Re: [PATCH] um: vector: avoid NULL queue dereference in legacy RX mode

Next message: Nicolai Buchwitz: "Re: [PATCH net-next v7 1/3] net: dsa: microchip: implement KSZ87xx Module 3 low-loss cable errata"
Previous message: Dmitry Baryshkov: "[PATCH v3 1/3] drm/bridge: split hpd_mutex into two mutexes"
In reply to: Henry Barreto: "[PATCH] um: vector: avoid NULL queue dereference in legacy RX mode"
Next in thread: Anton Ivanov: "Re: [PATCH] um: vector: avoid NULL queue dereference in legacy RX mode"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Johannes Berg

Date: Thu May 28 2026 - 03:18:36 EST

On Wed, 2026-05-27 at 18:35 -0300, Henry Barreto wrote:
> From: Henry Barreto <me@xxxxxxxxxxxxxxxx>
>
> Bringing a UML vector netdev up can panic in vector_net_open() with a
> fault in _raw_spin_lock().
>
> vector_net_open() calls vector_reset_stats(), which takes the RX and TX
> queue locks. However, queue allocation depends on runtime transport
> options. With tap transport, vector RX/TX queues are not created and the
> legacy header buffers are used instead. Taking a queue lock then
> dereferences a NULL queue pointer.
>
> Take the queue locks in vector_reset_stats() only when the corresponding
> queue exists. Also move the RX queue lock in vector_poll() into the
> VECTOR_RX path, so legacy RX does not touch rx_queue.
>
> Fixes: 612a8c8e0b43 ("um: vector: Replace locks guarding queue depth with atomics")

So ... you're effectively saying that the tap transport has been broken
since 6.12, released ~1.5 years ago.

Maybe we should just remove that entirely since nobody complained?

johannes