ipip: potential race in ip_tunnel_init_net()
authorDan Carpenter <dan.carpenter@oracle.com>
Fri, 23 Aug 2013 08:15:37 +0000 (11:15 +0300)
committerDavid S. Miller <davem@davemloft.net>
Sun, 25 Aug 2013 22:39:59 +0000 (18:39 -0400)
Eric Dumazet says that my previous fix for an ERR_PTR dereference
(ea857f28ab 'ipip: dereferencing an ERR_PTR in ip_tunnel_init_net()')
could be racy and suggests the following fix instead.

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ip_tunnel.c

index 24549b4aeae219f19e433f31e032f795bd249166..830de3f4e2935d17e241e37b7c563bd6a6eb191d 100644 (file)
@@ -854,16 +854,14 @@ int ip_tunnel_init_net(struct net *net, int ip_tnl_net_id,
 
        rtnl_lock();
        itn->fb_tunnel_dev = __ip_tunnel_create(net, ops, &parms);
-       rtnl_unlock();
-
-       if (IS_ERR(itn->fb_tunnel_dev))
-               return PTR_ERR(itn->fb_tunnel_dev);
        /* FB netdevice is special: we have one, and only one per netns.
         * Allowing to move it to another netns is clearly unsafe.
         */
-       itn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL;
+       if (!IS_ERR(itn->fb_tunnel_dev))
+               itn->fb_tunnel_dev->features |= NETIF_F_NETNS_LOCAL;
+       rtnl_unlock();
 
-       return 0;
+       return PTR_RET(itn->fb_tunnel_dev);
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_init_net);