From 6775cab98b89b2caa10dce4b07e2c81999e45517 Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Sat, 16 Apr 2005 15:24:10 -0700 Subject: [PATCH] [PATCH] Fix dst_destroy() race When we are not the real parent of the dst (e.g., when we're xfrm_dst and the child is an rtentry), it may already be on the GC list. In fact the current code is buggy too, we need to check dst->flags before the dec as dst may no longer be valid afterwards. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- net/core/dst.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/net/core/dst.c b/net/core/dst.c index 3bf6cc434814..fc434ade5270 100644 --- a/net/core/dst.c +++ b/net/core/dst.c @@ -198,13 +198,15 @@ again: dst = child; if (dst) { + int nohash = dst->flags & DST_NOHASH; + if (atomic_dec_and_test(&dst->__refcnt)) { /* We were real parent of this dst, so kill child. */ - if (dst->flags&DST_NOHASH) + if (nohash) goto again; } else { /* Child is still referenced, return it for freeing. */ - if (dst->flags&DST_NOHASH) + if (nohash) return dst; /* Child is still in his hash table */ }
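
Review bot: The snapshot `int nohash = dst->flags & DST_NOHASH;` at the top of the `if (dst)` block needs a comment saying it must stay ahead of `atomic_dec_and_test(&dst->__refcnt)`, because that ordering is the entire fix and nothing in the code records why. The commit message says dst may no longer be valid once our reference is dropped, so a later cleanup that folds the local back into `dst->flags&DST_NOHASH` would silently reintroduce a read of possibly freed memory. Two follow-ups on the same lines: the comment "We were real parent of this dst, so kill child." is kept unchanged although the commit message describes the case where we are not the real parent, so it should be reworded to say what a zero refcount actually establishes; and the else branch still does `return dst;` after the decrement, so the changelog or a comment should state what keeps that pointer valid for the caller when the child is already on the GC list.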