From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason Wang <jasowang@redhat.com>
Subject: Re: [PATCH net] tun: Fix NULL pointer dereference in XDP redirect
Date: Mon, 28 May 2018 10:24:29 +0800
Message-ID: <e7222fda-a845-e1ac-f7c2-9a019951af12@redhat.com>
References: <1527222729-2561-1-git-send-email-makita.toshiaki@lab.ntt.co.jp>
 <491862dc-b6d2-854d-4d5f-8dfe34da882d@redhat.com>
 <863681d4-92cf-1575-a182-b07f22ec578e@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: netdev@vger.kernel.org, "Michael S. Tsirkin" <mst@redhat.com>
To: Toshiaki Makita <toshiaki.makita1@gmail.com>,
        Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>,
        "David S. Miller" <davem@davemloft.net>
Return-path: <netdev-owner@vger.kernel.org>
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:38766 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1752936AbeE1CYh (ORCPT <rfc822;netdev@vger.kernel.org>);
        Sun, 27 May 2018 22:24:37 -0400
In-Reply-To: <863681d4-92cf-1575-a182-b07f22ec578e@gmail.com>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>



On 2018年05月25日 21:43, Toshiaki Makita wrote:

[...]

>>> @@ -1917,16 +1923,22 @@ static ssize_t tun_get_user(struct 
>>> tun_struct *tun, struct tun_file *tfile,
>>>           struct bpf_prog *xdp_prog;
>>>           int ret;
>>> +        local_bh_disable();
>>> +        preempt_disable();
>>>           rcu_read_lock();
>>>           xdp_prog = rcu_dereference(tun->xdp_prog);
>>>           if (xdp_prog) {
>>>               ret = do_xdp_generic(xdp_prog, skb);
>>>               if (ret != XDP_PASS) {
>>>                   rcu_read_unlock();
>>> +                preempt_enable();
>>> +                local_bh_enable();
>>>                   return total_len;
>>>               }
>>>           }
>>>           rcu_read_unlock();
>>> +        preempt_enable();
>>> +        local_bh_enable();
>>>       }
>>>       rcu_read_lock();
>>
>> Good catch, thanks.
>>
>> But I think we can just replace preempt_disable()/enable() with 
>> local_bh_disable()/local_bh_enable() ?
>
> I actually thought the same, but noticed this patch.
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9ea4c380066fbe 
>
>
> It looks like they do not think local_bh_disable() implies 
> preempt_disable(). But I'm not sure why..
>
> Toshiaki Makita 

I see, there're probably have some subtle differences and implications 
for e.g scheduler or others.

What we what here is to make sure the process is not moved to another 
CPU and bh is enabled. By checking preemptible() function, preemption 
should be disabled after local_bh_disable(). So I think we're safe here.

Thanks