l2tp: fix race in l2tp_recv_dequeue()
authorEric Dumazet <eric.dumazet@gmail.com>
Wed, 2 Nov 2011 22:47:44 +0000 (22:47 +0000)
committerDavid S. Miller <davem@davemloft.net>
Thu, 3 Nov 2011 22:02:13 +0000 (18:02 -0400)
commite2e210c0238eb7073e07af503ae743fa53977120
treea4940a436eb0292f09a9e9c09d7bfccfc5a0d76f
parent2edcd4ca43df3c1d1d392753531cc73a53e709ba
l2tp: fix race in l2tp_recv_dequeue()

Misha Labjuk reported panics occurring in l2tp_recv_dequeue()

If we release reorder_q.lock, we must not keep a dangling pointer (tmp),
since another thread could manipulate reorder_q.

Instead we must restart the scan at beginning of list.

Reported-by: Misha Labjuk <spiked.yar@gmail.com>
Tested-by: Misha Labjuk <spiked.yar@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/l2tp/l2tp_core.c