diff options
| author |   Wei Wang <weiwan@google.com> | 2017-10-06 12:06:04 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2017-10-07 21:22:58 +0100 |
| commit | a94b9367e044ba672c9f4105eb1516ff6ff4948a (patch) | |
| tree | 927b0d73595dac09a94c51498d391bd222352360 /net/ipv6/ip6_fib.c | |
| parent | ipv6: hook up exception table to store dst cache (diff) | |
| download | linux-dev-a94b9367e044ba672c9f4105eb1516ff6ff4948a.tar.xz linux-dev-a94b9367e044ba672c9f4105eb1516ff6ff4948a.zip | |
ipv6: grab rt->rt6i_ref before allocating pcpu rt
After rwlock is replaced with rcu and spinlock, ip6_pol_route() will be
called with only rcu held. That means rt6 route deletion could happen
simultaneously with rt6_make_pcpu_rt(). This could potentially cause
memory leak if rt6_release() is called right before rt6_make_pcpu_rt()
on the same route.
This patch grabs rt->rt6i_ref safely before calling rt6_make_pcpu_rt()
to make sure rt6_release() will not get triggered while
rt6_make_pcpu_rt() is in progress. And rt6_release() is called after
rt6_make_pcpu_rt() is finished.
Note: As we are incrementing rt->rt6i_ref in ip6_pol_route(), there is a
very slim chance that fib6_purge_rt() will be triggered unnecessarily
when deleting a route if ip6_pol_route() running on another thread picks
this route as well and tries to make pcpu cache for it.
Signed-off-by: Wei Wang <weiwan@google.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/ip6_fib.c')
0 files changed, 0 insertions, 0 deletions