From: Yunsheng Lin <linyunsh...@huawei.com>
Date: Tue, 8 Sep 2020 19:02:34 +0800

> Currently there is concurrent reset and enqueue operation for the
> same lockless qdisc when there is no lock to synchronize the
> q->enqueue() in __dev_xmit_skb() with the qdisc reset operation in
> qdisc_deactivate() called by dev_deactivate_queue(), which may cause
> out-of-bounds access for priv->ring[] in hns3 driver if user has
> requested a smaller queue num when __dev_xmit_skb() still enqueue a
> skb with a larger queue_mapping after the corresponding qdisc is
> reset, and call hns3_nic_net_xmit() with that skb later.
>
> Reused the existing synchronize_net() in dev_deactivate_many() to
> make sure skb with larger queue_mapping enqueued to old qdisc(which
> is saved in dev_queue->qdisc_sleeping) will always be reset when
> dev_reset_queue() is called.
>
> Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking")
> Signed-off-by: Yunsheng Lin <linyunsh...@huawei.com>
> ---
> ChangeLog V2:
> Reuse existing synchronize_net().

Applied and queued up for -stable, thank you.