Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4057432ybl; Mon, 3 Feb 2020 11:43:13 -0800 (PST) X-Google-Smtp-Source: APXvYqwUA6GnQlFOFowHrABAmti0JrePArOQ6VtJdUlkISoZSaurynGC//nW/BzbiM+PG/yJ6foN X-Received: by 2002:a9d:7999:: with SMTP id h25mr18833648otm.347.1580758993519; Mon, 03 Feb 2020 11:43:13 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580758993; cv=none; d=google.com; s=arc-20160816; b=Mh27C13lEp0mWVPVcl7LizddPOBGB8f8ZBIHxiewirSTj3uGFFRDqfyer3POD7pa+i 5UHGyr2PZlEKXjYy/PaUanSOSU4Lu4nHgF8A/4i/BHos3LQU4CKDdnXDUeL8jrFTRPh/ JNcEwbK8gEcObUR2VNC9aYvS/colAjFoSfhJOnoPmSSkFsbS6bs7I3iTXoPZocoCsB5l HNayhN1w0gsRpyw8EeAgZ/RSRX/o2rcM/c3ottPd3HPoIJQA+Q33S2gpoxQUgwZzrrAI X037LNLotAVNTsZ0zkC6UfxLelM3sMw9vxEJvT+V7DNLzbOCnRCoRwaMptTLPtSgBQzW zwsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=YGczli9kRu4G0EE9ppK/ZW7lnNhHOnn2KrgcFZjo3F4=; b=PWQrXkwBKUtfly0GRQkZVT7fGgfwioEacmGsFlasdXp8vT6gl5LtnLqjwakU/H4Q7V jvVmXNP/tK+AV5pfj3xlgtV6suddB35u0UX1LVEn1xWVgkvU6fVx2KAfVgd+fHGcq2Cz RgP9IrqVzfQGELyV+dE8tUhpXR7MIMq9WzBacLV1BS6H+CKHTYiTlvN/vDyWADcgdL/t +vnC97eIwrbGsI7VbIaT1vOUI5wjQN1OGe8h6g+BBoRccJXkpuvbR/+AO525Tb8yh0Lx afLvJuccbMppPDMtimcDdRwu2KiOk9WOVhML/m63/0QS85bLCYMpiGC8rEN6uIXmEaRC OgKg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=blwMci7m; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h18si9781254otj.114.2020.02.03.11.43.01; Mon, 03 Feb 2020 11:43:13 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=blwMci7m; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726994AbgBCTmB (ORCPT + 99 others); Mon, 3 Feb 2020 14:42:01 -0500 Received: from mail-pj1-f66.google.com ([209.85.216.66]:51433 "EHLO mail-pj1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726018AbgBCTmB (ORCPT ); Mon, 3 Feb 2020 14:42:01 -0500 Received: by mail-pj1-f66.google.com with SMTP id fa20so207150pjb.1; Mon, 03 Feb 2020 11:42:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=YGczli9kRu4G0EE9ppK/ZW7lnNhHOnn2KrgcFZjo3F4=; b=blwMci7mz2N1tkDktCs7E8urYt8dkZzBulEzDjpsEAoBCH5Tr6zzMpRIR/HoARACOm IG0wWVpsEohRwVOfHGozsf5HfwkcTNg1U37D+ur6vAtJCBa1auwM8OQMrWQk5nrBXUrC 9ynCssqpweEyHNU4HKfBZqZD+3jNIODCwtiEwXjMw8rU8I5UhSjWaUGQ1ZfCpPr52B/H YoJCEDGrgrb/NHwfdEJuqBPnN6E/Q1W/1uvwyTkf5Arp4kxLo5djNwsXPjvzWaBlOza3 H8EetcxskLdns/GY62bKN9LDERXs/kWH8QxaNtKW9+4/XEYkYiGTQMyN85f0Eheb2cFg Yrgw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=YGczli9kRu4G0EE9ppK/ZW7lnNhHOnn2KrgcFZjo3F4=; b=CWzFbdeLf5EOdY+Py2HzNOWZ7KHO6zcRFBFErdRL+M1rHAqDvU0wPuYMAa2NJIT1ls CvNIhzhGMAjDbFyjiPjm4J3Ybai+qvYueGDxHBeMAaBHUvln1xetmkbtLj/OAN2y14/A Si5taOJ2MVNwCsx2eZxFnw7V+i//aqSw4/BDKAgi5H4kOtjBqfVt3+7M1CFgH5WbXORL tzIzmxhjTtOXpSKh9tgpiZ0Brh+xwBw0EYaxFCnUf+uzMKaYaZD5yY2/sP/FKJ4b54aW