netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Re: data-race in __tcp_alloc_md5sig_pool / tcp_alloc_md5sig_pool
       [not found] <CAEHB24_nMMdHw1tQ0Jb0rhOLXgi6X=_Ou6r8BcbV3r-6HeueEA@mail.gmail.com>
@ 2022-08-19 21:23 ` Eric Dumazet
  2022-08-22 20:53   ` Gabriel Ryan
  0 siblings, 1 reply; 2+ messages in thread
From: Eric Dumazet @ 2022-08-19 21:23 UTC (permalink / raw)
  To: abhishek.shah
  Cc: David Miller, David Ahern, Jakub Kicinski, llvm,
	Nathan Chancellor, Nick Desaulniers, netdev, Paolo Abeni,
	Hideaki YOSHIFUJI, Andrii Nakryiko, Alexei Starovoitov, bpf,
	Daniel Borkmann, John Fastabend, Martin KaFai Lau, KP Singh,
	LKML, Song Liu, trix, Yonghong Song, Gabriel Ryan

On Fri, Aug 19, 2022 at 8:40 AM Abhishek Shah
<abhishek.shah@columbia.edu> wrote:
>
> Hi all,
>

Not sure why you included so many people in this report ?

You have not exactly said what could be the issue (other than the raw
kcsan report)

> We found a race involving the tcp_md5sig_pool_populated variable. Upon further investigation, we think that __tcp_alloc_md5sig_pool can be run multiple times before tcp_md5sig_pool_populated is set to true here. However, we are not sure. Please let us know what you think.

I think this is a false positive, because the data race is properly handled
with the help of tcp_md5sig_mutex.

We might silence it, of course, like many other existing data races.



>
> Thanks!
>
>
> --------------------Report--------------
>
> write to 0xffffffff883a2438 of 1 bytes by task 6542 on cpu 0:
>  __tcp_alloc_md5sig_pool+0x239/0x260 net/ipv4/tcp.c:4343
>  tcp_alloc_md5sig_pool+0x58/0xb0 net/ipv4/tcp.c:4352
>  tcp_md5_do_add+0x2c4/0x470 net/ipv4/tcp_ipv4.c:1199
>  tcp_v6_parse_md5_keys+0x473/0x490
>  do_tcp_setsockopt net/ipv4/tcp.c:3614 [inline]
>  tcp_setsockopt+0xda6/0x1be0 net/ipv4/tcp.c:3698
>  sock_common_setsockopt+0x62/0x80 net/core/sock.c:3505
>  __sys_setsockopt+0x2d1/0x450 net/socket.c:2180
>  __do_sys_setsockopt net/socket.c:2191 [inline]
>  __se_sys_setsockopt net/socket.c:2188 [inline]
>  __x64_sys_setsockopt+0x67/0x80 net/socket.c:2188
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> read to 0xffffffff883a2438 of 1 bytes by task 6541 on cpu 1:
>  tcp_alloc_md5sig_pool+0x15/0xb0 net/ipv4/tcp.c:4348
>  tcp_md5_do_add+0x2c4/0x470 net/ipv4/tcp_ipv4.c:1199
>  tcp_v4_parse_md5_keys+0x42f/0x500 net/ipv4/tcp_ipv4.c:1303
>  do_tcp_setsockopt net/ipv4/tcp.c:3614 [inline]
>  tcp_setsockopt+0xda6/0x1be0 net/ipv4/tcp.c:3698
>  sock_common_setsockopt+0x62/0x80 net/core/sock.c:3505
>  __sys_setsockopt+0x2d1/0x450 net/socket.c:2180
>  __do_sys_setsockopt net/socket.c:2191 [inline]
>  __se_sys_setsockopt net/socket.c:2188 [inline]
>  __x64_sys_setsockopt+0x67/0x80 net/socket.c:2188
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 PID: 6541 Comm: syz-executor2-n Not tainted 5.18.0-rc5+ #107
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
>
>
> Reproducing Inputs
>
> Input CPU 0:
> r0 = socket(0xa, 0x1, 0x0)
> setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000000)={@in6={{0xa, 0x0, 0x0, @private0}}, 0x0, 0x0, 0x10, 0x0, "a04979dcb0f6e3666c36f59053376c1d2e245fbad5b4749a8c55dda1bd819ec87afb7f5ac2483f179675d3c23fdba661afcca7cca5661a7b52ac11cc8085800c2c0d8e7de309eb57b89292880a563154"}, 0xd8)
> setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x0, @loopback}}, 0x0, 0x0, 0x28, 0x0, "f386ea32b026420a2c65ea375667090000000000000000a300001e81f9c22181fe9cef51a4070736c7a33d08c1dd5c35eb9b0e6c6aa490d4f1b18f7b09103bf18619b49a9ce10f4bd98e0b00"}, 0xd8)
>
> Input CPU 1:
> r0 = socket$inet_tcp(0x2, 0x1, 0x0)
> setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000080)={@in={{0x2, 0x0, @remote}}, 0x0, 0x0, 0x47, 0x0, "2a34e559cc66f8b453edeb61450c3899cc1d1304f0e5f1758293ddd3597b84447d3056ed871ae397b0fd27a54e4ff8ba83f0cf3e5f323acb74f974c0b87333e0570e9019d8fdcf0bc1044a5e96d68296"}, 0xd8)

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: data-race in __tcp_alloc_md5sig_pool / tcp_alloc_md5sig_pool
  2022-08-19 21:23 ` data-race in __tcp_alloc_md5sig_pool / tcp_alloc_md5sig_pool Eric Dumazet
@ 2022-08-22 20:53   ` Gabriel Ryan
  0 siblings, 0 replies; 2+ messages in thread
From: Gabriel Ryan @ 2022-08-22 20:53 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: abhishek.shah, David Miller, David Ahern, Jakub Kicinski, llvm,
	Nathan Chancellor, Nick Desaulniers, netdev, Paolo Abeni,
	Hideaki YOSHIFUJI, Andrii Nakryiko, Alexei Starovoitov, bpf,
	Daniel Borkmann, John Fastabend, Martin KaFai Lau, KP Singh,
	LKML, Song Liu, trix, Yonghong Song

Hi Eric,

Makes sense, thanks for taking the time to look at our report.

