Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4037774ybl; Mon, 3 Feb 2020 11:18:31 -0800 (PST) X-Google-Smtp-Source: APXvYqwcvCJ8fEaa3FoWemnj7kZ6EZM0DKW6VO5EuUSrnB2BnoXVwSQbWZmcNKzEucwhV92jjzVy X-Received: by 2002:aca:ebc3:: with SMTP id j186mr382766oih.15.1580757511584; Mon, 03 Feb 2020 11:18:31 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580757511; cv=none; d=google.com; s=arc-20160816; b=xOQscEPGUnqinwwm9ZaXTrzZeZTOYuatP7TwbKRh8ZMZEfCL/uqGg8cN4w2uCRutW8 PT65xrCjTlWjAdpUJXbeRY1HCnd9Q2mNy0/9TVphH4S7UcdlNDECJvqXZKEy6ckcEUAQ CKrkTeUMpVbZrKYlngHIvd1cAQWvosIr37hYRTomG779AV6ViCF9yf4VxBpZOwvCQ5Wa Br4+dxj41nwZTXtaP3xYrVp+CEVhtXIUOzRb81vKGESJhgZnYTgJFMSQdtk3jJTwD1LM 5fYh1FJpoDqZQ1hyjmb/nagpDlWoL27Tj20lo+zZ8u4Tp8v7kTioZ7eBIkk1EoWRNjbt 2VYQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=VwnXekGQXSa7uk8525c/XCF18A7jAwffbm1SfA/XcX4=; b=KnZmkpZOmoZzCgxozuWfAJq3tbVYs7az/YQK6CzAy0G5Bu/K+tGtUCGiSli1ydqIQJ pebBiCaQlvePfb/GuXlwKM/Ua245xxN+6NO/CibZjwtEG10VrumGjKC5XQl6werLMwsc yn0LgO67+T/tzsUSGulsDvBFdoJmjKXAKKyJM98cm31liA+iZN8rESinqisarb97+46+ Bcfh+6ywgIGfzX9iPpOU0tvv03IxgLFdFDjZLHLmoXfxLdjcVRauSUznquZ/m3tayeGE 0ZD/rwFjX6p9zqrCWpzuEY7GXor5tWpXqi0Gg227p8r3aLDxz9bugSXT2Q3IQC2PQWtG s1VA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=ZhvyRhZd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y19si3889275oto.102.2020.02.03.11.18.19; Mon, 03 Feb 2020 11:18:31 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@lca.pw header.s=google header.b=ZhvyRhZd; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726653AbgBCTCT (ORCPT + 99 others); Mon, 3 Feb 2020 14:02:19 -0500 Received: from mail-qt1-f193.google.com ([209.85.160.193]:45566 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725372AbgBCS4s (ORCPT ); Mon, 3 Feb 2020 13:56:48 -0500 Received: by mail-qt1-f193.google.com with SMTP id d9so12250947qte.12 for ; Mon, 03 Feb 2020 10:56:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lca.pw; s=google; h=from:to:cc:subject:date:message-id; bh=VwnXekGQXSa7uk8525c/XCF18A7jAwffbm1SfA/XcX4=; b=ZhvyRhZdwPSk7E9iCxSIx3EugvYG564eEnnAlJ/ouVluCpK2VPQykwpEsqeRNgUitR W/BuFusZ27zSDBT+/jYTFFymspJ3dERHirQZvBgZVrPNxvcQm66owTyXKCVV1yAM+Sxc Bc3MKo0HUrcNJ72m8XBBipQotrgt+vwcAEYdeU7BYEaU8lMCQPv6JYIiTQF4Soit1oRW lqzcMVDoNq4Du3f4O9oS0xAciHWKOnCi07fTyMVmG8psBJbz6t/3KtdULlIkacbymLvz b9KRuLJfKpSWd+C74YlFiOGFUD9mabLukExPKGdNs58NJOCldOOgwEQ5mRN7wA9RbOl/ ettg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=VwnXekGQXSa7uk8525c/XCF18A7jAwffbm1SfA/XcX4=; b=CqKCMMX268XphVojm/olFtbY3KakUnY5mh661hOBu7XExlsTJbMtawfH2ZOnlVMVoH 8w0OYaf9AAAssAr3ily5nR+iwit2U4G9d6lcbEr2S+rtFiDF+0qyvhAdJnjnJKDxRckp WeLlgZQ8yoUKk3CVsyeuDOzVNbtDZWFX0tJeFrBdPu9vtNLjji1jhliQuNM+2esu0XaX cWYtRswg/tzBvrllsXaLPmLEmzkavpzBhCGGgQBbLTgpYsGW91V0yL94o19EP3zJ52I4 MMS/Zpse7qZOoSjXM1AccoFrDbEH/6stNASCaWlxWOgh6PJ0R21OLWXXr9LADmg8USnV zmSg== X-Gm-Message-State: APjAAAU8xFg7CGMIi0S54a+l9vwEKsrvjeS5Ju8BWSOuVNCbU9O4F6KW tQIhrHtoUeIMhmfxgOQlyZPvPA== X-Received: by 2002:ac8:4b6f:: with SMTP id g15mr24999365qts.196.1580756205793; Mon, 03 Feb 2020 10:56:45 -0800 (PST) Received: from qcai.nay.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id v18sm9694220qkg.67.2020.02.03.10.56.42 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Feb 2020 10:56:44 -0800 (PST) From: Qian Cai To: davem@davemloft.net Cc: kuba@kernel.org, elver@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Qian Cai Subject: [PATCH] skbuff: fix a data race in skb_queue_len() Date: Mon, 3 Feb 2020 13:56:30 -0500 Message-Id: <1580756190-3541-1-git-send-email-cai@lca.pw> X-Mailer: git-send-email 1.8.3.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org sk_buff.qlen can be accessed concurrently as noticed by KCSAN, BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96: unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821 net/unix/af_unix.c:1761 ____sys_sendmsg+0x33e/0x370 ___sys_sendmsg+0xa6/0xf0 __sys_sendmsg+0x69/0xf0 __x64_sys_sendmsg+0x51/0x70 do_syscall_64+0x91/0xb47 entry_SYSCALL_64_after_hwframe+0x49/0xbe write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99: __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029 __skb_try_recv_datagram+0xbe/0x220 unix_dgram_recvmsg+0xee/0x850 ____sys_recvmsg+0x1fb/0x210 ___sys_recvmsg+0xa2/0xf0 __sys_recvmsg+0x66/0xf0 __x64_sys_recvmsg+0x51/0x70 do_syscall_64+0x91/0xb47 entry_SYSCALL_64_after_hwframe+0x49/0xbe Since only the read is operating as lockless, it could introduce a logic bug in unix_recvq_full() due to the load tearing. Fix it by adding a READ_ONCE() there. Signed-off-by: Qian Cai --- include/linux/skbuff.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 3d13a4b717e9..4b5157164f3e 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -1818,7 +1818,7 @@ static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_) */ static inline __u32 skb_queue_len(const struct sk_buff_head *list_) { - return list_->qlen; + return READ_ONCE(list_->qlen); } /** -- 1.8.3.1