4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
[ Upstream commit 4477138fa0ae4e1b699786ef0600863ea6e6c61c ]
Same reasons than the ones explained in commit 4179cb5a4c92 ("vxlan: test dev->flags & IFF_UP before calling netif_rx()")
netif_rx_ni() or napi_gro_frags() must be called under a strict contract.
At device dismantle phase, core networking clears IFF_UP and flush_all_backlogs() is called after rcu grace period to make sure no incoming packet might be in a cpu backlog and still referencing the device.
A similar protocol is used for gro layer.
Most drivers call netif_rx() from their interrupt handler, and since the interrupts are disabled at device dismantle, netif_rx() does not have to check dev->flags & IFF_UP
Virtual drivers do not have this guarantee, and must therefore make the check themselves.
Fixes: 1bd4978a88ac ("tun: honor IFF_UP in tun_get_user()") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzbot syzkaller@googlegroups.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/tun.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
--- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -1718,9 +1718,6 @@ static ssize_t tun_get_user(struct tun_s int skb_xdp = 1; bool frags = tun_napi_frags_enabled(tfile);
- if (!(tun->dev->flags & IFF_UP)) - return -EIO; - if (!(tun->flags & IFF_NO_PI)) { if (len < sizeof(pi)) return -EINVAL; @@ -1822,6 +1819,8 @@ static ssize_t tun_get_user(struct tun_s err = skb_copy_datagram_from_iter(skb, 0, from, len);
if (err) { + err = -EFAULT; +drop: this_cpu_inc(tun->pcpu_stats->rx_dropped); kfree_skb(skb); if (frags) { @@ -1829,7 +1828,7 @@ static ssize_t tun_get_user(struct tun_s mutex_unlock(&tfile->napi_mutex); }
- return -EFAULT; + return err; } }
@@ -1913,6 +1912,12 @@ static ssize_t tun_get_user(struct tun_s !tfile->detached) rxhash = __skb_get_hash_symmetric(skb);
+ rcu_read_lock(); + if (unlikely(!(tun->dev->flags & IFF_UP))) { + err = -EIO; + goto drop; + } + if (frags) { /* Exercise flow dissector code path. */ u32 headlen = eth_get_headlen(skb->data, skb_headlen(skb)); @@ -1920,6 +1925,7 @@ static ssize_t tun_get_user(struct tun_s if (unlikely(headlen > skb_headlen(skb))) { this_cpu_inc(tun->pcpu_stats->rx_dropped); napi_free_frags(&tfile->napi); + rcu_read_unlock(); mutex_unlock(&tfile->napi_mutex); WARN_ON(1); return -ENOMEM; @@ -1947,6 +1953,7 @@ static ssize_t tun_get_user(struct tun_s } else { netif_rx_ni(skb); } + rcu_read_unlock();
stats = get_cpu_ptr(tun->pcpu_stats); u64_stats_update_begin(&stats->syncp);