[NET]: Fix race in dev_close(). (Bug 9750)
authorMatti Linnanvuori <mattilinnanvuori@yahoo.com>
Wed, 13 Feb 2008 07:10:11 +0000 (23:10 -0800)
committerDavid S. Miller <davem@davemloft.net>
Wed, 13 Feb 2008 07:11:16 +0000 (23:11 -0800)
There is a race in Linux kernel file net/core/dev.c, function dev_close.
The function calls function dev_deactivate, which calls function
dev_watchdog_down that deletes the watchdog timer. However, after that, a
driver can call netif_carrier_ok, which calls function
__netdev_watchdog_up that can add the watchdog timer again. Function
unregister_netdevice calls function dev_shutdown that traps the bug
!timer_pending(&dev->watchdog_timer). Moving dev_deactivate after
netif_running() has been cleared prevents function netif_carrier_on
from calling __netdev_watchdog_up and adding the watchdog timer again.

Signed-off-by: Matti Linnanvuori <mattilinnanvuori@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/dev.c

index 9549417250bba71650547e747226ba9e8c0a1882..6cfc1238c4a6979c1d94599f990aae6c9d95f50d 100644 (file)
@@ -1071,8 +1071,6 @@ int dev_close(struct net_device *dev)
         */
        call_netdevice_notifiers(NETDEV_GOING_DOWN, dev);
 
-       dev_deactivate(dev);
-
        clear_bit(__LINK_STATE_START, &dev->state);
 
        /* Synchronize to scheduled poll. We cannot touch poll list,
@@ -1083,6 +1081,8 @@ int dev_close(struct net_device *dev)
         */
        smp_mb__after_clear_bit(); /* Commit netif_running(). */
 
+       dev_deactivate(dev);
+
        /*
         *      Call the device specific close. This cannot fail.
         *      Only if device is UP