[BRIDGE]: Fix fdb RCU race
authorPatrick McHardy <kaber@trash.net>
Thu, 22 Mar 2007 19:25:20 +0000 (12:25 -0700)
committerDavid S. Miller <davem@davemloft.net>
Thu, 22 Mar 2007 19:25:20 +0000 (12:25 -0700)
br_fdb_get use atomic_inc to increase the refcount of an element found
on a RCU protected list, which can lead to the following race:

CPU0 CPU1

br_fdb_get:   rcu_read_lock
__br_fdb_get: find element
fdb_delete:   hlist_del_rcu
      br_fdb_put
br_fdb_put:   atomic_dec_and_test
      call_rcu(fdb_rcu_free) br_fdb_get:   atomic_inc
      rcu_read_unlock
fdb_rcu_free: kmem_cache_free

Use atomic_inc_not_zero instead.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/bridge/br_fdb.c

index def2e403f932e25342c556040f129bba9b6830a1..8d566c13cc73e42a41933005ecf8da07f56b49f9 100644 (file)
@@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge *br,
 
        rcu_read_lock();
        fdb = __br_fdb_get(br, addr);
-       if (fdb)
-               atomic_inc(&fdb->use_count);
+       if (fdb && !atomic_inc_not_zero(&fdb->use_count))
+               fdb = NULL;
        rcu_read_unlock();
        return fdb;
 }