net: tun: unlink NAPI from device on destruction
authorJakub Kicinski <kuba@kernel.org>
Thu, 23 Jun 2022 04:20:39 +0000 (21:20 -0700)
committerJakub Kicinski <kuba@kernel.org>
Fri, 24 Jun 2022 23:28:08 +0000 (16:28 -0700)
Syzbot found a race between tun file and device destruction.
NAPIs live in struct tun_file which can get destroyed before
the netdev so we have to del them explicitly. The current
code is missing deleting the NAPI if the queue was detached
first.

Fixes: 943170998b20 ("tun: enable NAPI for TUN/TAP driver")
Reported-by: syzbot+b75c138e9286ac742647@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20220623042039.2274708-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/tun.c

index 87a635aac0084a1008276a0bab2f5f794fc04c52..7fd0288c378989dadc5992dafbb6617214116081 100644 (file)
@@ -727,6 +727,7 @@ static void tun_detach_all(struct net_device *dev)
                sock_put(&tfile->sk);
        }
        list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
+               tun_napi_del(tfile);
                tun_enable_queue(tfile);
                tun_queue_purge(tfile);
                xdp_rxq_info_unreg(&tfile->xdp_rxq);