Skip to content

Commit

Permalink
[BRIDGE]: Fix fdb RCU race
Browse files Browse the repository at this point in the history 
br_fdb_get use atomic_inc to increase the refcount of an element found
on a RCU protected list, which can lead to the following race:

CPU0					CPU1

					br_fdb_get:   rcu_read_lock
					__br_fdb_get: find element
fdb_delete:   hlist_del_rcu
	      br_fdb_put
br_fdb_put:   atomic_dec_and_test
	      call_rcu(fdb_rcu_free)	br_fdb_get:   atomic_inc
						      rcu_read_unlock
fdb_rcu_free: kmem_cache_free

Use atomic_inc_not_zero instead.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
  • Loading branch information
Patrick McHardy authored and David S. Miller committed Mar 22, 2007
1 parent ec25615 commit b19cbe2
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions net/bridge/br_fdb.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge *br,

rcu_read_lock();
fdb = __br_fdb_get(br, addr);
if (fdb)
atomic_inc(&fdb->use_count);
if (fdb && !atomic_inc_not_zero(&fdb->use_count))
fdb = NULL;
rcu_read_unlock();
return fdb;
}
Expand Down

0 comments on commit b19cbe2

Please sign in to comment.