lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <7b9744b4-42ec-7d0a-20ff-d65f71b16c63@gmail.com>
Date:   Mon, 6 May 2019 20:41:10 -0700
From:   Eric Dumazet <eric.dumazet@...il.com>
To:     Jason Wang <jasowang@...hat.com>, netdev@...r.kernel.org
Cc:     mst@...hat.com, YueHaibing <yuehaibing@...wei.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        "weiyongjun (A)" <weiyongjun1@...wei.com>
Subject: Re: [PATCH net] tuntap: synchronize through tfiles array instead of
 tun->numqueues



On 5/6/19 11:23 PM, Jason Wang wrote:
> When a queue(tfile) is detached through __tun_detach(), we move the
> last enabled tfile to the position where detached one sit but don't
> NULL out last position. We expect to synchronize the datapath through
> tun->numqueues. Unfortunately, this won't work since we're lacking
> sufficient mechanism to order or synchronize the access to
> tun->numqueues.
> 
> To fix this, NULL out the last position during detaching and check
> RCU protected tfile against NULL instead of checking tun->numqueues in
> datapath.
> 
> Cc: YueHaibing <yuehaibing@...wei.com>
> Cc: Cong Wang <xiyou.wangcong@...il.com>
> Cc: weiyongjun (A) <weiyongjun1@...wei.com>
> Fixes: c8d68e6be1c3b ("tuntap: multiqueue support")
> Signed-off-by: Jason Wang <jasowang@...hat.com>
> ---
>  drivers/net/tun.c | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index e9ca1c0..a64c928 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -700,6 +700,8 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
>  				   tun->tfiles[tun->numqueues - 1]);
>  		ntfile = rtnl_dereference(tun->tfiles[index]);
>  		ntfile->queue_index = index;
> +		rcu_assign_pointer(tun->tfiles[tun->numqueues - 1],
> +				   NULL);
>  
>  		--tun->numqueues;
>  		if (clean) {
> @@ -1082,7 +1084,7 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev)
>  	tfile = rcu_dereference(tun->tfiles[txq]);
>  
>  	/* Drop packet if interface is not attached */
> -	if (txq >= tun->numqueues)
> +	if (!tfile)
>  		goto drop;
>  
>  	if (!rcu_dereference(tun->steering_prog))
> @@ -1306,13 +1308,13 @@ static int tun_xdp_xmit(struct net_device *dev, int n,
>  	rcu_read_lock();
>  
>  	numqueues = READ_ONCE(tun->numqueues);
> -	if (!numqueues) {
> -		rcu_read_unlock();
> -		return -ENXIO; /* Caller will free/return all frames */
> -	}
>  

If you remove the test on (!numqueues),
the following might crash with a divide by zero...

>  	tfile = rcu_dereference(tun->tfiles[smp_processor_id() %
>  					    numqueues]);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