tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

tuntap: correctly wake up process during uninit

We used to check dev->reg_state against NETREG_REGISTERED after each
time we are woke up. But after commit 9e641bdcfa4e ("net-tun:
restructure tun_do_read for better sleep/wakeup efficiency"), it uses
skb_recv_datagram() which does not check dev->reg_state. This will
result if we delete a tun/tap device after a process is blocked in the
reading. The device will wait for the reference count which was held
by that process for ever.

Fixes this by using RCV_SHUTDOWN which will be checked during
sk_recv_datagram() before trying to wake up the process during uninit.

Fixes: 9e641bdcfa4e ("net-tun: restructure tun_do_read for better
sleep/wakeup efficiency")
Cc: Eric Dumazet <edumazet@google.com>
Cc: Xi Wang <xii@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Jason Wang and committed by
David S. Miller addf8fc4 7fd3c56d

+3 -3
+3 -3
drivers/net/tun.c
··· 580 580 for (i = 0; i < n; i++) { 581 581 tfile = rtnl_dereference(tun->tfiles[i]); 582 582 BUG_ON(!tfile); 583 + tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN; 583 584 tfile->socket.sk->sk_data_ready(tfile->socket.sk); 584 585 RCU_INIT_POINTER(tfile->tun, NULL); 585 586 --tun->numqueues; 586 587 } 587 588 list_for_each_entry(tfile, &tun->disabled, next) { 589 + tfile->socket.sk->sk_shutdown = RCV_SHUTDOWN; 588 590 tfile->socket.sk->sk_data_ready(tfile->socket.sk); 589 591 RCU_INIT_POINTER(tfile->tun, NULL); 590 592 } ··· 643 641 goto out; 644 642 } 645 643 tfile->queue_index = tun->numqueues; 644 + tfile->socket.sk->sk_shutdown &= ~RCV_SHUTDOWN; 646 645 rcu_assign_pointer(tfile->tun, tun); 647 646 rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile); 648 647 tun->numqueues++; ··· 1493 1490 1494 1491 if (!iov_iter_count(to)) 1495 1492 return 0; 1496 - 1497 - if (tun->dev->reg_state != NETREG_REGISTERED) 1498 - return -EIO; 1499 1493 1500 1494 /* Read frames from queue */ 1501 1495 skb = __skb_recv_datagram(tfile->socket.sk, noblock ? MSG_DONTWAIT : 0,