提交 d69efb16 编写于 作者: B Bodo Stroesser 提交者: David S. Miller

bridge: kernel panic when unloading bridge module

There is a race condition when unloading bridge and netfilter.

The problem happens if __fake_rtable is in use by a skb
coming in, while someone starts to unload bridge.ko.
br_netfilter_fini() is called at the beginning of unload
in br_deinit() while skbs still are being forwarded and
transferred to local ip stack. Thus there is a possibility
of the __fake_rtable pointer not being removed in a skb that
goes up to ip stack. This results in a kernel panic, as
ip_rcv() calls the input-function of __fake_rtable, which
is NULL.

Moving the call of br_netfilter_fini() to the end of
br_deinit() solves the problem.
Signed-off-by: NBodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: NStephen Hemminger <stephen.hemminger@vyatta.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 43af8532
...@@ -76,7 +76,6 @@ static void __exit br_deinit(void) ...@@ -76,7 +76,6 @@ static void __exit br_deinit(void)
rcu_assign_pointer(br_stp_sap->rcv_func, NULL); rcu_assign_pointer(br_stp_sap->rcv_func, NULL);
br_netlink_fini(); br_netlink_fini();
br_netfilter_fini();
unregister_netdevice_notifier(&br_device_notifier); unregister_netdevice_notifier(&br_device_notifier);
brioctl_set(NULL); brioctl_set(NULL);
...@@ -84,6 +83,7 @@ static void __exit br_deinit(void) ...@@ -84,6 +83,7 @@ static void __exit br_deinit(void)
synchronize_net(); synchronize_net();
br_netfilter_fini();
llc_sap_put(br_stp_sap); llc_sap_put(br_stp_sap);
br_fdb_get_hook = NULL; br_fdb_get_hook = NULL;
br_fdb_put_hook = NULL; br_fdb_put_hook = NULL;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册