caif: Bugfix list_del_rcu race in cfmuxl_ctrlcmd.
author sjur.brandeland@stericsson.com <sjur.brandeland@stericsson.com>
Thu, 2 Feb 2012 01:21:02 +0000 (01:21 +0000)
committer David S. Miller <davem@davemloft.net>
Thu, 2 Feb 2012 19:35:12 +0000 (14:35 -0500)
commit b01377a4200d0dfc7b04a8daabb4739727353703
tree 2c1eef3ae76495872c2b55459c318e9a905c479f
parent c31c151b1c4a29da4dc92212aa8648fb4f8557b9
caif: Bugfix list_del_rcu race in cfmuxl_ctrlcmd.

Always use cfmuxl_remove_uplayer when removing an up-layer.
cfmuxl_ctrlcmd() can be called independently and in parallel with
cfmuxl_remove_uplayer(). The race between them could cause list_del_rcu
to be called on a node which has been already taken out from the list.
That led to a (rare) crash on accessing poisoned node->prev inside
list_del_rcu.

This fix ensures that deletions are done holding the same lock.

Reported-by: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com>
Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/caif/cfmuxl.c
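
The failure mode in the commit message, as an added userspace model (not the kernel's list.h and not code from this commit): a delete that poisons `prev` must never run twice on the same node, and routing every removal through one function that looks the node up and unlinks it under one lock turns the second removal into a no-op. All names here (`model_list_del`, `remove_by_id`, `POISON_PREV`, `list_lock`) are constructed, and the lookup-by-id removal is an assumption about the shape of the fix.

```c
#include <pthread.h>
#include <stdint.h>

/* Userspace model with constructed names; not the kernel's list.h or CAIF code. */
#define POISON_PREV ((struct node *)(uintptr_t)0x122) /* stand-in poison value */

struct node { struct node *next, *prev; int id; };

static struct node head = { &head, &head, -1 };
static pthread_mutex_t list_lock = PTHREAD_MUTEX_INITIALIZER;

static void model_list_add(struct node *n)
{
    n->next = head.next;
    n->prev = &head;
    head.next->prev = n;
    head.next = n;
}

/* Modelled on list_del_rcu(): unlink, keep ->next for readers, poison ->prev. */
static void model_list_del(struct node *n)
{
    n->next->prev = n->prev;
    n->prev->next = n->next; /* a second call on n would write through POISON_PREV */
    n->prev = POISON_PREV;
}

static int is_poisoned(const struct node *n) { return n->prev == POISON_PREV; }

/* Single removal path: lookup and unlink happen under the same lock, so a node
 * another caller already removed is not found and is never unlinked twice.
 * Returns 1 if this call removed the node, 0 if it was already gone. */
static int remove_by_id(int id)
{
    int removed = 0;
    pthread_mutex_lock(&list_lock);
    for (struct node *n = head.next; n != &head; n = n->next) {
        if (n->id == id) { model_list_del(n); removed = 1; break; }
    }
    pthread_mutex_unlock(&list_lock);
    return removed;
}

int main(void)
{
    struct node a = { 0, 0, 1 };
    model_list_add(&a);
    int first = remove_by_id(1);  /* unlinked by this caller */
    int second = remove_by_id(1); /* already gone, no second unlink */
    return !(first == 1 && second == 0 && is_poisoned(&a));
}
```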