sGmnu+7H+YaIwQvPK15UN3jEl+0efPWAVXTjb+uk9W+AqfFxH4bTOGkQ2KH27UqA5Ycp dn1Q== X-Gm-Message-State: APjAAAX3B5BvGXngky7IpzaRXK9w741hFfe/I6J2fnbzcSTXEMz4HPdD 1kp/k1Xeiiro4Cn79kGdjBH1Ts8p X-Received: by 2002:a17:902:7d93:: with SMTP id a19mr24912115plm.283.1580758920688; Mon, 03 Feb 2020 11:42:00 -0800 (PST) Received: from ?IPv6:2620:15c:2c1:200:55c7:81e6:c7d8:94b? ([2620:15c:2c1:200:55c7:81e6:c7d8:94b]) by smtp.gmail.com with ESMTPSA id x21sm20686309pfn.164.2020.02.03.11.41.59 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 03 Feb 2020 11:42:00 -0800 (PST) Subject: Re: [PATCH] skbuff: fix a data race in skb_queue_len() To: Qian Cai , davem@davemloft.net Cc: kuba@kernel.org, elver@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <1580756190-3541-1-git-send-email-cai@lca.pw> From: Eric Dumazet Message-ID: <648d6673-bbd8-6634-0174-f9b77194ecfd@gmail.com> Date: Mon, 3 Feb 2020 11:41:58 -0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 In-Reply-To: <1580756190-3541-1-git-send-email-cai@lca.pw> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2/3/20 10:56 AM, Qian Cai wrote: > sk_buff.qlen can be accessed concurrently as noticed by KCSAN, > > BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg > > read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96: > unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821 > net/unix/af_unix.c:1761 > ____sys_sendmsg+0x33e/0x370 > ___sys_sendmsg+0xa6/0xf0 > __sys_sendmsg+0x69/0xf0 > __x64_sys_sendmsg+0x51/0x70 > do_syscall_64+0x91/0xb47 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99: > __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029 > __skb_try_recv_datagram+0xbe/0x220 > unix_dgram_recvmsg+0xee/0x850 > ____sys_recvmsg+0x1fb/0x210 > ___sys_recvmsg+0xa2/0xf0 > __sys_recvmsg+0x66/0xf0 > __x64_sys_recvmsg+0x51/0x70 > do_syscall_64+0x91/0xb47 > entry_SYSCALL_64_after_hwframe+0x49/0xbe > > Since only the read is operating as lockless, it could introduce a logic > bug in unix_recvq_full() due to the load tearing. Fix it by adding > a READ_ONCE() there. > > Signed-off-by: Qian Cai > --- > include/linux/skbuff.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h > index 3d13a4b717e9..4b5157164f3e 100644 > --- a/include/linux/skbuff.h > +++ b/include/linux/skbuff.h > @@ -1818,7 +1818,7 @@ static inline struct sk_buff *skb_peek_tail(const struct sk_buff_head *list_) > */ > static inline __u32 skb_queue_len(const struct sk_buff_head *list_) > { > - return list_->qlen; > + return READ_ONCE(list_->qlen); > } We do not want to add READ_ONCE() for all uses of skb_queue_len() This could hide some real bugs, and could generate slightly less efficient code in the cases we have the lock held.