Message ID | 1518819115-13507-1-git-send-email-khoroshilov@ispras.ru |
---|---|
State | Rejected, archived |
Delegated to: | David Miller |
Series | tun: fix mismatch in mutex lock-unlock in tun_get_user() |
On Fri, Feb 16, 2018 at 2:11 PM, Alexey Khoroshilov <khoroshilov@ispras.ru> wrote: > There is a single error path where tfile->napi_mutex is left unlocked. > It can lead to a deadlock. > > Found by Linux Driver Verification project (linuxtesting.org). > > Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> > --- > drivers/net/tun.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/net/tun.c b/drivers/net/tun.c > index 81e6cc951e7f..0072a9832532 100644 > --- a/drivers/net/tun.c > +++ b/drivers/net/tun.c > @@ -1879,6 +1879,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, > default: > this_cpu_inc(tun->pcpu_stats->rx_dropped); > kfree_skb(skb); > + if (frags) { > + tfile->napi.skb = NULL; > + mutex_unlock(&tfile->napi_mutex); > + } > return -EINVAL; I do not believe this can happen for IFF_TUN IFF_NAPI_FRAGS can only be set for IFF_TAP
From: Alexey Khoroshilov <khoroshilov@ispras.ru>
Date: Sat, 17 Feb 2018 01:11:55 +0300

> There is a single error path where tfile->napi_mutex is left unlocked.
> It can lead to a deadlock.
>
> Found by Linux Driver Verification project (linuxtesting.org).
>
> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>

As Eric explained, tun_napi_frags_enabled() (and therefore 'frags') will never be true for TUN devices, which is the type handled by this code path.
diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 81e6cc951e7f..0072a9832532 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1879,6 +1879,10 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, default: this_cpu_inc(tun->pcpu_stats->rx_dropped); kfree_skb(skb); + if (frags) { + tfile->napi.skb = NULL; + mutex_unlock(&tfile->napi_mutex); + } return -EINVAL; } }
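Review bot: the `if (frags)` branch added ahead of `return -EINVAL` in the `default:` case is justified in the commit message only as "can lead to a deadlock", with no statement of which device mode reaches this case with `frags` set. Both replies in the thread say IFF_NAPI_FRAGS can only be set for IFF_TAP while this path handles TUN, which would make the branch unreachable. Either name the reachable configuration in the commit message, or, if the unlock is meant purely as defensive symmetry with the error paths that already unlock, say so in the message and in a comment above the branch so it is not read as a fix for a live deadlock.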
There is a single error path where tfile->napi_mutex is left unlocked.
It can lead to a deadlock.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
 drivers/net/tun.c | 4 ++++
 1 file changed, 4 insertions(+)