From: Stanislav Fomichev <s...@google.com> Date: Mon, 7 Jan 2019 13:38:38 -0800
> BUG: unable to handle kernel NULL pointer dereference at 00000000000000d1
> Call Trace:
> ...
>
> I think there is a subtle race between sending a packet via tap and
> attaching it:
>
> CPU0:                  CPU1:
> tun_chr_ioctl(TUNSETIFF)
> ...
>
> Move rcu_assign_pointer(tfile->tun) and rcu_assign_pointer(tun->tfiles) to
> be the last thing we do in tun_attach(); this should guarantee that when we
> call tun_get() we always get an initialized object.
>
> v2 changes:
> * remove extra napi_mutex locks/unlocks for napi operations
>
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
> Signed-off-by: Stanislav Fomichev <s...@google.com>

Applied and queued up for -stable.

Please, the next time you submit a patch series, provide a proper
header posting.

Thank you.
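The publish-after-initialization ordering the commit message describes, as an added userspace model that is not code from the tun driver or from this thread. It stands in C11 release/acquire atomics for rcu_assign_pointer()/rcu_dereference(), keeps only the two pointers the race involves (tfile->tun and tun->tfiles[]), and uses a hypothetical race_hook callback to run the "CPU1" transmit path deterministically in the window between attach's initialization steps. The names xmit(), attach(), publish(), deref() and the exact order of the two stores in the fixed path are assumptions of this model, not the kernel's; the point it demonstrates is that a reader which reaches the object through a pointer published too early can see a NULL queue slot, whereas a reader that reaches it only through a pointer published last either sees nothing (and drops) or sees a fully initialized object.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_QUEUES 4

struct tun_file;

/* Minimal stand-ins for the kernel's tun_struct / tun_file (assumption: only
 * the two RCU-published pointers matter for this race). */
struct tun_struct {
    _Atomic(struct tun_file *) tfiles[MAX_QUEUES];
    int numqueues;
};

struct tun_file {
    _Atomic(struct tun_struct *) tun;
    int queue_index;
};

/* Model of rcu_assign_pointer()/rcu_dereference(): a release store pairs with
 * an acquire load so a reader that sees the pointer also sees the writes
 * that preceded the publish. */
#define publish(p, v) atomic_store_explicit(&(p), (v), memory_order_release)
#define deref(p)      atomic_load_explicit(&(p), memory_order_acquire)

enum xmit_result {
    XMIT_DROPPED_DETACHED, /* tfile->tun was NULL: file not attached, packet dropped safely */
    XMIT_OK,               /* both pointers valid */
    XMIT_NULL_TFILE        /* tun visible but tun->tfiles[txq] still NULL: the kernel crash case */
};

/* Model of the transmit path: reach the device via the file, then the queue via the device. */
enum xmit_result xmit(struct tun_file *tfile, int txq)
{
    struct tun_struct *tun = deref(tfile->tun);
    if (!tun)
        return XMIT_DROPPED_DETACHED;
    struct tun_file *q = deref(tun->tfiles[txq]);
    if (!q)
        return XMIT_NULL_TFILE; /* real code would dereference q here */
    return XMIT_OK;
}

/* Hypothetical test seam: runs "CPU1" in the middle of attach. */
typedef enum xmit_result (*race_hook)(struct tun_file *tfile, int txq);

/* Model of tun_attach(). publish_last=false models the pre-fix ordering, where
 * tfile->tun is published before the queue slot exists; publish_last=true models
 * the fix, where both publishes are the last thing done. Returns what the
 * racing transmit observed. */
enum xmit_result attach(struct tun_struct *tun, struct tun_file *tfile,
                        bool publish_last, race_hook hook)
{
    enum xmit_result seen = XMIT_OK;

    tfile->queue_index = tun->numqueues;
    if (!publish_last)
        publish(tfile->tun, tun);          /* bug: visible while half-initialized */

    if (hook)
        seen = hook(tfile, tfile->queue_index); /* CPU1 transmits in the window */

    publish(tun->tfiles[tfile->queue_index], tfile);
    if (publish_last)
        publish(tfile->tun, tun);          /* fix: nothing reaches tun before this */
    tun->numqueues++;
    return seen;
}

int main(void)
{
    struct tun_struct tun_bug = {0}, tun_fix = {0};
    struct tun_file   tf_bug = {0},  tf_fix = {0};

    printf("pre-fix ordering, racing xmit saw: %d (2 = NULL tfile)\n",
           attach(&tun_bug, &tf_bug, false, xmit));
    printf("fixed ordering,   racing xmit saw: %d (0 = dropped, detached)\n",
           attach(&tun_fix, &tf_fix, true, xmit));
    printf("after attach, xmit: %d (1 = ok)\n", xmit(&tf_fix, 0));
    return 0;
}
```

The model only reproduces the ordering bug, not the memory-reclamation side of RCU; in the kernel the publish must also come after every other field tun_net_xmit() may touch, which is why the commit moves both assignments to the end of tun_attach() rather than just swapping them.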