bpf.vger.kernel.org archive mirror
From: "Jonathan Lemon" <jonathan.lemon@gmail.com>
To: "Björn Töpel" <bjorn.topel@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org,
	"Björn Töpel" <bjorn.topel@intel.com>,
	magnus.karlsson@intel.com, magnus.karlsson@gmail.com,
	bpf@vger.kernel.org,
	syzbot+c82697e3043781e08802@syzkaller.appspotmail.com,
	hdanton@sina.com, i.maximets@samsung.com
Subject: Re: [PATCH bpf-next v3 3/4] xsk: use state member for socket synchronization
Date: Wed, 04 Sep 2019 09:40:40 -0700
Message-ID: <4FF1A5C9-F4DD-4FD8-86E8-DDEA753B7954@gmail.com>
In-Reply-To: <20190904114913.17217-4-bjorn.topel@gmail.com>



On 4 Sep 2019, at 4:49, Björn Töpel wrote:

> From: Björn Töpel <bjorn.topel@intel.com>
>
> Prior to the state variable being introduced by Ilya, the dev member was
> used to determine whether the socket was bound or not. However, when
> dev was read, proper SMP barriers and READ_ONCE were missing. In order
> to address the missing barriers and READ_ONCE, we start using the
> state variable as a point of synchronization. The state member
> read/write is paired with proper SMP barriers, and from this follows
> that the members described above do not need READ_ONCE if used in
> conjunction with state check.
>
> In all syscalls and the xsk_rcv path we check if state is
> XSK_BOUND. If that is the case we do an SMP read barrier, and this
> implies that the dev, umem and all rings are correctly set up. Note
> that no READ_ONCE is needed for these variables if used when state is
> XSK_BOUND (plus the read barrier).
>
> To summarize: The struct xdp_sock members dev, queue_id, umem,
> fq, cq, tx, rx, and state were read lock-less, with incorrect barriers
> and missing {READ, WRITE}_ONCE. Now, umem, fq, cq, tx, rx, and state
> are read lock-less. When these members are updated, WRITE_ONCE is
> used. When read, READ_ONCE is only used when read outside the control
> mutex (e.g. mmap) or when not synchronized with the state member
> (XSK_BOUND plus smp_rmb()).
>
> Note that dev and queue_id do not need a WRITE_ONCE or READ_ONCE, due
> to the introduced state synchronization (XSK_BOUND plus smp_rmb()).
>
> Introducing the state check also fixes a race, found by syzkaller, in
> xsk_poll() where umem could be accessed when stale.
>
> Suggested-by: Hillf Danton <hdanton@sina.com>
> Reported-by: syzbot+c82697e3043781e08802@syzkaller.appspotmail.com
> Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings")
> Signed-off-by: Björn Töpel <bjorn.topel@intel.com>

Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
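
The publish-then-gate ordering the quoted commit message describes, as an added userspace C11 model; this is not code from the patch or from the kernel. All names (model_sock, model_bind, model_is_bound, model_poll, ST_*) are hypothetical, and the C11 fences stand in for smp_wmb()/smp_rmb() as an analogy only.

```c
#include <stdatomic.h>
#include <stddef.h>

/* Hypothetical names; ST_BOUND stands in for XSK_BOUND. */
enum model_state { ST_READY, ST_BOUND, ST_UNBOUND };

struct model_sock {
	int dev, queue_id;   /* plain members, published via state */
	const char *umem;
	_Atomic int state;   /* the single synchronization point */
};

/* Writer (bind path): set up every member, then publish the state. */
void model_bind(struct model_sock *xs, int dev, int queue_id, const char *umem)
{
	xs->dev = dev;
	xs->queue_id = queue_id;
	xs->umem = umem;
	/* Role of smp_wmb(): member stores are ordered before the state store. */
	atomic_thread_fence(memory_order_release);
	/* Role of WRITE_ONCE(state, XSK_BOUND). */
	atomic_store_explicit(&xs->state, ST_BOUND, memory_order_relaxed);
}

/* Gate for every lock-less reader. */
int model_is_bound(struct model_sock *xs)
{
	/* Role of READ_ONCE(state). */
	if (atomic_load_explicit(&xs->state, memory_order_relaxed) != ST_BOUND)
		return 0;
	/* Role of smp_rmb(): member loads below are ordered after the state load. */
	atomic_thread_fence(memory_order_acquire);
	return 1;
}

/* Lock-less reader (poll-like path): plain reads are safe behind the gate. */
int model_poll(struct model_sock *xs, const char **umem_out)
{
	if (!model_is_bound(xs))
		return -1;   /* not bound: never touch dev, queue_id or umem */
	*umem_out = xs->umem;
	return xs->queue_id;
}

int main(void)
{
	struct model_sock xs = { 0 };
	const char *umem = NULL;
	int before = model_poll(&xs, &umem);   /* gate closed */
	model_bind(&xs, 3, 7, "constructed-umem");
	return !(before == -1 && model_poll(&xs, &umem) == 7);
}
```

The model covers the bind direction only; waiting for readers that have already passed the gate before members are torn down is outside it.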

Thread overview: 7+ messages
2019-09-04 11:49 [PATCH bpf-next v3 0/4] xsk: various CPU barrier and {READ, WRITE}_ONCE Björn Töpel
2019-09-04 11:49 ` [PATCH bpf-next v3 1/4] xsk: avoid store-tearing when assigning queues Björn Töpel
2019-09-04 11:49 ` [PATCH bpf-next v3 2/4] xsk: avoid store-tearing when assigning umem Björn Töpel
2019-09-04 11:49 ` [PATCH bpf-next v3 3/4] xsk: use state member for socket synchronization Björn Töpel
2019-09-04 16:40   ` Jonathan Lemon [this message]
2019-09-04 11:49 ` [PATCH bpf-next v3 4/4] xsk: lock the control mutex in sock_diag interface Björn Töpel
2019-09-05 13:14 ` [PATCH bpf-next v3 0/4] xsk: various CPU barrier and {READ, WRITE}_ONCE Daniel Borkmann
