Sebastian Andrzej Siewior <bigeasy@xxxxxxxxxxxxx> wrote:
> nft_ct_pcpu_template is a per-CPU variable and relies on disabled BH for its
> locking. The refcounter is read and if its value is set to one then the
> refcounter is incremented and variable is used - otherwise it is already
> in use and left untouched.
>
> Without per-CPU locking in local_bh_disable() on PREEMPT_RT the
> read-then-increment operation is not atomic and therefore racy.
>
> This can be avoided by using unconditionally __refcount_inc() which will
> increment counter and return the old value as an atomic operation.
> In case the returned counter is not one, the variable is in use and we
> need to decrement counter. Otherwise we can use it.
>
> Use __refcount_inc() instead of read and a conditional increment.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>

Fixes: edee4f1e9245 ("netfilter: nft_ct: add zone id set support")
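The read-then-increment race described in the quoted commit message, and the increment-then-check-old-value form that closes it, as an added userspace illustration that is not code from the patch or from the kernel. It assumes C11 `atomic_fetch_add()` as a stand-in for `__refcount_inc()`; `struct tmpl`, the function names and the two-task interleaving are constructed for the example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
/* Userspace stand-in for the per-CPU template: use == 1 means idle. */
struct tmpl { atomic_uint use; };

/* Old pattern, second half: increment only if the earlier read saw 1. */
static bool racy_take(struct tmpl *t, unsigned seen)
{
    if (seen != 1)
        return false;             /* in use: left untouched */
    atomic_fetch_add(&t->use, 1);
    return true;
}

/* New pattern: increment unconditionally, decide on the old value. */
static bool atomic_take(struct tmpl *t)
{
    if (atomic_fetch_add(&t->use, 1) == 1)
        return true;              /* we are the only user */
    atomic_fetch_sub(&t->use, 1); /* already in use: undo our increment */
    return false;
}

/* Constructed interleaving: B runs between A's read and A's increment. */
static int owners_racy(void)
{
    struct tmpl t = { 1 };
    unsigned a_seen = atomic_load(&t.use);         /* A reads 1, is preempted */
    bool b = racy_take(&t, atomic_load(&t.use));   /* B reads 1 and takes it */
    bool a = racy_take(&t, a_seen);                /* A resumes with stale 1 */
    return a + b;                 /* number of tasks that think they own it */
}

/* Same two tasks with the atomic form; -1 if the counter does not return to 1. */
static int owners_atomic(void)
{
    struct tmpl t = { 1 };
    bool a = atomic_take(&t);     /* old value 1: A owns it */
    bool b = atomic_take(&t);     /* old value 2: B backs off */
    atomic_fetch_sub(&t.use, 1);  /* A releases */
    return atomic_load(&t.use) == 1 ? a + b : -1;
}

int main(void)
{
    printf("racy owners=%d, atomic owners=%d\n", owners_racy(), owners_atomic());
    return 0;
}
```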