Hi Stephen,
I am studying the vxlan device driver in the 4.10 kernel. I see that vxlan_fdb
in the fdb_head list is rcu protected. call_rcu is invoked to free a vxlan fdb,
which will defer vxlan_fdb_free until all rcu reads exit the race condition.
But I don’t find any rcu_read_lock invoked before traversing the fdb_head list.
In the vxlan_xmit and vxlan_snoop functions, the vxlan_find_mac function is
called to search for the vxlan_fdb of the dst_mac or src_mac. Then the
information in vxlan_fdb is used for further processing. But as no
rcu_read_lock is obtained before the list traversal, I am wondering if it is
possible that a vxlan_fdb is freed while it is being used.

static void vxlan_fdb_destroy(struct vxlan_dev *vxlan, struct vxlan_fdb *f)
{
	netdev_dbg(vxlan->dev,
		   "delete %pM\n", f->eth_addr);
	--vxlan->addrcnt;
	vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f), RTM_DELNEIGH);
	hlist_del_rcu(&f->hlist);
	call_rcu(&f->rcu, vxlan_fdb_free);
}

Thanks
Xiaobo
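
The deferred-free behaviour the message asks about, as an added example that is not part of the original mail and is not kernel code: a single-threaded userspace model in which an unlink-then-deferred-free, shaped like vxlan_fdb_destroy() above, is interleaved with a reader that either is or is not inside a read-side section. All model_* names and the MAC address are constructed for illustration, the grace period is reduced to "no reader currently active", and the model says nothing about which locks the real callers of vxlan_find_mac hold.

```c
#include <stdio.h>

/* Userspace model only: every model_* name is hypothetical, not a kernel API. */
struct fdb_entry {
	unsigned char eth_addr[6];
	int freed;                 /* set instead of free() so it can be inspected */
	struct fdb_entry *cb_next; /* deferred-free queue linkage */
};
static struct fdb_entry *fdb_head, *cb_queue;
static int active_readers;         /* readers inside a read-side section */

static void model_read_lock(void)   { active_readers++; }
static void model_read_unlock(void) { active_readers--; }

/* Grace-period stand-in: deferred frees run only when no reader is active. */
static void model_run_callbacks(void)
{
	if (active_readers)
		return;
	for (; cb_queue; cb_queue = cb_queue->cb_next)
		cb_queue->freed = 1;
}

/* Mirrors vxlan_fdb_destroy(): unlink now, queue the free for later. */
static void model_fdb_destroy(struct fdb_entry *f)
{
	fdb_head = NULL;           /* the model only ever holds one entry */
	f->cb_next = cb_queue;
	cb_queue = f;
}

/* Returns 1 if the entry was freed while the reader still held its pointer. */
static int freed_under_reader(int take_read_lock)
{
	struct fdb_entry e = { .eth_addr = { 0x02, 0, 0, 0, 0, 0x01 } }; /* constructed */
	fdb_head = &e;
	if (take_read_lock) model_read_lock();
	struct fdb_entry *f = fdb_head;  /* pointer the reader holds on to */
	model_fdb_destroy(f);            /* writer deletes the entry meanwhile */
	model_run_callbacks();           /* a grace period is attempted */
	int seen = f->freed;
	if (take_read_lock) model_read_unlock();
	model_run_callbacks();           /* drain before e goes out of scope */
	return seen;
}

int main(void)
{
	printf("with read lock: %d, without: %d\n", freed_under_reader(1), freed_under_reader(0));
	return 0;
}
```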