Best,

Gabe



On Fri, Aug 19, 2022 at 5:24 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Fri, Aug 19, 2022 at 8:40 AM Abhishek Shah
> <abhishek.shah@columbia.edu> wrote:
> >
> > Hi all,
> >
>
> Not sure why you included so many people in this report ?
>
> You have not exactly said what could be the issue (other than the raw
> kcsan report)
>
> > We found a race involving the tcp_md5sig_pool_populated variable. Upon further investigation, we think that __tcp_alloc_md5sig_pool can be run multiple times before tcp_md5sig_pool_populated is set to true here. However, we are not sure. Please let us know what you think.
>
> I think this is a false positive, because the data race is properly handled
> with the help of tcp_md5sig_mutex.
>
> We might silence it, of course, like many other existing data races.
>
>
>
> >
> > Thanks!
> >
> >
> > --------------------Report--------------
> >
> > write to 0xffffffff883a2438 of 1 bytes by task 6542 on cpu 0:
> >  __tcp_alloc_md5sig_pool+0x239/0x260 net/ipv4/tcp.c:4343
> >  tcp_alloc_md5sig_pool+0x58/0xb0 net/ipv4/tcp.c:4352
> >  tcp_md5_do_add+0x2c4/0x470 net/ipv4/tcp_ipv4.c:1199
> >  tcp_v6_parse_md5_keys+0x473/0x490
> >  do_tcp_setsockopt net/ipv4/tcp.c:3614 [inline]
> >  tcp_setsockopt+0xda6/0x1be0 net/ipv4/tcp.c:3698
> >  sock_common_setsockopt+0x62/0x80 net/core/sock.c:3505
> >  __sys_setsockopt+0x2d1/0x450 net/socket.c:2180
> >  __do_sys_setsockopt net/socket.c:2191 [inline]
> >  __se_sys_setsockopt net/socket.c:2188 [inline]
> >  __x64_sys_setsockopt+0x67/0x80 net/socket.c:2188
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >
> > read to 0xffffffff883a2438 of 1 bytes by task 6541 on cpu 1:
> >  tcp_alloc_md5sig_pool+0x15/0xb0 net/ipv4/tcp.c:4348
> >  tcp_md5_do_add+0x2c4/0x470 net/ipv4/tcp_ipv4.c:1199
> >  tcp_v4_parse_md5_keys+0x42f/0x500 net/ipv4/tcp_ipv4.c:1303
> >  do_tcp_setsockopt net/ipv4/tcp.c:3614 [inline]
> >  tcp_setsockopt+0xda6/0x1be0 net/ipv4/tcp.c:3698
> >  sock_common_setsockopt+0x62/0x80 net/core/sock.c:3505
> >  __sys_setsockopt+0x2d1/0x450 net/socket.c:2180
> >  __do_sys_setsockopt net/socket.c:2191 [inline]
> >  __se_sys_setsockopt net/socket.c:2188 [inline]
> >  __x64_sys_setsockopt+0x67/0x80 net/socket.c:2188
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x44/0xae
> >
> > Reported by Kernel Concurrency Sanitizer on:
> > CPU: 1 PID: 6541 Comm: syz-executor2-n Not tainted 5.18.0-rc5+ #107
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> >
> >
> > Reproducing Inputs
> >
> > Input CPU 0:
> > r0 = socket(0xa, 0x1, 0x0)
> > setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000000)={@in6={{0xa, 0x0, 0x0, @private0}}, 0x0, 0x0, 0x10, 0x0, "a04979dcb0f6e3666c36f59053376c1d2e245fbad5b4749a8c55dda1bd819ec87afb7f5ac2483f179675d3c23fdba661afcca7cca5661a7b52ac11cc8085800c2c0d8e7de309eb57b89292880a563154"}, 0xd8)
> > setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000100)={@in6={{0xa, 0x0, 0x0, @loopback}}, 0x0, 0x0, 0x28, 0x0, "f386ea32b026420a2c65ea375667090000000000000000a300001e81f9c22181fe9cef51a4070736c7a33d08c1dd5c35eb9b0e6c6aa490d4f1b18f7b09103bf18619b49a9ce10f4bd98e0b00"}, 0xd8)
> >
> > Input CPU 1:
> > r0 = socket$inet_tcp(0x2, 0x1, 0x0)
> > setsockopt$inet_tcp_TCP_MD5SIG(r0, 0x6, 0xe, &(0x7f0000000080)={@in={{0x2, 0x0, @remote}}, 0x0, 0x0, 0x47, 0x0, "2a34e559cc66f8b453edeb61450c3899cc1d1304f0e5f1758293ddd3597b84447d3056ed871ae397b0fd27a54e4ff8ba83f0cf3e5f323acb74f974c0b87333e0570e9019d8fdcf0bc1044a5e96d68296"}, 0xd8)

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-08-22 20:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CAEHB24_nMMdHw1tQ0Jb0rhOLXgi6X=_Ou6r8BcbV3r-6HeueEA@mail.gmail.com>
2022-08-19 21:23 ` data-race in __tcp_alloc_md5sig_pool / tcp_alloc_md5sig_pool Eric Dumazet
2022-08-22 20:53   ` Gabriel Ryan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).