AuxXxilium/linux_dsm_epyc7002
1
0
Fork 0
mirror of https://github.com/AuxXxilium/linux_dsm_epyc7002.git synced 2025-02-05 03:25:26 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity
0b7959b625
linux_dsm_epyc7002/drivers/net
History
Stanislav Fomichev 0b7959b625 tun: publish tfile after it's fully initialized 
BUG: unable to handle kernel NULL pointer dereference at 00000000000000d1
Call Trace:
 ? napi_gro_frags+0xa7/0x2c0
 tun_get_user+0xb50/0xf20
 tun_chr_write_iter+0x53/0x70
 new_sync_write+0xff/0x160
 vfs_write+0x191/0x1e0
 __x64_sys_write+0x5e/0xd0
 do_syscall_64+0x47/0xf0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

I think there is a subtle race between sending a packet via tap and
attaching it:

CPU0:                    CPU1:
tun_chr_ioctl(TUNSETIFF)
  tun_set_iff
    tun_attach
      rcu_assign_pointer(tfile->tun, tun);
                         tun_fops->write_iter()
                           tun_chr_write_iter
                             tun_napi_alloc_frags
                               napi_get_frags
                                 napi->skb = napi_alloc_skb
      tun_napi_init
        netif_napi_add
          napi->skb = NULL
                              napi->skb is NULL here
                              napi_gro_frags
                                napi_frags_skb
				  skb = napi->skb
				  skb_reset_mac_header(skb)
				  panic()

Move rcu_assign_pointer(tfile->tun) and rcu_assign_pointer(tun->tfiles) to
be the last thing we do in tun_attach(); this should guarantee that when we
call tun_get() we always get an initialized object.

v2 changes:
* remove extra napi_mutex locks/unlocks for napi operations

Reported-by: syzbot <syzkaller@googlegroups.com>
Fixes: 90e33d4594 ("tun: enable napi_gro_frags() for TUN/TAP driver")

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-10 09:24:38 -05:00
..
appletalk drivers/net: appletalk/cops: remove redundant if statement and mask 2018-12-24 14:48:26 -08:00
arcnet
bonding bonding: fix indentation issues, remove extra spaces 2018-12-18 15:01:23 -08:00
caif
can
dsa net: dsa: mt7530: Drop unused GPIO include 2019-01-04 13:07:23 -08:00
ethernet mlxsw: spectrum_switchdev: Set PVID correctly during VLAN deletion 2019-01-08 16:53:54 -05:00
fddi
fjes
hamradio net/hamradio/6pack: use mod_timer() to rearm timers 2019-01-02 10:27:01 -08:00
hippi
hyperv net: dev: Add extack argument to dev_set_mac_address() 2018-12-13 18:41:38 -08:00
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
ipvlan net: ipvlan: Issue NETDEV_PRE_CHANGEADDR 2018-12-13 18:41:38 -08:00
netdevsim drivers: net: netdevsim: use skb_sec_path helper 2018-12-19 11:21:37 -08:00
phy Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00
plip
ppp ppp: Move PFC decompression to PPP generic layer 2018-12-20 16:49:30 -08:00
slip
team net: dev: Add extack argument to dev_set_mac_address() 2018-12-13 18:41:38 -08:00
usb cdc_ether: trivial whitespace readability fix 2019-01-07 11:33:18 -05:00
vmxnet3
wan soc/fsl/qe: fix err handling of ucc_of_parse_tdm 2019-01-04 12:50:43 -08:00
wimax
wireless for-4.21/block-20181221 2018-12-28 13:19:59 -08:00
xen-netback
dummy.c
eql.c
geneve.c
gtp.c
ifb.c
Kconfig
LICENSE.SRC
loopback.c
macsec.c
macvlan.c net: dev: Add extack argument to dev_set_mac_address() 2018-12-13 18:41:38 -08:00
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c tap: call skb_probe_transport_header after setting skb->dev 2019-01-01 12:01:02 -08:00
thunderbolt.c
tun.c tun: publish tfile after it's fully initialized 2019-01-10 09:24:38 -05:00
veth.c
virtio_net.c virtio-net: ethtool configurable LRO 2018-12-20 19:14:15 -08:00
vrf.c
vsockmon.c
vxlan.c vxlan: Correct merge error. 2018-12-20 16:14:22 -08:00
xen-netfront.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-20 11:53:36 -08:00