On Thu, Nov 9, 2017 at 7:51 AM, Girish Moodalbail <girish.moodalb...@oracle.com> wrote:
>
> Upon receiving NETDEV_DOWN event, we are calling
>
> vlan_vid_del(dev, htons(ETH_P_8021Q), 0);
>
> which in turn calls call_rcu() to queue vlan_info_free_rcu() to be called at
> some point. This free function frees the array[]
> (vlan_info.vlan_grp.vn_devices_array). My guess is that
> vlan_info_free_rcu() is being called first and then the array[] is being
> accessed in vlan_device_event().
>
Well yes and no. No, RCU itself is not broken and we clearly unpublish the RCU pointer before calling call_rcu(). Yes, I see where it is broken: the grp pointer still points to old dev->vlan_info, we should re-fetch it after vlan_vid_del(). I will send a fix. Thanks!
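A constructed C model of the stale-pointer pattern the reply describes (added example, not kernel source and not the actual patch): vlan_vid_del() may free the device's vlan_info, so the NETDEV_DOWN handler must re-fetch dev->vlan_info afterwards instead of reusing the grp pointer it took earlier. Struct layouts, make_dev() and the refcount stand-in for vid_info are simplified assumptions.

```c
#include <stdlib.h>

/* Constructed model, not the kernel's 8021q code: one filter refcount per
 * device stands in for the vid_info list, and vlan_info is freed outright
 * where the kernel would unpublish the RCU pointer and queue call_rcu(). */
#define VLAN_N_DEVS 8

struct vlan_group { int nr_vlan_devs; int vn_devices_array[VLAN_N_DEVS]; };
struct vlan_info  { int nr_vids; struct vlan_group grp; };
struct net_device { struct vlan_info *vlan_info; };

/* Drop one filter reference; when the last one goes, the whole vlan_info
 * is unpublished from dev and freed, so any earlier grp pointer dangles. */
static void vlan_vid_del(struct net_device *dev)
{
    struct vlan_info *vi = dev->vlan_info;
    if (!vi || --vi->nr_vids > 0)
        return;
    dev->vlan_info = NULL;   /* unpublish first ... */
    free(vi);                /* ... then free (call_rcu in the kernel) */
}

/* Handler with the re-fetch applied: returns the number of VLAN devices
 * still attached after vlan_vid_del(), or -1 when vlan_info is gone. */
int vlan_device_event_down(struct net_device *dev)
{
    struct vlan_info *vlan_info = dev->vlan_info;
    struct vlan_group *grp;
    int i, n = 0;

    if (!vlan_info)
        return -1;
    grp = &vlan_info->grp;   /* stale if reused after vlan_vid_del() */

    vlan_vid_del(dev);

    vlan_info = dev->vlan_info;   /* re-fetch instead of trusting old grp */
    if (!vlan_info)
        return -1;
    grp = &vlan_info->grp;

    for (i = 0; i < grp->nr_vlan_devs; i++)
        if (grp->vn_devices_array[i])
            n++;
    return n;
}

/* Constructed helper: a device holding `vids` filter refs and `ndevs` VLANs. */
struct net_device *make_dev(int vids, int ndevs)
{
    struct net_device *dev = calloc(1, sizeof(*dev));
    struct vlan_info *vi = calloc(1, sizeof(*vi));
    int i;

    vi->nr_vids = vids;
    vi->grp.nr_vlan_devs = ndevs;
    for (i = 0; i < ndevs && i < VLAN_N_DEVS; i++)
        vi->grp.vn_devices_array[i] = i + 1;   /* non-zero = attached */
    dev->vlan_info = vi;
    return dev;
}
```

With two filter refs the first vlan_vid_del() leaves vlan_info in place and the loop runs; with a single ref it frees vlan_info and the handler bails out instead of walking freed memory.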