tun: Fix unregister race

It is possible for tun_chr_close to race with dellink on the
a tun device.  In which case if __tun_get runs before dellink
but dellink runs before tun_chr_close calls unregister_netdevice
we will attempt to unregister the netdevice after it is already
gone.

The two cases are already serialized on the rtnl_lock, so I have
gone for the cheap simple fix of moving rtnl_lock to cover __tun_get
in tun_chr_close.  Eliminating the possibility of the tun device
being unregistered between __tun_get and unregister_netdevice in
tun_chr_close.

Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Tested-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index d83ccb8c982b9d8f8e68eea52de61d1b68c875ba..811d3517fce0c99895b4738df64a60d934f86fcf 100644 (file)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1322,21 +1322,22 @@ static int tun_chr_open(struct inode *inode, struct file * file)
 static int tun_chr_close(struct inode *inode, struct file *file)
 {
        struct tun_file *tfile = file->private_data;
-       struct tun_struct *tun = __tun_get(tfile);
+       struct tun_struct *tun;
 
 
+       rtnl_lock();
+       tun = __tun_get(tfile);
        if (tun) {
                DBG(KERN_INFO "%s: tun_chr_close\n", tun->dev->name);
 
-               rtnl_lock();
                __tun_detach(tun);
 
                /* If desireable, unregister the netdevice. */
                if (!(tun->flags & TUN_PERSIST))
                        unregister_netdevice(tun->dev);
 
-               rtnl_unlock();
        }
+       rtnl_unlock();
 
        tun = tfile->tun;
        if (tun)