From: Herbert Xu Date: Sat, 16 Apr 2005 22:24:10 +0000 (-0700) Subject: [PATCH] Fix dst_destroy() race X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6775cab98b89b2caa10dce4b07e2c81999e45517;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git [PATCH] Fix dst_destroy() race When we are not the real parent of the dst (e.g., when we're xfrm_dst and the child is an rtentry), it may already be on the GC list. In fact the current code is buggy to, we need to check dst->flags before the dec as dst may no longer be valid afterwards. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/net/core/dst.c b/net/core/dst.c index 3bf6cc43481..fc434ade527 100644 --- a/net/core/dst.c +++ b/net/core/dst.c @@ -198,13 +198,15 @@ again: dst = child; if (dst) { + int nohash = dst->flags & DST_NOHASH; + if (atomic_dec_and_test(&dst->__refcnt)) { /* We were real parent of this dst, so kill child. */ - if (dst->flags&DST_NOHASH) + if (nohash) goto again; } else { /* Child is still referenced, return it for freeing. */ - if (dst->flags&DST_NOHASH) + if (nohash) return dst; /* Child is still in his hash table */ }