What prevents a scenario where tunopen() is entered and the check for si_drv1 == dev to fail because a parallel tun_destroy() not yet set si_drv1 to dev. Meantime tun_destroy() progressed to the point that si_drv1 is no longer a pointer to tuntap_softc, and we read it there?

I do not understand this even more. If everything you do under the tunmtx is checking the flag, then you can check it without lock as well.

Could it become simpler if we made two observations:

• if you need to call destroy_dev() from cdevpriv destructor, then the destructor itself was not called in the context of destroy_dev(), but instead due to the close of a file
• after destroy_dev_sched(), no new threads could enter any csw methods. Existing threads continue to run, of course.

Oh, right- I missed that your point #1 is implemented by way of dev_refthread() checking CDP_SCHED_DTR... I'll chew on this a little bit more, because I don't immediately see how I drain the theoretical remaining thread in tunopen(), unless I switch it to something more like an epoch with a deferred-free.

So I still do not understand why what I asked above is not possible, with the new code. You ought to explain it, perhaps as a comment to make it easily visible.

Sure, let me explain here to be sure it's actually correct (and it may be that I'm missing a barrier around si_drv1 load/store to actually guarantee the ordering that I want): tun_destroy() sets si_drv1 = dev and subsequently schedules the softc to be freed in coordination with the net epoch, so that a parallel thread in tunopen can observe one of two states:

• si_drv1 == dev: the softc will be freed imminently
• si_drv1 != dev: we're in the middle of an epoch section, so even if we just missed the store to si_drv1 the free will still be deferred until sometime after we exited. The tunnel is TUN_DYING, so we'll EBUSY our way out of the epoch.

Don't you at least need read-once semantics for dev->si_drv1? That is, how do you know that the value tp is a valid pointer to the softc? It looks like this should be:

void *p;

p = atomic_load_ptr(&dev->si_drv1);
if (p == dev)
    return error;
...
tp = p;

I think my other concern here is: do I need to be paranoid enough to drop a release fence here to guarantee order between this and the later NET_EPOCH_CALL? I particular, I'm wondering if the CPU could manage to reorder this past both that and the destroy_dev_sched badly enough that one could enter the net epoch at just the wrong time to observe a state where it's being freed without this store having completed, but maybe epoch_call semantics mean that it isn't a realistic scenario

Actually, I guess there's some locking in there that probably makes it not a realistic scenario

Yes, you can rely that we take and drop (giving rel semantic) dev_mtx in any form of destroy_dev().

I would perhaps use an atomic_store_ptr() here to complement the load and signal that the store is unsynchronized, but I agree that you don't need a fence.

OK- will turn it into an atomic_store_ptr before pushing