Commit 9af23042 authored by Eric Dumazet's avatar Eric Dumazet Committed by Stefan Bader

ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero

BugLink: https://bugs.launchpad.net/bugs/1836666

[ Upstream commit 65a3c497 ]

Before taking a refcount, make sure the object is not already
scheduled for deletion.

Same fix is needed in ipv6_flowlabel_opt()

Fixes: 18367681 ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 0573703f
...@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label) ...@@ -254,9 +254,9 @@ struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label)
rcu_read_lock_bh(); rcu_read_lock_bh();
for_each_sk_fl_rcu(np, sfl) { for_each_sk_fl_rcu(np, sfl) {
struct ip6_flowlabel *fl = sfl->fl; struct ip6_flowlabel *fl = sfl->fl;
if (fl->label == label) {
if (fl->label == label && atomic_inc_not_zero(&fl->users)) {
fl->lastuse = jiffies; fl->lastuse = jiffies;
atomic_inc(&fl->users);
rcu_read_unlock_bh(); rcu_read_unlock_bh();
return fl; return fl;
} }
...@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) ...@@ -622,7 +622,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
goto done; goto done;
} }
fl1 = sfl->fl; fl1 = sfl->fl;
atomic_inc(&fl1->users); if (!atomic_inc_not_zero(&fl1->users))
fl1 = NULL;
break; break;
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment