author: Eric Dumazet <eric.dumazet@gmail.com> 2010-09-27 08:18:27 +0400
committer: David S. Miller <davem@davemloft.net> 2010-09-28 08:30:44 +0400
commit: 7fa7cb7109d07c29ab28bb877bc7049a0150dbe5 (patch)
tree: ba618177a1d57189d5f485a5182a96f4e97b971f /net/core
parent: 15fc1f7056ebdc57e23f99077fec89e63e6fa941 (diff)
download: linux-7fa7cb7109d07c29ab28bb877bc7049a0150dbe5.tar.xz
fib: use atomic_inc_not_zero() in fib_rules_lookup
It seems we don't use appropriate refcount increment in an rcu_read_lock() protected section.

fib_rule_get() might increment a null refcount and bad things could happen.

While fib_nl_delrule() respects an rcu grace period before calling fib_rule_put(), fib_rules_cleanup_ops() calls fib_rule_put() without a grace period.

Note: after this patch, we might avoid the synchronize_rcu() call done in fib_nl_delrule()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
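The race the commit message describes, modelled in userspace as an added example (this is not kernel code and not part of the patch): a rule list walked without a lock, a deleter that drops the list's reference while a reader is still looking at the entry, and the two ways the reader can take its own reference. `struct rule`, `rule_get`, `rule_get_not_zero`, `rule_put` and `rules_lookup` are stand-ins for fib_rule, fib_rule_get(), atomic_inc_not_zero(), fib_rule_put() and fib_rules_lookup(); the "freed" flag stands in for kfree of the rule, and the test scenarios are constructed, not taken from the page.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of a fib_rule: only the refcount and a match key matter here.
 * Constructed for this example; the kernel struct is much larger. */
struct rule {
    atomic_int refcnt;
    int match_key;   /* -1 = wildcard */
    int id;
    bool freed;      /* stands in for kfree(): set when refcnt hits zero */
};

static void rule_init(struct rule *r, int id, int match_key)
{
    atomic_init(&r->refcnt, 1);   /* the reference held by the rule list */
    r->id = id;
    r->match_key = match_key;
    r->freed = false;
}

/* Userspace stand-in for atomic_inc_not_zero(): take a reference only
 * while refcnt > 0, i.e. while nobody has dropped the last one yet. */
static bool rule_get_not_zero(struct rule *r)
{
    int old = atomic_load(&r->refcnt);
    while (old != 0) {
        /* a failed CAS reloads 'old' with the current value and we retry */
        if (atomic_compare_exchange_weak(&r->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

/* The unconditional increment the patch removes (fib_rule_get()). */
static void rule_get(struct rule *r)
{
    atomic_fetch_add(&r->refcnt, 1);
}

/* Drop a reference; the object is "freed" when the count reaches zero. */
static void rule_put(struct rule *r)
{
    if (atomic_fetch_sub(&r->refcnt, 1) == 1)
        r->freed = true;
}

static bool rule_matches(const struct rule *r, int key)
{
    return r->match_key == -1 || r->match_key == key;
}

/* Walk the list the way the patched fib_rules_lookup() does: a rule that
 * does not apply is skipped (the -EAGAIN case); the first rule that does
 * apply is returned if a reference can be taken, otherwise the walk
 * breaks out with no result instead of moving on to the next rule. */
static struct rule *rules_lookup(struct rule **rules, size_t n, int key)
{
    for (size_t i = 0; i < n; i++) {
        if (!rule_matches(rules[i], key))
            continue;
        if (rule_get_not_zero(rules[i]))
            return rules[i];
        break;
    }
    return NULL;
}

/* Scenario 1, the old code: the deleter has already dropped the last
 * reference, but an RCU reader still sees the entry. Returns true if the
 * reader resurrected the dead rule (refcnt 0 -> 1 on freed memory). */
static bool old_get_resurrects_dead_rule(void)
{
    struct rule r;
    rule_init(&r, 1, -1);
    rule_put(&r);               /* deleter: 1 -> 0, rule "freed" */
    rule_get(&r);               /* reader: 0 -> 1, a reference to freed memory */
    return r.freed && atomic_load(&r.refcnt) == 1;
}

/* Scenario 2, the patched lookup: rule 1 matches but is dead, rule 2 matches
 * and is alive. Returns the id of the rule handed back, or 0 for none. */
static int patched_lookup_dead_first_match(void)
{
    struct rule a, b;
    rule_init(&a, 1, 10);
    rule_init(&b, 2, -1);
    struct rule *list[] = { &a, &b };
    rule_put(&a);               /* deleter released rule 1 */
    struct rule *hit = rules_lookup(list, 2, 10);
    return hit ? hit->id : 0;   /* 0: the walk breaks at the dead rule */
}

/* Scenario 3, the patched lookup on a live table: rule 1 does not match key
 * 42, rule 2 does. Returns the id handed back after the caller's put. */
static int patched_lookup_live(void)
{
    struct rule a, b;
    rule_init(&a, 1, 10);
    rule_init(&b, 2, -1);
    struct rule *list[] = { &a, &b };
    struct rule *hit = rules_lookup(list, 2, 42);
    int id = hit ? hit->id : 0;
    if (hit)
        rule_put(hit);          /* caller's reference: 2 -> 1, rule stays alive */
    return id;
}

int main(void)
{
    printf("old get resurrects dead rule: %d\n", old_get_resurrects_dead_rule());
    printf("patched lookup, dead first match: id %d\n", patched_lookup_dead_first_match());
    printf("patched lookup, live table: id %d\n", patched_lookup_live());
    return 0;
}
```

Scenario 1 is the "bad things" the message alludes to: once the count is resurrected from zero, the reader's later put frees the rule a second time. Note what the model does not protect against: atomic_inc_not_zero() only refuses a dead object, it does not keep the memory of `rules[i]` valid while the reader inspects it, so the rule's storage still has to outlive the RCU reader, which is exactly the point the message raises about fib_rules_cleanup_ops().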
Diffstat (limited to 'net/core')
net/core/fib_rules.c | 8
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 42e84e08a1be..d0787284cb07 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -225,9 +225,11 @@ jumped:
err = ops->action(rule, fl, flags, arg);
if (err != -EAGAIN) {
- fib_rule_get(rule);
- arg->rule = rule;
- goto out;
+ if (likely(atomic_inc_not_zero(&rule->refcnt))) {
+ arg->rule = rule;
+ goto out;
+ }
+ break;
}
}
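Review bot: the `break` on a failed `atomic_inc_not_zero(&rule->refcnt)` leaves the loop with `err` still holding the non-EAGAIN value from `ops->action()` but with `arg->rule` never set; the code after the loop is outside this hunk, so please confirm that path cannot dereference `arg->rule` or report a successful lookup with no rule, and state in the commit message why stopping the walk is preferable to `continue` (trying the next rule) when the matching rule is being torn down. A one-line comment above the `if (likely(atomic_inc_not_zero(...)))` saying the rule may be concurrently unlinked and released under RCU would save the next reader from having to dig up this commit. Separately, the inc_not_zero only guards against bumping a zero count; it does not keep the rule's memory valid for the reader, so fib_rules_cleanup_ops() calling fib_rule_put() without a grace period (as the message notes) still needs deferred freeing before the synchronize_rcu() in fib_nl_delrule() can safely be dropped.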