This is a note to let you know that I've just added the patch titled

    net: tun: avoid disabling NAPI twice

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-tun-avoid-disabling-napi-twice.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From ff1fa2081d173b01cebe2fbf0a2d0f1cee9ce4b5 Mon Sep 17 00:00:00 2001
From: Jakub Kicinski <kuba@xxxxxxxxxx>
Date: Wed, 29 Jun 2022 11:19:10 -0700
Subject: net: tun: avoid disabling NAPI twice

From: Jakub Kicinski <kuba@xxxxxxxxxx>

commit ff1fa2081d173b01cebe2fbf0a2d0f1cee9ce4b5 upstream.

Eric reports that syzbot made short work out of my speculative
fix. Indeed when queue gets detached its tfile->tun remains,
so we would try to stop NAPI twice with a detach(), close()
sequence.

Alternative fix would be to move tun_napi_disable() to
tun_detach_all() and let the NAPI run after the queue
has been detached.

Fixes: a8fc8cb5692a ("net: tun: stop NAPI when detaching queues")
Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
Reported-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20220629181911.372047-1-kuba@xxxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 drivers/net/tun.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/tun.c +++ b/drivers/net/tun.c 
@@ -696,7 +696,8 @@ static void __tun_detach(struct tun_file tun = rtnl_dereference(tfile->tun); if (tun && clean) { - tun_napi_disable(tfile); + if (!tfile->detached) + tun_napi_disable(tfile); tun_napi_del(tfile); } Patches currently in stable-queue which might be from kuba@xxxxxxxxxx are queue-5.4/nfc-nfcmrvl-fix-irq_of_parse_and_map-return-value.patch queue-5.4/selftests-net-pass-ipv6_args-to-udpgso_bench-s-ipv6-tcp-test.patch queue-5.4/ipv6-take-care-of-disable_policy-when-restoring-routes.patch queue-5.4/net-tun-unlink-napi-from-device-on-destruction.patch queue-5.4/net-tun-avoid-disabling-napi-twice.patch queue-5.4/usbnet-fix-memory-allocation-in-helpers.patch queue-5.4/net-ipv6-unexport-__init-annotated-seg6_hmac_net_init.patch queue-5.4/net-tun-stop-napi-when-detaching-queues.patch queue-5.4/net-bonding-fix-use-after-free-after-802.3ad-slave-unbind.patch queue-5.4/net-sched-act_api-notify-user-space-if-any-actions-were-flushed-before-error.patch
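
Review bot: the new `if (!tfile->detached)` guard in __tun_detach() has no comment explaining why a detached queue must skip tun_napi_disable(); the reason lives only in the commit message (tfile->tun remains set after a detach, so a detach(), close() sequence would disable NAPI twice). A one-line comment above the check would keep that invariant visible to the next person touching this branch. Also note that `tun_napi_del(tfile);` still runs unconditionally, so the fix is correct only if tfile->detached is set exactly when the earlier detach already disabled NAPI. The code that sets tfile->detached is not in this hunk, so that pairing should be confirmed against the detach path introduced by a8fc8cb5692a as it was backported to 5.4.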