Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

net: tun: stop NAPI when detaching queues

While looking at a syzbot report I noticed the NAPI only gets
disabled before it's deleted. I think that user can detach
the queue before destroying the device and the NAPI will never
be stopped.

Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver")
Acked-by: Petar Penkov <ppenkov@aviatrix.com>
Link: https://lore.kernel.org/r/20220623042105.2274812-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+10 -1
drivers/net/tun.c
··· 273 273 } 274 274 } 275 275 276 + static void tun_napi_enable(struct tun_file *tfile) 277 + { 278 + if (tfile->napi_enabled) 279 + napi_enable(&tfile->napi); 280 + } 281 + 276 282 static void tun_napi_disable(struct tun_file *tfile) 277 283 { 278 284 if (tfile->napi_enabled) ··· 659 653 if (clean) { 660 654 RCU_INIT_POINTER(tfile->tun, NULL); 661 655 sock_put(&tfile->sk); 662 - } else 656 + } else { 663 657 tun_disable_queue(tun, tfile); 658 + tun_napi_disable(tfile); 659 + } 664 660 665 661 synchronize_net(); 666 662 tun_flow_delete_by_queue(tun, tun->numqueues + 1); ··· 816 808 817 809 if (tfile->detached) { 818 810 tun_enable_queue(tfile); 811 + tun_napi_enable(tfile); 819 812 } else { 820 813 sock_hold(&tfile->sk); 821 814 tun_napi_init(tun, tfile, napi, napi_frags);
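Review bot: tun_napi_enable() in the first hunk carries no comment stating its pairing requirement. It guards only on tfile->napi_enabled, so nothing in the helper stops it being called on a NAPI that is already enabled. A one-line comment saying it may only follow tun_napi_disable() on the same tfile (the detach then re-attach path) would put that contract next to the existing tun_napi_disable().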
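Review bot: In the second hunk, the non-clean branch now calls tun_napi_disable(tfile) after tun_disable_queue(tun, tfile), which leaves a detached queue with its NAPI already disabled, while the commit message says the NAPI is also disabled before it is deleted. If that teardown path later runs on a queue that was detached here, napi_disable() is called a second time on the same NAPI, and napi_disable() on an already-disabled NAPI blocks. Please check the destroy path for detached queues and skip the second disable there, for example by keying it on tfile->detached.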
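Review bot: In the third hunk, the tfile->detached branch calls tun_enable_queue(tfile) and then tun_napi_enable(tfile), the same order as the detach side (tun_disable_queue() then tun_napi_disable()) rather than its mirror. Consider enabling the NAPI before the queue is made active again, so the queue is never live with a stopped NAPI, or add a comment explaining why this order is safe.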