From: Bodo Stroesser Date: Tue, 29 Apr 2008 10:18:13 +0000 (-0700) Subject: bridge: kernel panic when unloading bridge module X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=d69efb16891ddfa6c0b527f912a7193054d50281;p=GitHub%2FLineageOS%2Fandroid_kernel_samsung_universal7580.git bridge: kernel panic when unloading bridge module There is a race condition when unloading bridge and netfilter. The problem happens if __fake_rtable is in use by a skb coming in, while someone starts to unload bridge.ko. br_netfilter_fini() is called at the beginning of unload in br_deinit() while skbs still are being forwarded and transferred to local ip stack. Thus there is a possibility of the __fake_rtable pointer not being removed in a skb that goes up to ip stack. This results in a kernel panic, as ip_rcv() calls the input-function of __fake_rtable, which is NULL. Moving the call of br_netfilter_fini() to the end of br_deinit() solves the problem. Signed-off-by: Bodo Stroesser Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller --- diff --git a/net/bridge/br.c b/net/bridge/br.c index a9018287312..8f3c58e5f7a 100644 --- a/net/bridge/br.c +++ b/net/bridge/br.c @@ -76,7 +76,6 @@ static void __exit br_deinit(void) rcu_assign_pointer(br_stp_sap->rcv_func, NULL); br_netlink_fini(); - br_netfilter_fini(); unregister_netdevice_notifier(&br_device_notifier); brioctl_set(NULL); @@ -84,6 +83,7 @@ static void __exit br_deinit(void) synchronize_net(); + br_netfilter_fini(); llc_sap_put(br_stp_sap); br_fdb_get_hook = NULL; br_fdb_put_hook = NULL;