Commit d69efb16891ddfa6c0b527f912a7193054d50281
Committed by
David S. Miller
David S. Miller
1 parent
43af8532ec
bridge: kernel panic when unloading bridge module
There is a race condition when unloading bridge and netfilter. The problem happens if __fake_rtable is in use by a skb coming in, while someone starts to unload bridge.ko. br_netfilter_fini() is called at the beginning of unload in br_deinit() while skbs still are being forwarded and transferred to local ip stack. Thus there is a possibility of the __fake_rtable pointer not being removed in a skb that goes up to ip stack. This results in a kernel panic, as ip_rcv() calls the input-function of __fake_rtable, which is NULL. Moving the call of br_netfilter_fini() to the end of br_deinit() solves the problem. Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com> Signed-off-by: Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
net/bridge/br.c
| ... | ... | @@ -76,7 +76,6 @@ |
| 76 | 76 | rcu_assign_pointer(br_stp_sap->rcv_func, NULL); |
| 77 | 77 | |
| 78 | 78 | br_netlink_fini(); |
| 79 | - br_netfilter_fini(); | |
| 80 | 79 | unregister_netdevice_notifier(&br_device_notifier); |
| 81 | 80 | brioctl_set(NULL); |
| 82 | 81 | |
| ... | ... | @@ -84,6 +83,7 @@ |
| 84 | 83 | |
| 85 | 84 | synchronize_net(); |
| 86 | 85 | |
| 86 | + br_netfilter_fini(); | |
| 87 | 87 | llc_sap_put(br_stp_sap); |
| 88 | 88 | br_fdb_get_hook = NULL; |
| 89 | 89 | br_fdb_put_hook = NULL; |