* [PATCH] tuntap: fix a possible race between queue selection and changing queues
@ 2013-06-05 8:44 Jason Wang
2013-06-05 10:33 ` Michael S. Tsirkin
0 siblings, 1 reply; 3+ messages in thread
From: Jason Wang @ 2013-06-05 8:44 UTC (permalink / raw)
To: davem, mst, netdev, linux-kernel; +Cc: Jason Wang
Complier may generate codes that re-read the tun->numqueues during
tun_select_queue(). This may be a race if vlan->numqueues were changed in the
same time and can lead unexpected result (e.g. very huge value).
We need prevent the compiler from generating such codes by adding an
ACCESS_ONCE() to make sure tun->numqueues were only read once.
Bug were introduced by commit c8d68e6be1c3b242f1c598595830890b65cea64a
(tuntap: multiqueue support).
Reported-by: Michael S. Tsirkin <mst@redhat.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
---
drivers/net/tun.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index f042b03..adfcde7 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -352,7 +352,7 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
u32 numqueues = 0;
rcu_read_lock();
- numqueues = tun->numqueues;
+ numqueues = ACCESS_ONCE(tun->numqueues);
txq = skb_get_rxhash(skb);
if (txq) {
--
1.7.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] tuntap: fix a possible race between queue selection and changing queues
2013-06-05 8:44 [PATCH] tuntap: fix a possible race between queue selection and changing queues Jason Wang
@ 2013-06-05 10:33 ` Michael S. Tsirkin
2013-06-10 21:33 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Michael S. Tsirkin @ 2013-06-05 10:33 UTC (permalink / raw)
To: Jason Wang; +Cc: davem, netdev, linux-kernel
On Wed, Jun 05, 2013 at 04:44:57PM +0800, Jason Wang wrote:
> Complier may generate codes that re-read the tun->numqueues during
> tun_select_queue(). This may be a race if vlan->numqueues were changed in the
> same time and can lead unexpected result (e.g. very huge value).
>
> We need prevent the compiler from generating such codes by adding an
> ACCESS_ONCE() to make sure tun->numqueues were only read once.
>
> Bug were introduced by commit c8d68e6be1c3b242f1c598595830890b65cea64a
> (tuntap: multiqueue support).
>
> Reported-by: Michael S. Tsirkin <mst@redhat.com>
> Cc: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
This is a theoretical problem, right?
So no need for stable.
> ---
> drivers/net/tun.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index f042b03..adfcde7 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -352,7 +352,7 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
> u32 numqueues = 0;
>
> rcu_read_lock();
> - numqueues = tun->numqueues;
> + numqueues = ACCESS_ONCE(tun->numqueues);
>
> txq = skb_get_rxhash(skb);
> if (txq) {
> --
> 1.7.1
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] tuntap: fix a possible race between queue selection and changing queues
2013-06-05 10:33 ` Michael S. Tsirkin
@ 2013-06-10 21:33 ` David Miller
0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2013-06-10 21:33 UTC (permalink / raw)
To: mst; +Cc: jasowang, netdev, linux-kernel
From: "Michael S. Tsirkin" <mst@redhat.com>
Date: Wed, 5 Jun 2013 13:33:32 +0300
> On Wed, Jun 05, 2013 at 04:44:57PM +0800, Jason Wang wrote:
>> Complier may generate codes that re-read the tun->numqueues during
>> tun_select_queue(). This may be a race if vlan->numqueues were changed in the
>> same time and can lead unexpected result (e.g. very huge value).
>>
>> We need prevent the compiler from generating such codes by adding an
>> ACCESS_ONCE() to make sure tun->numqueues were only read once.
>>
>> Bug were introduced by commit c8d68e6be1c3b242f1c598595830890b65cea64a
>> (tuntap: multiqueue support).
>>
>> Reported-by: Michael S. Tsirkin <mst@redhat.com>
>> Cc: Michael S. Tsirkin <mst@redhat.com>
>> Signed-off-by: Jason Wang <jasowang@redhat.com>
>
> Acked-by: Michael S. Tsirkin <mst@redhat.com>
>
> This is a theoretical problem, right?
> So no need for stable.
Applied, thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-06-10 21:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-06-05 8:44 [PATCH] tuntap: fix a possible race between queue selection and changing queues Jason Wang
2013-06-05 10:33 ` Michael S. Tsirkin
2013-06-10 21:33 ` David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).