Commit 2547496e authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'tun-races' 



Eric Dumazet says:

====================
tun: address two syzbot reports

Small changes addressing races discovered by syzbot.

First patch is a cleanup.
Second patch moves a mutex init sooner.
Third patch makes sure each tfile gets its own napi enable flags.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 6fe94878 af3fb24e

drivers/net/tun.c

+21 −16
Original line number Diff line number Diff line
@@ -181,6 +181,7 @@ struct tun_file { 
	};

	struct napi_struct napi;

	bool napi_enabled;

	bool napi_frags_enabled;

	struct mutex napi_mutex;	/* Protects access to the above napi */

	struct list_head next;

	struct tun_struct *detached;
@@ -313,32 +314,32 @@ static int tun_napi_poll(struct napi_struct *napi, int budget) 
}



static void tun_napi_init(struct tun_struct *tun, struct tun_file *tfile,

			  bool napi_en)

			  bool napi_en, bool napi_frags)

{

	tfile->napi_enabled = napi_en;

	tfile->napi_frags_enabled = napi_en && napi_frags;

	if (napi_en) {

		netif_napi_add(tun->dev, &tfile->napi, tun_napi_poll,

			       NAPI_POLL_WEIGHT);

		napi_enable(&tfile->napi);

		mutex_init(&tfile->napi_mutex);

	}

}



static void tun_napi_disable(struct tun_struct *tun, struct tun_file *tfile)

static void tun_napi_disable(struct tun_file *tfile)

{

	if (tfile->napi_enabled)

		napi_disable(&tfile->napi);

}



static void tun_napi_del(struct tun_struct *tun, struct tun_file *tfile)

static void tun_napi_del(struct tun_file *tfile)

{

	if (tfile->napi_enabled)

		netif_napi_del(&tfile->napi);

}



static bool tun_napi_frags_enabled(const struct tun_struct *tun)

static bool tun_napi_frags_enabled(const struct tun_file *tfile)

{

	return READ_ONCE(tun->flags) & IFF_NAPI_FRAGS;

	return tfile->napi_frags_enabled;

}



#ifdef CONFIG_TUN_VNET_CROSS_LE
@@ -690,8 +691,8 @@ static void __tun_detach(struct tun_file *tfile, bool clean) 
	tun = rtnl_dereference(tfile->tun);



	if (tun && clean) {

		tun_napi_disable(tun, tfile);

		tun_napi_del(tun, tfile);

		tun_napi_disable(tfile);

		tun_napi_del(tfile);

	}



	if (tun && !tfile->detached) {
@@ -758,7 +759,7 @@ static void tun_detach_all(struct net_device *dev) 
	for (i = 0; i < n; i++) {

		tfile = rtnl_dereference(tun->tfiles[i]);

		BUG_ON(!tfile);

		tun_napi_disable(tun, tfile);

		tun_napi_disable(tfile);

		tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN;

		tfile->socket.sk->sk_data_ready(tfile->socket.sk);

		RCU_INIT_POINTER(tfile->tun, NULL);
@@ -774,7 +775,7 @@ static void tun_detach_all(struct net_device *dev) 
	synchronize_net();

	for (i = 0; i < n; i++) {

		tfile = rtnl_dereference(tun->tfiles[i]);

		tun_napi_del(tun, tfile);

		tun_napi_del(tfile);

		/* Drop read queue */

		tun_queue_purge(tfile);

		xdp_rxq_info_unreg(&tfile->xdp_rxq);
@@ -793,7 +794,7 @@ static void tun_detach_all(struct net_device *dev) 
}



static int tun_attach(struct tun_struct *tun, struct file *file,

		      bool skip_filter, bool napi)

		      bool skip_filter, bool napi, bool napi_frags)

{

	struct tun_file *tfile = file->private_data;

	struct net_device *dev = tun->dev;
@@ -866,7 +867,7 @@ static int tun_attach(struct tun_struct *tun, struct file *file, 
		tun_enable_queue(tfile);

	} else {

		sock_hold(&tfile->sk);

		tun_napi_init(tun, tfile, napi);

		tun_napi_init(tun, tfile, napi, napi_frags);

	}



	tun_set_real_num_queues(tun);
@@ -1709,7 +1710,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, 
	int err;

	u32 rxhash = 0;

	int skb_xdp = 1;

	bool frags = tun_napi_frags_enabled(tun);

	bool frags = tun_napi_frags_enabled(tfile);



	if (!(tun->dev->flags & IFF_UP))

		return -EIO;
@@ -2534,7 +2535,8 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) 
			return err;



		err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER,

				 ifr->ifr_flags & IFF_NAPI);

				 ifr->ifr_flags & IFF_NAPI,

				 ifr->ifr_flags & IFF_NAPI_FRAGS);

		if (err < 0)

			return err;
@@ -2632,7 +2634,8 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) 
			      (ifr->ifr_flags & TUN_FEATURES);



		INIT_LIST_HEAD(&tun->disabled);

		err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI);

		err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI,

				 ifr->ifr_flags & IFF_NAPI_FRAGS);

		if (err < 0)

			goto err_free_flow;
@@ -2781,7 +2784,8 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr) 
		ret = security_tun_dev_attach_queue(tun->security);

		if (ret < 0)

			goto unlock;

		ret = tun_attach(tun, file, false, tun->flags & IFF_NAPI);

		ret = tun_attach(tun, file, false, tun->flags & IFF_NAPI,

				 tun->flags & IFF_NAPI_FRAGS);

	} else if (ifr->ifr_flags & IFF_DETACH_QUEUE) {

		tun = rtnl_dereference(tfile->tun);

		if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached)
@@ -3199,6 +3203,7 @@ static int tun_chr_open(struct inode *inode, struct file * file) 
		return -ENOMEM;

	}



	mutex_init(&tfile->napi_mutex);

	RCU_INIT_POINTER(tfile->tun, NULL);

	tfile->flags = 0;

	tfile->ifindex = 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE