Re: [PATCH] tuntap: fix a possible race between queue selection andchanging queues

From: Michael S. Tsirkin
Date: Wed Jun 05 2013 - 06:33:05 EST


On Wed, Jun 05, 2013 at 04:44:57PM +0800, Jason Wang wrote:
> Complier may generate codes that re-read the tun->numqueues during
> tun_select_queue(). This may be a race if vlan->numqueues were changed in the
> same time and can lead unexpected result (e.g. very huge value).
>
> We need prevent the compiler from generating such codes by adding an
> ACCESS_ONCE() to make sure tun->numqueues were only read once.
>
> Bug were introduced by commit c8d68e6be1c3b242f1c598595830890b65cea64a
> (tuntap: multiqueue support).
>
> Reported-by: Michael S. Tsirkin <mst@xxxxxxxxxx>
> Cc: Michael S. Tsirkin <mst@xxxxxxxxxx>
> Signed-off-by: Jason Wang <jasowang@xxxxxxxxxx>

Acked-by: Michael S. Tsirkin <mst@xxxxxxxxxx>

This is a theoretical problem, right?
So no need for stable.

> ---
> drivers/net/tun.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index f042b03..adfcde7 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -352,7 +352,7 @@ static u16 tun_select_queue(struct net_device *dev, struct sk_buff *skb)
> u32 numqueues = 0;
>
> rcu_read_lock();
> - numqueues = tun->numqueues;
> + numqueues = ACCESS_ONCE(tun->numqueues);
>
> txq = skb_get_rxhash(skb);
> if (txq) {
> --
> 1.7.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/