[IPV6] Fix possible dead-lock in ipv6_create_tempaddr().

If we need to obtain lock both ifp and ifp->idev, we need to do
lock idev first to avoid dead-lock.
Signed-off-by: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>

net/ipv6/addrconf.c

@@ -645,13 +645,14 @@ static void ipv6_del_addr(struct inet6_ifaddr *ifp)
 #ifdef CONFIG_IPV6_PRIVACY
 static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *ift)
 {
-	struct inet6_dev *idev;
+	struct inet6_dev *idev = ifp->idev;
 	struct in6_addr addr, *tmpaddr;
-	unsigned long tmp_prefered_lft, tmp_valid_lft;
+	unsigned long tmp_prefered_lft, tmp_valid_lft, tmp_cstamp, tmp_tstamp;
 	int tmp_plen;
 	int ret = 0;
 	int max_addresses;
 
+	write_lock(&idev->lock);
 	if (ift) {
 		spin_lock_bh(&ift->lock);
 		memcpy(&addr.s6_addr[8], &ift->addr.s6_addr[8], 8);
@@ -661,40 +662,35 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
 		tmpaddr = NULL;
 	}
 retry:
-	spin_lock_bh(&ifp->lock);
-	in6_ifa_hold(ifp);
-	idev = ifp->idev;
 	in6_dev_hold(idev);
-	memcpy(addr.s6_addr, ifp->addr.s6_addr, 8);
-	write_lock(&idev->lock);
 	if (idev->cnf.use_tempaddr <= 0) {
 		write_unlock(&idev->lock);
-		spin_unlock_bh(&ifp->lock);
 		printk(KERN_INFO
 			"ipv6_create_tempaddr(): use_tempaddr is disabled.\n");
 		in6_dev_put(idev);
-		in6_ifa_put(ifp);
 		ret = -1;
 		goto out;
 	}
+	spin_lock_bh(&ifp->lock);
 	if (ifp->regen_count++ >= idev->cnf.regen_max_retry) {
 		idev->cnf.use_tempaddr = -1;	/*XXX*/
-		write_unlock(&idev->lock);
 		spin_unlock_bh(&ifp->lock);
+		write_unlock(&idev->lock);
 		printk(KERN_WARNING
 			"ipv6_create_tempaddr(): regeneration time exceeded. disabled temporary address support.\n");
 		in6_dev_put(idev);
-		in6_ifa_put(ifp);
 		ret = -1;
 		goto out;
 	}
+	in6_ifa_hold(ifp);
+	memcpy(addr.s6_addr, ifp->addr.s6_addr, 8);
 	if (__ipv6_try_regen_rndid(idev, tmpaddr) < 0) {
-		write_unlock(&idev->lock);
 		spin_unlock_bh(&ifp->lock);
+		write_unlock(&idev->lock);
 		printk(KERN_WARNING
 			"ipv6_create_tempaddr(): regeneration of randomized interface id failed.\n");
-		in6_dev_put(idev);
 		in6_ifa_put(ifp);
+		in6_dev_put(idev);
 		ret = -1;
 		goto out;
 	}
@@ -707,27 +703,33 @@ static int ipv6_create_tempaddr(struct inet6_ifaddr *ifp, struct inet6_ifaddr *i
 				 idev->cnf.temp_prefered_lft - desync_factor / HZ);
 	tmp_plen = ifp->prefix_len;
 	max_addresses = idev->cnf.max_addresses;
-	write_unlock(&idev->lock);
+	tmp_cstamp = ifp->cstamp;
+	tmp_tstamp = ifp->tstamp;
 	spin_unlock_bh(&ifp->lock);
+
+	write_unlock(&idev->lock);
 	ift = !max_addresses ||
 	      ipv6_count_addresses(idev) < max_addresses ? 
 		ipv6_add_addr(idev, &addr, tmp_plen,
 			      ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, IFA_F_TEMPORARY) : NULL;
 	if (!ift || IS_ERR(ift)) {
-		in6_dev_put(idev);
 		in6_ifa_put(ifp);
+		in6_dev_put(idev);
 		printk(KERN_INFO
 			"ipv6_create_tempaddr(): retry temporary address regeneration.\n");
 		tmpaddr = &addr;
+		write_lock(&idev->lock);
 		goto retry;
 	}
+
 	spin_lock_bh(&ift->lock);
 	ift->ifpub = ifp;
 	ift->valid_lft = tmp_valid_lft;
 	ift->prefered_lft = tmp_prefered_lft;
-	ift->cstamp = ifp->cstamp;
-	ift->tstamp = ifp->tstamp;
+	ift->cstamp = tmp_cstamp;
+	ift->tstamp = tmp_tstamp;
 	spin_unlock_bh(&ift->lock);
+
 	addrconf_dad_start(ift, 0);
 	in6_ifa_put(ift);
 	in6_dev_put(idev);
@@ -938,14 +940,12 @@ int ipv6_chk_same_addr(const struct in6_addr *addr, struct net_device *dev)
 	struct inet6_ifaddr * ifp;
 	u8 hash = ipv6_addr_hash(addr);
 
-	read_lock_bh(&addrconf_hash_lock);
 	for(ifp = inet6_addr_lst[hash]; ifp; ifp=ifp->lst_next) {
 		if (ipv6_addr_equal(&ifp->addr, addr)) {
 			if (dev == NULL || ifp->idev->dev == dev)
 				break;
 		}
 	}
-	read_unlock_bh(&addrconf_hash_lock);
 	return ifp != NULL;
 }