From: Nikolay Aleksandrov <razor@xxxxxxxxxxxxx>
Date: Mon, 12 Oct 2015 17:55:55 +0200
> From: Nikolay Aleksandrov <nikolay@xxxxxxxxxxxxxxxxxxx>
>
> commit c62987bbd8a1 ("bridge: push bridge setting ageing_time down to
> switchdev") introduced a timer race condition because the gc_timer can
> get rearmed after it's supposedly stopped and flushed in br_dev_delete()
> leading to a use of freed memory. So take rtnl to sync with bridge
> destruction when setting ageing_timer.
> Here's the trace reproduced with these two commands running in parallel:
> while :; do echo 10000 > /sys/class/net/br0/bridge/ageing_timer; done;
> while :; do brctl addbr br0; ip l set br0 up; ip l set br0 down;
> brctl delbr br0; done;
...
> Fixes: c62987bbd8a1 ("bridge: push bridge setting ageing_time down to switchdev")
> Signed-off-by: Nikolay Aleksandrov <nikolay@xxxxxxxxxxxxxxxxxxx>
Applied, thanks.
