ChangeSet 1.2199.14.41, 2005/03/25 09:25:23-08:00, [EMAIL PROTECTED]

[XFRM]: xfrm_policy destructor fix

The patch below fixes a bug that I encountered while running a PREEMPT_RT kernel, but I believe it should be fixed in the generic kernel too.

xfrm_policy_kill() queues a destroyed policy structure to the GC list, and unlocks the policy->lock spinlock _after_ that point. This created a scenario where GC processing got to the new structure first, and kfree()d it - then the write_unlock_bh() was done on the already kfreed structure.

There is no guarantee that GC processing will be done after policy->lock has been dropped and softirq processing has been enabled.

Signed-off-by: Ingo Molnar <[EMAIL PROTECTED]>
Signed-off-by: David S. Miller <[EMAIL PROTECTED]>
xfrm_policy.c | 16 ++++++++++------
1 files changed, 10 insertions(+), 6 deletions(-)

diff -Nru a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c --- a/net/xfrm/xfrm_policy.c 2005-03-26 17:26:37 -08:00 +++ b/net/xfrm/xfrm_policy.c 2005-03-26 17:26:38 -08:00 @@ -301,18 +301,22 @@ static void xfrm_policy_kill(struct xfrm_policy *policy) { write_lock_bh(&policy->lock); - if (policy->dead) - goto out; - + if (policy->dead) { + write_unlock_bh(&policy->lock); + return; + } policy->dead = 1; spin_lock(&xfrm_policy_gc_lock); list_add(&policy->list, &xfrm_policy_gc_list); + /* + * Unlock the policy (out of order unlocking), to make sure + * the GC context does not free it with an active lock: + */ + write_unlock_bh(&policy->lock); spin_unlock(&xfrm_policy_gc_lock); - schedule_work(&xfrm_policy_gc_work); -out: - write_unlock_bh(&policy->lock); + schedule_work(&xfrm_policy_gc_work); } /* Generate new index... KAME seems to generate them ordered by cost

-
To unsubscribe from this list: send the line "unsubscribe bk-commits-head" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
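Review bot: with the unlock reordered, write_unlock_bh() now re-enables bottom halves while xfrm_policy_gc_lock is still held, so the change is only safe if that lock is never taken from softirq context on the same CPU; that holds here because the GC is driven by schedule_work() (process context), but the new comment could state it, e.g. "GC runs from a workqueue, so enabling BHs with xfrm_policy_gc_lock held is safe". The reordering does close the use-after-free the commit message describes: once list_add() has published the policy, the GC cannot dequeue it until spin_unlock(&xfrm_policy_gc_lock), and policy->lock is released before that point, so the function never touches the structure after the GC can kfree() it. Minor: the early policy->dead path now unlocks inline instead of via the removed out: label, leaving two unlock sites to keep in sync.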