From: Patrick McHardy Date: Thu, 22 Mar 2007 19:25:20 +0000 (-0700) Subject: [BRIDGE]: Fix fdb RCU race X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=b19cbe2a1695c09c74f83646c4b82b51123b3690;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git [BRIDGE]: Fix fdb RCU race br_fdb_get use atomic_inc to increase the refcount of an element found on a RCU protected list, which can lead to the following race: CPU0 CPU1 br_fdb_get: rcu_read_lock __br_fdb_get: find element fdb_delete: hlist_del_rcu br_fdb_put br_fdb_put: atomic_dec_and_test call_rcu(fdb_rcu_free) br_fdb_get: atomic_inc rcu_read_unlock fdb_rcu_free: kmem_cache_free Use atomic_inc_not_zero instead. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index def2e403f932..8d566c13cc73 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c @@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge *br, rcu_read_lock(); fdb = __br_fdb_get(br, addr); - if (fdb) - atomic_inc(&fdb->use_count); + if (fdb && !atomic_inc_not_zero(&fdb->use_count)) + fdb = NULL; rcu_read_unlock(); return fdb; }