caif: Bugfix list_del_rcu race in cfmuxl_ctrlcmd.

Always use cfmuxl_remove_uplayer when removing a up-layer. cfmuxl_ctrlcmd() can be called independently and in parallel with cfmuxl_remove_uplayer(). The race between them could cause list_del_rcu to be called on a node which has been already taken out from the list. That lead to a (rare) crash on accessing poisoned node->prev inside list_del_rcu. This fix ensures that deletion are done holding the same lock. Reported-by: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com> Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: sjur.brandeland@stericsson.com <sjur.brandeland@stericsson.com> 2012-02-01 20:21:02 -0500
committer: David S. Miller <davem@davemloft.net> 2012-02-02 14:35:12 -0500
commit: b01377a4200d0dfc7b04a8daabb4739727353703 (patch)
tree: 2c1eef3ae76495872c2b55459c318e9a905c479f /net/caif
parent: c31c151b1c4a29da4dc92212aa8648fb4f8557b9 (diff)
1 files changed, 3 insertions, 9 deletions
diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c
index b36f24a4c8e7..94b08612a4d8 100644
--- a/net/caif/cfmuxl.c
+++ b/net/caif/cfmuxl.c
@@ -248,7 +248,6 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 {
        struct cfmuxl *muxl = container_obj(layr);
        struct cflayer *layer;
-        int idx;
        rcu_read_lock();
        list_for_each_entry_rcu(layer, &muxl->srvl_list, node) {
@@ -257,14 +256,9 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
                        if ((ctrl == _CAIF_CTRLCMD_PHYIF_DOWN_IND ||
                                ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) &&
-                                        layer->id != 0) {
+                                        layer->id != 0)
+                                cfmuxl_remove_uplayer(layr, layer->id);
-                                idx = layer->id % UP_CACHE_SIZE;
-                                spin_lock_bh(&muxl->receive_lock);
-                                RCU_INIT_POINTER(muxl->up_cache[idx], NULL);
-                                list_del_rcu(&layer->node);
-                                spin_unlock_bh(&muxl->receive_lock);
-                        }
                        /* NOTE: ctrlcmd is not allowed to block */
                        layer->ctrlcmd(layer, ctrl, phyid);
                }
author	sjur.brandeland@stericsson.com <sjur.brandeland@stericsson.com>	2012-02-01 20:21:02 -0500
committer	David S. Miller <davem@davemloft.net>	2012-02-02 14:35:12 -0500
commit	b01377a4200d0dfc7b04a8daabb4739727353703 (patch)
tree	2c1eef3ae76495872c2b55459c318e9a905c479f /net/caif
parent	c31c151b1c4a29da4dc92212aa8648fb4f8557b9 (diff)

diff --git a/net/caif/cfmuxl.c b/net/caif/cfmuxl.c index b36f24a4c8e7..94b08612a4d8 100644 --- a/net/caif/cfmuxl.c +++ b/net/caif/cfmuxl.c
@@ -248,7 +248,6 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
248	{	248	{
249	struct cfmuxl *muxl = container_obj(layr);	249	struct cfmuxl *muxl = container_obj(layr);
250	struct cflayer *layer;	250	struct cflayer *layer;
251	int idx;
252		251
253	rcu_read_lock();	252	rcu_read_lock();
254	list_for_each_entry_rcu(layer, &muxl->srvl_list, node) {	253	list_for_each_entry_rcu(layer, &muxl->srvl_list, node) {
@@ -257,14 +256,9 @@ static void cfmuxl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
257		256
258	if ((ctrl == _CAIF_CTRLCMD_PHYIF_DOWN_IND \|\|	257	if ((ctrl == _CAIF_CTRLCMD_PHYIF_DOWN_IND \|\|
259	ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) &&	258	ctrl == CAIF_CTRLCMD_REMOTE_SHUTDOWN_IND) &&
260	layer->id != 0) {	259	layer->id != 0)
261		260	cfmuxl_remove_uplayer(layr, layer->id);
262	idx = layer->id % UP_CACHE_SIZE;	261
263	spin_lock_bh(&muxl->receive_lock);
264	RCU_INIT_POINTER(muxl->up_cache[idx], NULL);
265	list_del_rcu(&layer->node);
266	spin_unlock_bh(&muxl->receive_lock);
267	}
268	/* NOTE: ctrlcmd is not allowed to block */	262	/* NOTE: ctrlcmd is not allowed to block */
269	layer->ctrlcmd(layer, ctrl, phyid);	263	layer->ctrlcmd(layer, ctrl, phyid);
270	}	264	}