bridge: kernel panic when unloading bridge module

There is a race condition when unloading bridge and netfilter.

The problem happens if __fake_rtable is in use by a skb
coming in, while someone starts to unload bridge.ko.
br_netfilter_fini() is called at the beginning of unload
in br_deinit() while skbs still are being forwarded and
transferred to local ip stack. Thus there is a possibility
of the __fake_rtable pointer not being removed in a skb that
goes up to ip stack. This results in a kernel panic, as
ip_rcv() calls the input-function of __fake_rtable, which
is NULL.

Moving the call of br_netfilter_fini() to the end of
br_deinit() solves the problem.
Signed-off-by: NBodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: NStephen Hemminger <stephen.hemminger@vyatta.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

net/bridge/br.c

@@ -76,7 +76,6 @@ static void __exit br_deinit(void)
 	rcu_assign_pointer(br_stp_sap->rcv_func, NULL);
 
 	br_netlink_fini();
-	br_netfilter_fini();
 	unregister_netdevice_notifier(&br_device_notifier);
 	brioctl_set(NULL);
 
@@ -84,6 +83,7 @@ static void __exit br_deinit(void)
 
 	synchronize_net();
 
+	br_netfilter_fini();
 	llc_sap_put(br_stp_sap);
 	br_fdb_get_hook = NULL;
 	br_fdb_put_hook = NULL;