Hi!

> commit 3116f59c12bd24c513194cd3acb3ec1f7d468954 upstream.
>
> Using ifconfig command to delete the ipv6 address will cause
> the i40e network card driver to delete its internal mac_filter and
> i40e_service_task kernel thread will concurrently access the mac_filter.
> These two processes are not protected by lock
> so causing the following use-after-free problems.

Ok, but...

> +static void netdev_hw_addr_refcnt(struct i40e_mac_filter *f,
> + struct net_device *netdev, int delta)
> +{
> + struct netdev_hw_addr *ha;
> +
> + if (!f || !netdev)
> + return;
> +
> + netdev_for_each_mc_addr(ha, netdev) {
> + if (ether_addr_equal(ha->addr, f->macaddr)) {
> + ha->refcount += delta;
> + if (ha->refcount <= 0)
> + ha->refcount = 1;
> + break;
> + }
> + }
> +}

What is going on here? Is refcount expected to underflow under normal
operation? Should we at least have WARN_ON there?

Best regards,
Pavel

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
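Review bot: the clamp `if (ha->refcount <= 0) ha->refcount = 1;` in netdev_hw_addr_refcnt() silently hides a reference-count underflow instead of reporting it, which makes the exact imbalance this fix is meant to address harder to detect later; a `WARN_ON_ONCE(ha->refcount <= 0)` before the adjustment (or a check that `delta` is only ever +1/-1) would surface the bug while still keeping the entry alive. The helper also modifies `ha->refcount` directly while walking the list via netdev_for_each_mc_addr(), but the hunk does not show or comment on which lock the caller must hold; given that the commit message blames a missing lock for the use-after-free, the locking requirement for this helper should be stated in a comment above it. Finally, only the multicast list is walked, so a `delta` passed for a unicast filter is a no-op; if that is intended, say so in the function's comment.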