netdev.vger.kernel.org archive mirror
* [PATCH] netlink: fix a data race in netlink_rcv_wake()
@ 2020-08-26 12:01 zhudi
  2020-08-28 13:51 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: zhudi @ 2020-08-26 12:01 UTC
  To: davem, kuba; +Cc: ast, yhs, netdev, zhudi21, rose.chen

The data races were reported by KCSAN:
BUG: KCSAN: data-race in netlink_recvmsg / skb_queue_tail

write (marked) to 0xffff8c0986e5a8c8 of 8 bytes by interrupt on cpu 3:
 skb_queue_tail+0xcc/0x120
 __netlink_sendskb+0x55/0x80
 netlink_broadcast_filtered+0x465/0x7e0
 nlmsg_notify+0x8f/0x120
 rtnl_notify+0x8e/0xb0
 __neigh_notify+0xf2/0x120
 neigh_update+0x927/0xde0
 arp_process+0x8a3/0xf50
 arp_rcv+0x27c/0x3b0
 __netif_receive_skb_core+0x181c/0x1840
 __netif_receive_skb+0x38/0xf0
 netif_receive_skb_internal+0x77/0x1c0
 napi_gro_receive+0x1bd/0x1f0
 e1000_clean_rx_irq+0x538/0xb20 [e1000]
 e1000_clean+0x5e4/0x1340 [e1000]
 net_rx_action+0x310/0x9d0
 __do_softirq+0xe8/0x308
 irq_exit+0x109/0x110
 do_IRQ+0x7f/0xe0
 ret_from_intr+0x0/0x1d
 0xffffffffffffffff

read to 0xffff8c0986e5a8c8 of 8 bytes by task 1463 on cpu 0:
 netlink_recvmsg+0x40b/0x820
 sock_recvmsg+0xc9/0xd0
 ___sys_recvmsg+0x1a4/0x3b0
 __sys_recvmsg+0x86/0x120
 __x64_sys_recvmsg+0x52/0x70
 do_syscall_64+0xb5/0x360
 entry_SYSCALL_64_after_hwframe+0x65/0xca
 0xffffffffffffffff

The write is under sk_receive_queue->lock but the read
is done locklessly, so fix it by using skb_queue_empty_lockless()
instead of skb_queue_empty() for the read in netlink_rcv_wake().

Signed-off-by: zhudi <zhudi21@huawei.com>
---
 net/netlink/af_netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index b5f30d7d30d0..d2d1448274f5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -353,7 +353,7 @@ static void netlink_rcv_wake(struct sock *sk)
 {
 	struct netlink_sock *nlk = nlk_sk(sk);
 
-	if (skb_queue_empty(&sk->sk_receive_queue))
+	if (skb_queue_empty_lockless(&sk->sk_receive_queue))
 		clear_bit(NETLINK_S_CONGESTED, &nlk->state);
 	if (!test_bit(NETLINK_S_CONGESTED, &nlk->state))
 		wake_up_interruptible(&nlk->wait);
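
Review bot: on the changed if line, skb_queue_empty_lockless() only marks the read; the test and the clear_bit(NETLINK_S_CONGESTED, ...) that follows are still not serialized against the skb_queue_tail() writer shown in the KCSAN report, so the queue can become non-empty between the check and the clear. The commit message, or a short comment above the check, should say why acting on a possibly stale result is acceptable here. The report names netlink_recvmsg as the reader while the fix lands in netlink_rcv_wake(); one line explaining how the trace maps to this function would make the changelog match the patch. A Fixes: tag is also missing, which makes it harder to decide how far back this should be backported.
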
-- 
2.23.0



* Re: [PATCH] netlink: fix a data race in netlink_rcv_wake()
  2020-08-26 12:01 [PATCH] netlink: fix a data race in netlink_rcv_wake() zhudi
@ 2020-08-28 13:51 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2020-08-28 13:51 UTC
  To: zhudi21; +Cc: kuba, ast, yhs, netdev, rose.chen

From: zhudi <zhudi21@huawei.com>
Date: Wed, 26 Aug 2020 20:01:13 +0800

> The data races were reported by KCSAN:
> BUG: KCSAN: data-race in netlink_recvmsg / skb_queue_tail
 ...
> The write is under sk_receive_queue->lock but the read
> is done locklessly, so fix it by using skb_queue_empty_lockless()
> instead of skb_queue_empty() for the read in netlink_rcv_wake().
> 
> Signed-off-by: zhudi <zhudi21@huawei.com>

Applied, thank you.
