Fix what looks like an RCU race. Untested since this is only
used by ATM, which I don't have.

[BRIDGE]: Fix fdb RCU race

br_fdb_get uses atomic_inc to increase the refcount of an element found
on an RCU-protected list, which can lead to the following race:

CPU0                                    CPU1

                                        br_fdb_get:   rcu_read_lock
                                        __br_fdb_get: find element
fdb_delete:   hlist_del_rcu
              br_fdb_put
br_fdb_put:   atomic_dec_and_test
              call_rcu(fdb_rcu_free)    br_fdb_get:   atomic_inc
                                                      rcu_read_unlock
fdb_rcu_free: kmem_cache_free

Use atomic_inc_not_zero instead.

Signed-off-by: Patrick McHardy <[EMAIL PROTECTED]>

---
commit 6965873e9db0cb3f9a8412bd541a5309dcfb6eb6
tree 152e90dc86fe96ca7cb8f0e280827920ddb62247
parent 8559840c4ca3f2fff73a882803bc8916078fac1f
author Patrick McHardy <[EMAIL PROTECTED]> Thu, 22 Mar 2007 19:20:08 +0100
committer Patrick McHardy <[EMAIL PROTECTED]> Thu, 22 Mar 2007 19:20:08 +0100

 net/bridge/br_fdb.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index def2e40..8d566c1 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -197,8 +197,8 @@ struct net_bridge_fdb_entry *br_fdb_get(struct net_bridge 
*br,
 
        rcu_read_lock();
        fdb = __br_fdb_get(br, addr);
-       if (fdb)
-               atomic_inc(&fdb->use_count);
+       if (fdb && !atomic_inc_not_zero(&fdb->use_count))
+               fdb = NULL;
        rcu_read_unlock();
        return fdb;
 }
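
Review bot: the new check in br_fdb_get, "if (fdb && !atomic_inc_not_zero(&fdb->use_count))", turns an entry that was found but is already at refcount zero into a NULL return, and nothing in the code says why. A short comment above it, noting that the entry may have been dropped by a concurrent fdb_delete and be waiting for its RCU free, would keep it from being simplified back to atomic_inc later. The old code could already return NULL when __br_fdb_get found nothing, so callers should cope with it, but since the description says the change is untested, it is worth confirming that the ATM caller checks the result before using it.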
