From: Cong Wang
Date: Thu, 9 Nov 2017 16:43:13 -0800
> After refcnt reaches zero, vlan_vid_del() could free
> dev->vlan_info via RCU:
>
> RCU_INIT_POINTER(dev->vlan_info, NULL);
> call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
>
> However, the pointer 'grp' still points to that mem
On Fri, Nov 10, 2017 at 3:50 AM, Fengguang Wu wrote:
> It works, thank you for fixing this ancient bug!
>
> Tested-by: Fengguang Wu
Thanks for all the 0day work to make people finally figure this out.
Linus
It works, thank you for fixing this ancient bug!
Tested-by: Fengguang Wu
On 11/9/17 4:43 PM, Cong Wang wrote:
After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:
RCU_INIT_POINTER(dev->vlan_info, NULL);
call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
However, the pointer 'grp' still points to that memory
since it is set before
After refcnt reaches zero, vlan_vid_del() could free
dev->vlan_info via RCU:
RCU_INIT_POINTER(dev->vlan_info, NULL);
call_rcu(&vlan_info->rcu, vlan_info_rcu_free);
However, the pointer 'grp' still points to that memory
since it is set before vlan_vid_del():
vlan_info = rt
