Module Name: src Committed By: riastradh Date: Tue Mar 15 00:05:18 UTC 2022
Modified Files: src/sys/net: if_tun.c Log Message: tun(4): Fix bug introduced in previous locking change. Now that tun_lock runs at IPL_NONE, taking it does not have the side effect of disabling preemption, but pktq_enqueue assumes the caller has disabled preemption so it can safely schedule a softint. This isn't a problem in most physical network drivers because the pktq_enqueue call happens from within the driver's softint context anyway. But tun(4) is special -- here, the pktq_enqueue is triggered by a userland write to the device, which is in thread context. So let's just disable preemption in tunwrite. Reported-by: syzbot+21c2cb300f1ec2162...@syzkaller.appspotmail.com To generate a diff of this commit: cvs rdiff -u -r1.171 -r1.172 src/sys/net/if_tun.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_tun.c
diff -u src/sys/net/if_tun.c:1.171 src/sys/net/if_tun.c:1.172
--- src/sys/net/if_tun.c:1.171 Sun Mar 13 21:42:39 2022
+++ src/sys/net/if_tun.c Tue Mar 15 00:05:17 2022
@@ -1,4 +1,4 @@
-/* $NetBSD: if_tun.c,v 1.171 2022/03/13 21:42:39 riastradh Exp $ */
+/* $NetBSD: if_tun.c,v 1.172 2022/03/15 00:05:17 riastradh Exp $ */
 /*
 * Copyright (c) 1988, Julian Onions <j...@cs.nott.ac.uk>
@@ -19,7 +19,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.171 2022/03/13 21:42:39 riastradh Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_tun.c,v 1.172 2022/03/15 00:05:17 riastradh Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -987,6 +987,7 @@ tunwrite(dev_t dev, struct uio *uio, int
 error = ENXIO;
 goto out;
 }
+ kpreempt_disable();
 if (__predict_false(!pktq_enqueue(pktq, top, 0))) {
 if_statinc(ifp, if_collisions);
 mutex_exit(&tp->tun_lock);
@@ -994,6 +995,7 @@ tunwrite(dev_t dev, struct uio *uio, int
 m_freem(top);
 goto out0;
 }
+ kpreempt_enable();
 if_statadd2(ifp, if_ipackets, 1, if_ibytes, tlen);
 out:
 mutex_exit(&tp->tun_lock);
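Review bot: The failure branch of the `pktq_enqueue` check in tunwrite leaves through `goto out0` with no matching `kpreempt_enable()` in the visible lines, so the `kpreempt_disable()` added in the @@ -987 hunk appears unbalanced whenever the enqueue fails; the only enable, added in the @@ -994 hunk, sits after the branch's closing brace. Because this path is reached from a userland write, a full packet queue would let the thread return to user mode with preemption still disabled. Unless the `out0` label re-enables it (the label and one line between the two hunks are outside the diff), the branch should start with `kpreempt_enable();` before `if_statinc(ifp, if_collisions);`. A short comment above the disable, such as `/* pktq_enqueue schedules a softint and needs preemption off; we are in thread context here */`, would also record why tun(4) needs this when the log message says most drivers do not.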