From: odedkatz <katz.oded@gmail.com>
To: wireguard@lists.zx2c4.com
Cc: odedk@twingate.com, odedkatz <katz.oded@gmail.com>
Subject: [PATCH 1/1] in order to prevent buffer overrun (which was observed while sending multiple high throughput UDP streams from different threads) I move the driver spinlock to protect Ring buffer Head.
Date: Thu, 19 Feb 2026 11:32:55 -0800
Message-ID: <20260219193255.14334-2-katz.oded@gmail.com>
In-Reply-To: <20260219193255.14334-1-katz.oded@gmail.com>

    I observed that the Ring->Head was taken and manipulated later on with just a `ReadULongAcquire` which isn't OK when 2 are trying to manipulate it later on based on the same received value.
---
 driver/wintun.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/driver/wintun.c b/driver/wintun.c
index d1f3b9f..65cd97e 100644
--- a/driver/wintun.c
+++ b/driver/wintun.c
@@ -284,13 +284,14 @@ TunSendNetBufferLists(
     TUN_RING *Ring = Ctx->Device.Send.Ring;
     ULONG RingCapacity = Ctx->Device.Send.Capacity;
 
+    KLOCK_QUEUE_HANDLE LockHandle;
+    KeAcquireInStackQueuedSpinLock(&Ctx->Device.Send.Lock, &LockHandle);
     /* Allocate space for packets in the ring. */
     ULONG RingHead = ReadULongAcquire(&Ring->Head);
-    if (Status = NDIS_STATUS_ADAPTER_NOT_READY, RingHead >= RingCapacity)
+    if (Status = NDIS_STATUS_ADAPTER_NOT_READY, RingHead >= RingCapacity) {
+        KeReleaseInStackQueuedSpinLock(&LockHandle);
         goto skipNbl;
-
-    KLOCK_QUEUE_HANDLE LockHandle;
-    KeAcquireInStackQueuedSpinLock(&Ctx->Device.Send.Lock, &LockHandle);
+    }
 
     ULONG RingTail = Ctx->Device.Send.RingTail;
     ASSERT(RingTail < RingCapacity);
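
Review bot: In TunSendNetBufferLists the only access to Ring->Head inside the widened Send.Lock section is a read, `ULONG RingHead = ReadULongAcquire(&Ring->Head);`, and nothing in this hunk writes Head, so taking the lock earlier only helps if whatever advances the send ring's Head also takes Ctx->Device.Send.Lock. Please state in the commit message which writer this serializes against and which value the two threads derived from the same Head; if that writer does not take this lock, the overrun needs a different fix. The early exit does release before `goto skipNbl`, but please confirm no other jump to skipNbl happens with the lock held. Style: the context lines of the second hunk put `{` on its own line, so the new `if (...) {` should match.
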
@@ -419,8 +420,8 @@ TunReturnNetBufferLists(NDIS_HANDLE MiniportAdapterContext, PNET_BUFFER_LIST Net
             Ctx->Device.Receive.ActiveNbls.Head = NET_BUFFER_LIST_NEXT_NBL_EX(CompletedNbl);
             if (!Ctx->Device.Receive.ActiveNbls.Head)
                 KeSetEvent(&Ctx->Device.Receive.ActiveNbls.Empty, IO_NO_INCREMENT, FALSE);
-            KeReleaseInStackQueuedSpinLock(&LockHandle);
             WriteULongRelease(&Ring->Head, TunNblGetOffset(CompletedNbl));
+            KeReleaseInStackQueuedSpinLock(&LockHandle);
             const MDL *TargetMdl = Ctx->Device.Receive.Mdl;
             for (MDL *Mdl = NET_BUFFER_FIRST_MDL(NET_BUFFER_LIST_FIRST_NB(CompletedNbl)); Mdl; Mdl = Mdl->Next)
             {
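
Review bot: The commit message only discusses the Head read in the send path and says nothing about this reordering in TunReturnNetBufferLists, where `WriteULongRelease(&Ring->Head, TunNblGetOffset(CompletedNbl));` now runs before `KeReleaseInStackQueuedSpinLock(&LockHandle);`. If the intent is that two callers completing NBLs could otherwise publish their Head offsets in a different order than they advanced ActiveNbls.Head, say so in the message, and consider sending it as a separate patch since it changes a different function from the one the subject describes. The KeSetEvent on ActiveNbls.Empty still precedes the Head store; if a waiter on that event expects the final Head to be published already, the store should move above the event as well.
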
-- 
2.43.0

