected list, which can lead to the following race: CPU0 CPU1 br_fdb_get: rcu_read_lock __br_fdb_get: find element fdb_delete: hlist_del_rcu br_fdb_put br_fdb_put: atomic_dec_and_test call_rcu(fdb_rcu_free) br_fdb_get: atomic_inc rcu_read_unlock fdb_rcu_free: kmem_cache_free Use atomic_inc_not_zero instead. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
ec25615b9d
commit
b19cbe2a16
@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge *br,
|
||||
|
||||
rcu_read_lock();
|
||||
fdb = __br_fdb_get(br, addr);
|
||||
if (fdb)
|
||||
atomic_inc(&fdb->use_count);
|
||||
if (fdb && !atomic_inc_not_zero(&fdb->use_count))
|
||||
fdb = NULL;
|
||||
rcu_read_unlock();
|
||||
return fdb;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user