From: Herbert Xu

When we are not the real parent of the dst (e.g., when we're xfrm_dst and the child is an rtentry), it may already be on the GC list. In fact the current code is buggy too, we need to check dst->flags before the dec as dst may no longer be valid afterwards.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Andrew Morton

--- 25-akpm/net/core/dst.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff -puN net/core/dst.c~fix-dst_destroy-race net/core/dst.c --- 25/net/core/dst.c~fix-dst_destroy-race 2005-04-06 01:39:29.000000000 -0700 +++ 25-akpm/net/core/dst.c 2005-04-06 01:39:29.000000000 -0700 @@ -198,13 +198,15 @@ again: dst = child; if (dst) { + int nohash = dst->flags & DST_NOHASH; + if (atomic_dec_and_test(&dst->__refcnt)) { /* We were real parent of this dst, so kill child. */ - if (dst->flags&DST_NOHASH) + if (nohash) goto again; } else { /* Child is still referenced, return it for freeing. */ - if (dst->flags&DST_NOHASH) + if (nohash) return dst; /* Child is still in his hash table */ } _
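Review bot: in the else branch, `return dst` still hands the child back to the caller after `atomic_dec_and_test(&dst->__refcnt)` has dropped our reference without reaching zero, and by the description's own reasoning the dst may no longer be valid at that point. Sampling `dst->flags` early removes the read after the decrement, but the returned pointer is used later still, so the commit message or the "return it for freeing" comment should say what keeps the child alive for the caller, or how the caller copes when the child is already on the GC list. The new `int nohash = dst->flags & DST_NOHASH;` line also deserves a one-line comment saying the flags must be read before the decrement, otherwise a later cleanup is likely to fold it back into the two `if` tests.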