diff options
author | Bodo Stroesser <bstroesser@fujitsu-siemens.com> | 2008-04-29 03:18:13 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-04-29 03:18:13 -0700 |
commit | d69efb16891ddfa6c0b527f912a7193054d50281 (patch) | |
tree | f9d3b4a858530e0e63246467cf9d1efdd6abdd05 /net/bridge | |
parent | 43af8532ecd74a61f9e7aeb27c026c1ee27915ca (diff) | |
download | lwn-d69efb16891ddfa6c0b527f912a7193054d50281.tar.gz lwn-d69efb16891ddfa6c0b527f912a7193054d50281.zip |
bridge: kernel panic when unloading bridge module
There is a race condition when unloading bridge and netfilter.
The problem happens if __fake_rtable is in use by a skb
coming in, while someone starts to unload bridge.ko.
br_netfilter_fini() is called at the beginning of unload
in br_deinit() while skbs still are being forwarded and
transferred to local ip stack. Thus there is a possibility
of the __fake_rtable pointer not being removed in a skb that
goes up to ip stack. This results in a kernel panic, as
ip_rcv() calls the input-function of __fake_rtable, which
is NULL.
Moving the call of br_netfilter_fini() to the end of
br_deinit() solves the problem.
Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge')
-rw-r--r-- | net/bridge/br.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/bridge/br.c b/net/bridge/br.c index a90182873120..8f3c58e5f7a5 100644 --- a/net/bridge/br.c +++ b/net/bridge/br.c @@ -76,7 +76,6 @@ static void __exit br_deinit(void) rcu_assign_pointer(br_stp_sap->rcv_func, NULL); br_netlink_fini(); - br_netfilter_fini(); unregister_netdevice_notifier(&br_device_notifier); brioctl_set(NULL); @@ -84,6 +83,7 @@ static void __exit br_deinit(void) synchronize_net(); + br_netfilter_fini(); llc_sap_put(br_stp_sap); br_fdb_get_hook = NULL; br_fdb_put_hook = NULL; |