On Fri, Dec 08, 2017 at 12:02:30PM +0800, Jason Wang wrote:
> Private destructor could be called when register_netdev() fails with
> rtnl lock held. This will lead to a deadlock in tun_free_netdev(), which
> tries to hold rtnl_lock. Fix this by switching to use a spinlock to
> synchronize.
> 
> Fixes: 96f84061620c ("tun: add eBPF based queue selection method")
> Reported-by: Eric Dumazet <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Cc: Willem de Bruijn <[email protected]>
> Signed-off-by: Jason Wang <[email protected]>

Acked-by: Michael S. Tsirkin <[email protected]>

> ---
>  drivers/net/tun.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 787cc35..8d85163 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -2050,8 +2050,11 @@ static int __tun_set_steering_ebpf(struct tun_struct 
> *tun,
>               new->prog = prog;
>       }
>  
> -     old = rtnl_dereference(tun->steering_prog);
> +     spin_lock_bh(&tun->lock);
> +     old = rcu_dereference_protected(tun->steering_prog,
> +                                     lockdep_is_held(&tun->lock));
>       rcu_assign_pointer(tun->steering_prog, new);
> +     spin_unlock_bh(&tun->lock);
>  
>       if (old)
>               call_rcu(&old->rcu, tun_steering_prog_free);
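
Review bot: The new spin_lock_bh(&tun->lock) in __tun_set_steering_ebpf() is now reached from the destructor on the register_netdev() failure path, and nothing in this hunk shows that tun->lock has been initialised by then. Please confirm the lock is set up before any point where tun_free_netdev() can run, and add a short comment here, or next to the field declaration, saying that tun->lock is what serialises updates of tun->steering_prog, since the rtnl_dereference() that used to document the locking rule is gone.
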
> @@ -2067,9 +2070,7 @@ static void tun_free_netdev(struct net_device *dev)
>       free_percpu(tun->pcpu_stats);
>       tun_flow_uninit(tun);
>       security_tun_dev_free_security(tun->security);
> -     rtnl_lock();
>       __tun_set_steering_ebpf(tun, NULL);
> -     rtnl_unlock();
>  }
>  
>  static void tun_setup(struct net_device *dev)
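
Review bot: With rtnl_lock()/rtnl_unlock() removed around __tun_set_steering_ebpf(tun, NULL) in tun_free_netdev(), the reason the call must not take rtnl is visible only in the commit message. A one-line comment above the call, stating that the destructor can be invoked with rtnl already held and that the helper takes tun->lock itself, would stop a later cleanup from putting the rtnl lock back and reintroducing the deadlock.
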
> -- 
> 2.7.4
