tuntap: fix possible deadlock when fail to register netdev
authorJason Wang <jasowang@redhat.com>
Fri, 8 Dec 2017 04:02:30 +0000 (12:02 +0800)
committerDavid S. Miller <davem@davemloft.net>
Fri, 8 Dec 2017 15:44:27 +0000 (10:44 -0500)
The private destructor can be called with the rtnl lock held when
register_netdev() fails. This leads to a deadlock in tun_free_netdev(),
which tries to take rtnl_lock. Fix this by switching to a spinlock for
synchronization.

Fixes: 96f84061620c ("tun: add eBPF based queue selection method")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/tun.c

index c2ad8f3858d1e334e512bb4163a86c025d545048..e367d63103531a23f833211f7026d2e9c426c7af 100644 (file)
@@ -2048,8 +2048,11 @@ static int __tun_set_steering_ebpf(struct tun_struct *tun,
                new->prog = prog;
        }
 
-       old = rtnl_dereference(tun->steering_prog);
+       spin_lock_bh(&tun->lock);
+       old = rcu_dereference_protected(tun->steering_prog,
+                                       lockdep_is_held(&tun->lock));
        rcu_assign_pointer(tun->steering_prog, new);
+       spin_unlock_bh(&tun->lock);
 
        if (old)
                call_rcu(&old->rcu, tun_steering_prog_free);
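Review bot: The writer-side locking rule for `tun->steering_prog` changes from RTNL to `tun->lock` at the pointer swap, but nothing at the update site records it, so a later caller could reasonably assume RTNL still serializes writers. A short comment above `spin_lock_bh(&tun->lock);` would make the rule explicit, e.g. `/* tun->lock (not RTNL) serializes steering_prog updates; the netdev destructor can run with RTNL held. */`. __tun_set_steering_ebpf() starts and ends outside this hunk, and any other accessor of `steering_prog` that still uses `rtnl_dereference()` is not visible here, so it is worth checking that they agree with the new lockdep annotation.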
@@ -2065,9 +2068,7 @@ static void tun_free_netdev(struct net_device *dev)
        free_percpu(tun->pcpu_stats);
        tun_flow_uninit(tun);
        security_tun_dev_free_security(tun->security);
-       rtnl_lock();
        __tun_set_steering_ebpf(tun, NULL);
-       rtnl_unlock();
 }
 
 static void tun_setup(struct net_device *dev)
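Review bot: With the `rtnl_lock()`/`rtnl_unlock()` pair removed, the `__tun_set_steering_ebpf(tun, NULL)` call in tun_free_netdev() now takes `tun->lock` from the destructor, which per the commit description can run on the register_netdev() failure path. The site that initializes `tun->lock` is not in this diff, so it should be confirmed that `spin_lock_init()` always runs before the destructor can be invoked. A comment on the call would keep the constraint visible to future editors: `/* May run with RTNL held (register_netdev() failure); must not take rtnl_lock here. */`. The body of tun_free_netdev() begins before this hunk.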