| From add6e218bdba211c16455c532af096b2c141645c Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Thu, 7 Nov 2019 20:08:19 -0800 |
| Subject: [PATCH] net: fix data-race in neigh_event_send() |
| |
| commit 1b53d64435d56902fc234ff2507142d971a09687 upstream. |
| |
| KCSAN reported the following data-race [1] |
| |
| The fix will also prevent the compiler from optimizing out |
| the condition. |
| |
| [1] |
| |
| BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output |
| |
| write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1: |
| neigh_event_send include/net/neighbour.h:443 [inline] |
| neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474 |
| neigh_output include/net/neighbour.h:511 [inline] |
| ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 |
| __ip_finish_output net/ipv4/ip_output.c:308 [inline] |
| __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 |
| ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 |
| NF_HOOK_COND include/linux/netfilter.h:294 [inline] |
| ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 |
| dst_output include/net/dst.h:436 [inline] |
| ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 |
| __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 |
| ip_queue_xmit+0x45/0x60 include/net/ip.h:237 |
| __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 |
| tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] |
| __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 |
| tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 |
| tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 |
| tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 |
| tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618 |
| |
| read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0: |
| neigh_event_send include/net/neighbour.h:442 [inline] |
| neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474 |
| neigh_output include/net/neighbour.h:511 [inline] |
| ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228 |
| __ip_finish_output net/ipv4/ip_output.c:308 [inline] |
| __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290 |
| ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318 |
| NF_HOOK_COND include/linux/netfilter.h:294 [inline] |
| ip_output+0xdf/0x210 net/ipv4/ip_output.c:432 |
| dst_output include/net/dst.h:436 [inline] |
| ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125 |
| __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 |
| ip_queue_xmit+0x45/0x60 include/net/ip.h:237 |
| __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169 |
| tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline] |
| __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976 |
| tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999 |
| tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515 |
| tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598 |
| |
| Reported by Kernel Concurrency Sanitizer on: |
| CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/include/net/neighbour.h b/include/net/neighbour.h |
| index 50a67bd6a434..b8452cc0e059 100644 |
| --- a/include/net/neighbour.h |
| +++ b/include/net/neighbour.h |
| @@ -439,8 +439,8 @@ static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb) |
| { |
| unsigned long now = jiffies; |
| |
| - if (neigh->used != now) |
| - neigh->used = now; |
| + if (READ_ONCE(neigh->used) != now) |
| + WRITE_ONCE(neigh->used, now); |
| if (!(neigh->nud_state&(NUD_CONNECTED|NUD_DELAY|NUD_PROBE))) |
| return __neigh_event_send(neigh, skb); |
| return 0; |
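Review bot: The `neigh->nud_state` test on the line directly after the annotated pair is still a plain load on the same lockless path. If that field is updated concurrently elsewhere (not visible in this hunk), it is presumably exposed to the same kind of data race KCSAN reported for `used`; consider `if (!(READ_ONCE(neigh->nud_state) & (NUD_CONNECTED|NUD_DELAY|NUD_PROBE)))`. The reason for keeping the compare-before-store exists only in the commit message, so a short comment above the pair would help, for example `/* Lockless: READ_ONCE/WRITE_ONCE mark the race on ->used and keep the compiler from dropping the test. */`. Any other readers or writers of `neigh->used` outside this header would need matching annotations for the marking to be complete, which cannot be checked from here. The body of neigh_event_send() closes outside the hunk.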
| -- |
| 2.7.4 |
| |