From patchwork Wed Oct 18 19:12:09 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 827785
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1508353929.31614.136.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net-next] net-tun: fix panics at dismantle time
From: Eric Dumazet
To: David Miller
Cc: netdev, Petar Penkov, Mahesh Bandewar
Date: Wed, 18 Oct 2017 12:12:09 -0700
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

syzkaller got crashes at dismantle time [1]

It is not correct to test (tun->flags & IFF_NAPI) in tun_napi_disable()
and tun_napi_del(): Each tun_file can have a different mode, depending on
how they were created.

Similarly I have changed tun_get_user() and tun_poll_controller()
to use the new tfile->napi_enabled boolean.

[ 154.331360] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 154.339220] IP: [] hrtimer_active+0x26/0x60
[ 154.344983] PGD 0
[ 154.347009] Oops: 0000 [#1] SMP
[ 154.350680] gsmi: Log Shutdown Reason 0x03
[ 154.379572] task: ffff994719150dc0 ti: ffff99475c0ae000 task.ti: ffff99475c0ae000
[ 154.387043] RIP: 0010:[] [] hrtimer_active+0x26/0x60
[ 154.395232] RSP: 0018:ffff99475c0afce8 EFLAGS: 00010246
[ 154.400542] RAX: ffff994754850ac0 RBX: ffff994753e65408 RCX: ffff994753e65388
[ 154.407666] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff994753e65408
[ 154.414790] RBP: ffff99475c0afce8 R08: 0000000000000000 R09: 0000000000000000
[ 154.421921] R10: ffff99475f6f5910 R11: 0000000000000001 R12: 0000000000000000
[ 154.429044] R13: ffff99417deab668 R14: ffff99417deaa780 R15: ffff99475f45dde0
[ 154.436174] FS: 0000000000000000(0000) GS:ffff994767a00000(0000) knlGS:0000000000000000
[ 154.444249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 154.449986] CR2: 0000000000000000 CR3: 00000005a8a0e000 CR4: 0000000000022670
[ 154.457110] Stack:
[ 154.459120] ffff99475c0afd28 ffffffff9634d614 1000000000000000 0000000000000000
[ 154.466598] ffffe54240000000 ffff994753e65408 ffff994753e653a8 ffff99417deab668
[ 154.474067] ffff99475c0afd48 ffffffff9634d6fd ffff99474c2be678 ffff994753e65398
[ 154.481537] Call Trace:
[ 154.483985] [] hrtimer_try_to_cancel+0x24/0xf0
[ 154.490074] [] hrtimer_cancel+0x1d/0x30
[ 154.495563] [] napi_disable+0x3c/0x70
[ 154.500875] [] __tun_detach+0xd2/0x360
[ 154.506272] [] tun_chr_close+0x27/0x40
[ 154.511669] [] __fput+0xd6/0x1e0
[ 154.516548] [] ____fput+0xe/0x10
[ 154.521429] []
task_work_run+0x72/0x90 [ 154.526827] [] do_exit+0x317/0xb60 [ 154.531879] [] do_group_exit+0x3f/0xa0 [ 154.537275] [] SyS_exit_group+0x17/0x20 [ 154.542769] [] entry_SYSCALL_64_fastpath+0x12/0x17 Fixes: 943170998b20 ("net-tun: enable NAPI for TUN/TAP driver") Signed-off-by: Eric Dumazet --- drivers/net/tun.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 57e4c31fa84adc4d9af6ab69a87feac23a8b034e..aef6c7f2f429559ba060b30beb9f729bc71a9c5a 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -175,6 +175,7 @@ struct tun_file { unsigned int ifindex; }; struct napi_struct napi; + bool napi_enabled; struct mutex napi_mutex; /* Protects access to the above napi */ struct list_head next; struct tun_struct *detached; @@ -276,6 +277,7 @@ static int tun_napi_poll(struct napi_struct *napi, int budget) static void tun_napi_init(struct tun_struct *tun, struct tun_file *tfile, bool napi_en) { + tfile->napi_enabled = napi_en; if (napi_en) { netif_napi_add(tun->dev, &tfile->napi, tun_napi_poll, NAPI_POLL_WEIGHT); @@ -286,13 +288,13 @@ static void tun_napi_init(struct tun_struct *tun, struct tun_file *tfile, static void tun_napi_disable(struct tun_struct *tun, struct tun_file *tfile) { - if (tun->flags & IFF_NAPI) + if (tfile->napi_enabled) napi_disable(&tfile->napi); } static void tun_napi_del(struct tun_struct *tun, struct tun_file *tfile) { - if (tun->flags & IFF_NAPI) + if (tfile->napi_enabled) netif_napi_del(&tfile->napi); } @@ -1055,7 +1057,8 @@ static void tun_poll_controller(struct net_device *dev) rcu_read_lock(); for (i = 0; i < tun->numqueues; i++) { tfile = rcu_dereference(tun->tfiles[i]); - napi_schedule(&tfile->napi); + if (tfile->napi_enabled) + napi_schedule(&tfile->napi); } rcu_read_unlock(); } 
@@ -1749,7 +1752,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, napi_gro_frags(&tfile->napi); local_bh_enable(); mutex_unlock(&tfile->napi_mutex); - } else if (tun->flags & IFF_NAPI) { + } else if (tfile->napi_enabled) { struct sk_buff_head *queue = &tfile->sk.sk_write_queue; int queue_len;
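Review bot: in the struct tun_file hunk, napi_enabled is inserted between napi and napi_mutex, so the existing comment "Protects access to the above napi" now reads as if the mutex also covers the new flag. The later hunks read tfile->napi_enabled in tun_poll_controller() under rcu_read_lock() only, and in the else-if of tun_get_user() without taking napi_mutex, so the flag is evidently not mutex-protected. Suggest moving the field below napi_mutex, or adding a short comment that it is written in tun_napi_init() and only read afterwards.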
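Review bot: in tun_napi_disable() and tun_napi_del(), the tun argument is no longer used once the test becomes "if (tfile->napi_enabled)". Either drop the parameter from both helpers or keep it deliberately for symmetry with tun_napi_init() and say so in the changelog. Separately, nothing in the visible lines clears napi_enabled after netif_napi_del(); if a tfile can reach tun_napi_del() twice, the flag should be reset there.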
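Review bot: in the tun_poll_controller() hunk, the new test dereferences tfile right after rcu_dereference(tun->tfiles[i]) with no NULL check. The old napi_schedule(&tfile->napi) relied on the same assumption, but since the line is being touched it is worth confirming that every slot below tun->numqueues stays non-NULL for the whole rcu_read_lock() section, or writing the test as "if (tfile && tfile->napi_enabled)".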
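Review bot: in the tun_get_user() hunk only the else-if is converted to tfile->napi_enabled; the branch above it, which ends in napi_gro_frags(&tfile->napi) under napi_mutex, has its condition outside the visible context. If that condition is still derived from tun->flags, it has the same per-file mismatch the commit message describes and can operate on a napi that was never added for this tfile. Please check that branch and convert it here or in a follow-up.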