tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()

[mirror_ubuntu-bionic-kernel.git] / drivers / net / tun.c
diff --git a/drivers/net/tun.c b/drivers/net/tun.c

index 01c706f8fb74e586c7ac1312216a91e255020585..83d267ded3465b9ce10e0eb2ba1ed9befd0670bd 100644 (file)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -281,8 +281,8 @@ static void tun_napi_init(struct tun_struct *tun, struct tun_file *tfile,
         tfile->napi_enabled = napi_en;
         tfile->napi_frags_enabled = napi_en && napi_frags;
         if (napi_en) {
-               netif_napi_add(tun->dev, &tfile->napi, tun_napi_poll,
-                              NAPI_POLL_WEIGHT);
+               netif_tx_napi_add(tun->dev, &tfile->napi, tun_napi_poll,
+                                 NAPI_POLL_WEIGHT);
                 napi_enable(&tfile->napi);
         }
  }
@@ -716,7 +716,8 @@ static void tun_detach_all(struct net_device *dev)
  }
  
  static int tun_attach(struct tun_struct *tun, struct file *file,
-                     bool skip_filter, bool napi, bool napi_frags)
+                     bool skip_filter, bool napi, bool napi_frags,
+                     bool publish_tun)
  {
         struct tun_file *tfile = file->private_data;
         struct net_device *dev = tun->dev;
@@ -773,7 +774,8 @@ static int tun_attach(struct tun_struct *tun, struct file *file,
          * initialized tfile; otherwise we risk using half-initialized
          * object.
          */
-       rcu_assign_pointer(tfile->tun, tun);
+       if (publish_tun)
+               rcu_assign_pointer(tfile->tun, tun);
         rcu_assign_pointer(tun->tfiles[tun->numqueues], tfile);
         tun->numqueues++;
         tun_set_real_num_queues(tun);
@@ -1252,6 +1254,13 @@ static void tun_net_init(struct net_device *dev)
         dev->max_mtu = MAX_MTU - dev->hard_header_len;
  }
  
+static bool tun_sock_writeable(struct tun_struct *tun, struct tun_file *tfile)
+{
+       struct sock *sk = tfile->socket.sk;
+
+       return (tun->dev->flags & IFF_UP) && sock_writeable(sk);
+}
+
  /* Character device part */
  
  /* Poll */
@@ -1274,10 +1283,14 @@ static unsigned int tun_chr_poll(struct file *file, poll_table *wait)
         if (!skb_array_empty(&tfile->tx_array))
                 mask |= POLLIN | POLLRDNORM;
  
-       if (tun->dev->flags & IFF_UP &&
-           (sock_writeable(sk) ||
-            (!test_and_set_bit(SOCKWQ_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
-             sock_writeable(sk))))
+       /* Make sure SOCKWQ_ASYNC_NOSPACE is set if not writable to
+        * guarantee EPOLLOUT to be raised by either here or
+        * tun_sock_write_space(). Then process could get notification
+        * after it writes to a down device and meets -EIO.
+        */
+       if (tun_sock_writeable(tun, tfile) ||
+           (!test_and_set_bit(SOCKWQ_ASYNC_NOSPACE, &sk->sk_socket->flags) &&
+            tun_sock_writeable(tun, tfile)))
                 mask |= POLLOUT | POLLWRNORM;
  
         if (tun->dev->reg_state != NETREG_REGISTERED)
@@ -1749,6 +1762,10 @@ drop:
                         if (ret != XDP_PASS) {
                                 rcu_read_unlock();
                                 local_bh_enable();
+                               if (frags) {
+                                       tfile->napi.skb = NULL;
+                                       mutex_unlock(&tfile->napi_mutex);
+                               }
                                 return total_len;
                         }
                 }
@@ -2253,7 +2270,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
  
                 err = tun_attach(tun, file, ifr->ifr_flags & IFF_NOFILTER,
                                  ifr->ifr_flags & IFF_NAPI,
-                                ifr->ifr_flags & IFF_NAPI_FRAGS);
+                                ifr->ifr_flags & IFF_NAPI_FRAGS, true);
                 if (err < 0)
                         return err;
  
@@ -2343,13 +2360,17 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
  
                 INIT_LIST_HEAD(&tun->disabled);
                 err = tun_attach(tun, file, false, ifr->ifr_flags & IFF_NAPI,
-                                ifr->ifr_flags & IFF_NAPI_FRAGS);
+                                ifr->ifr_flags & IFF_NAPI_FRAGS, false);
                 if (err < 0)
                         goto err_free_flow;
  
                 err = register_netdevice(tun->dev);
                 if (err < 0)
                         goto err_detach;
+               /* free_netdev() won't check refcnt, to aovid race
+                * with dev_put() we need publish tun after registration.
+                */
+               rcu_assign_pointer(tfile->tun, tun);
         }
  
         netif_carrier_on(tun->dev);
@@ -2496,7 +2517,7 @@ static int tun_set_queue(struct file *file, struct ifreq *ifr)
                 if (ret < 0)
                         goto unlock;
                 ret = tun_attach(tun, file, false, tun->flags & IFF_NAPI,
-                                tun->flags & IFF_NAPI_FRAGS);
+                                tun->flags & IFF_NAPI_FRAGS, true);
         } else if (ifr->ifr_flags & IFF_DETACH_QUEUE) {
                 tun = rtnl_dereference(tfile->tun);
                 if (!tun || !(tun->flags & IFF_MULTI_QUEUE) || tfile->detached)