tun: Fix device unregister race

It is currently possible for an asynchronous device unregister
to cause the same tun device to be unregistered twice.  This
is because the unregister in tun_chr_close only checks whether
__tun_get(tfile) != NULL.  This however has nothing to do with
whether the device has already been unregistered.  All it tells
you is whether __tun_detach has been called.

This patch fixes this by using the most obvious thing to test
whether the device has been unregistered.

It also moves __tun_detach outside of rtnl_unlock since nothing
that it does requires that lock.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 11a0ba4..b393536 100644 (file)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1324,20 +1324,22 @@ static int tun_chr_close(struct inode *inode, struct file *file)
        struct tun_file *tfile = file->private_data;
        struct tun_struct *tun;
 
-
-       rtnl_lock();
        tun = __tun_get(tfile);
        if (tun) {
-               DBG(KERN_INFO "%s: tun_chr_close\n", tun->dev->name);
+               struct net_device *dev = tun->dev;
+
+               DBG(KERN_INFO "%s: tun_chr_close\n", dev->name);
 
                __tun_detach(tun);
 
                /* If desireable, unregister the netdevice. */
-               if (!(tun->flags & TUN_PERSIST))
-                       unregister_netdevice(tun->dev);
-
+               if (!(tun->flags & TUN_PERSIST)) {
+                       rtnl_lock();
+                       if (dev->reg_state == NETREG_REGISTERED)
+                               unregister_netdevice(dev);
+                       rtnl_unlock();
+               }
        }
-       rtnl_unlock();
 
        tun = tfile->tun;
        if (tun)