ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
author Eric Dumazet <edumazet@google.com>
Thu, 6 Jun 2019 21:32:34 +0000 (14:32 -0700)
committer David S. Miller <davem@davemloft.net>
Sun, 9 Jun 2019 20:07:14 +0000 (13:07 -0700)
Before taking a refcount, make sure the object is not already
scheduled for deletion.

Same fix is needed in ipv6_flowlabel_opt()

Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv6/ip6_flowlabel.c

index 2f3eb7dc45daa5012b4b29f34b0542e00c60d135..545e339b8c4fb5a372d4193361b4f5c9f9dd3b0b 100644 (file)
@@ -250,9 +250,9 @@ struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label)
        rcu_read_lock_bh();
        for_each_sk_fl_rcu(np, sfl) {
                struct ip6_flowlabel *fl = sfl->fl;
-               if (fl->label == label) {
+
+               if (fl->label == label && atomic_inc_not_zero(&fl->users)) {
                        fl->lastuse = jiffies;
-                       atomic_inc(&fl->users);
                        rcu_read_unlock_bh();
                        return fl;
                }
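
Review bot: In the fl6_sock_lookup() loop, the result of atomic_inc_not_zero(&fl->users) is folded into the same condition as the label compare, so an entry with the right label but a zero users count is silently treated as a non-match and the walk continues. A one-line comment above the `if` saying that a zero count means the label is already scheduled for deletion (the wording the commit message uses) would keep a later cleanup from splitting the condition and reintroducing a plain atomic_inc().
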
@@ -618,7 +618,8 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
                                                goto done;
                                        }
                                        fl1 = sfl->fl;
-                                       atomic_inc(&fl1->users);
+                                       if (!atomic_inc_not_zero(&fl1->users))
+                                               fl1 = NULL;
                                        break;
                                }
                        }
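
Review bot: In ipv6_flowlabel_opt(), the failure branch sets `fl1 = NULL;` and then reaches the same `break` as the success case, so the search stops at the first matching entry whether or not a reference was actually taken. The code after the loop is outside this hunk, so it is worth confirming that it treats fl1 == NULL as "not found" and returns an error instead of dereferencing it; a short comment at the assignment stating that intent would make the dependency explicit.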