| Message ID | 20120809124436.5156.26944.stgit@localhost.localdomain |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
From: Stanislav Kinsbursky <skinsbursky@parallels.com> Date: Thu, 09 Aug 2012 16:50:40 +0400 > This is a fix for bug, introduced in 3.4 kernel by commit > 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d, which, among other things, replaced > simple sock_put() by sk_release_kernel(). Below is sequence, which leads to > oops for non-persistent devices: > > tun_chr_close() > tun_detach() <== tun->socket.file = NULL > tun_free_netdev() > sk_release_sock() > sock_release(sock->file == NULL) > iput(SOCK_INODE(sock)) <== dereference on NULL pointer > > This patch just removes zeroing of socket's file from __tun_detach(). > sock_release() will do this. > > Cc: stable@vger.kernel.org > Reported-by: Ruan Zhijie <ruanzhijie@hotmail.com> > Tested-by: Ruan Zhijie <ruanzhijie@hotmail.com> > Acked-by: Al Viro <viro@ZenIV.linux.org.uk> > Acked-by: Eric Dumazet <edumazet@google.com> > Acked-by: Yuchung Cheng <ycheng@google.com> > Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com> Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
10.08.2012 03:16, David Miller пишет: > From: Stanislav Kinsbursky <skinsbursky@parallels.com> > Date: Thu, 09 Aug 2012 16:50:40 +0400 > >> This is a fix for bug, introduced in 3.4 kernel by commit >> 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d, which, among other things, replaced >> simple sock_put() by sk_release_kernel(). Below is sequence, which leads to >> oops for non-persistent devices: >> >> tun_chr_close() >> tun_detach() <== tun->socket.file = NULL >> tun_free_netdev() >> sk_release_sock() >> sock_release(sock->file == NULL) >> iput(SOCK_INODE(sock)) <== dereference on NULL pointer >> >> This patch just removes zeroing of socket's file from __tun_detach(). >> sock_release() will do this. >> >> Cc: stable@vger.kernel.org >> Reported-by: Ruan Zhijie <ruanzhijie@hotmail.com> >> Tested-by: Ruan Zhijie <ruanzhijie@hotmail.com> >> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> >> Acked-by: Eric Dumazet <edumazet@google.com> >> Acked-by: Yuchung Cheng <ycheng@google.com> >> Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com> > > Applied, thanks. > Hi, David. I found out, that this commit: b09e786bd1dd66418b69348cb110f3a64764626a was previous attempt to fix the problem. I believe this commit have to be dropped.
On Tue, Aug 21, 2012 at 12:04 PM, Stanislav Kinsbursky <skinsbursky@parallels.com> wrote: > 10.08.2012 03:16, David Miller пишет: > >> From: Stanislav Kinsbursky <skinsbursky@parallels.com> >> Date: Thu, 09 Aug 2012 16:50:40 +0400 >> >>> This is a fix for bug, introduced in 3.4 kernel by commit >>> 1ab5ecb90cb6a3df1476e052f76a6e8f6511cb3d, which, among other things, >>> replaced >>> simple sock_put() by sk_release_kernel(). Below is sequence, which leads >>> to >>> oops for non-persistent devices: >>> >>> tun_chr_close() >>> tun_detach() <== tun->socket.file = NULL >>> tun_free_netdev() >>> sk_release_sock() >>> sock_release(sock->file == NULL) >>> iput(SOCK_INODE(sock)) <== dereference on NULL pointer >>> >>> This patch just removes zeroing of socket's file from __tun_detach(). >>> sock_release() will do this. >>> >>> Cc: stable@vger.kernel.org >>> Reported-by: Ruan Zhijie <ruanzhijie@hotmail.com> >>> Tested-by: Ruan Zhijie <ruanzhijie@hotmail.com> >>> Acked-by: Al Viro <viro@ZenIV.linux.org.uk> >>> Acked-by: Eric Dumazet <edumazet@google.com> >>> Acked-by: Yuchung Cheng <ycheng@google.com> >>> Signed-off-by: Stanislav Kinsbursky <skinsbursky@parallels.com> >> >> >> Applied, thanks. >> > > Hi, David. > I found out, that this commit: b09e786bd1dd66418b69348cb110f3a64764626a > was previous attempt to fix the problem. > I believe this commit have to be dropped. Have you tried testing with that commit reverted? AFAICT from reading the code, if you revert b09e786bd1dd66418b69348cb110f3a64764626a then the sockets_in_use count becomes incorrect, because sock_release() will be calling this_cpu_sub() for each tun socket teardown when there was no corresponding this_cpu_add() for the tun socket (because the tun socket is not allocated with sock_alloc()). Can you sketch in more detail why that commit should be dropped? neal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 987aeef..c1639f3 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -185,7 +185,6 @@ static void __tun_detach(struct tun_struct *tun) netif_tx_lock_bh(tun->dev); netif_carrier_off(tun->dev); tun->tfile = NULL; - tun->socket.file = NULL; netif_tx_unlock_bh(tun->dev); /* Drop read queue */