Patch "veth: fix races around rq->rx_notify_masked" has been added to the 4.19-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is a note to let you know that I've just added the patch titled

    veth: fix races around rq->rx_notify_masked

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     veth-fix-races-around-rq-rx_notify_masked.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1e2ef4d2361612378ac0c747ab7d326c57b715f4
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Tue Feb 8 15:28:22 2022 -0800

    veth: fix races around rq->rx_notify_masked
    
    [ Upstream commit 68468d8c4cd4222a4ca1f185ab5a1c14480d078c ]
    
    veth being NETIF_F_LLTX enabled, we need to be more careful
    whenever we read/write rq->rx_notify_masked.
    
    BUG: KCSAN: data-race in veth_xmit / veth_xmit
    
    write to 0xffff888133d9a9f8 of 1 bytes by task 23552 on cpu 0:
     __veth_xdp_flush drivers/net/veth.c:269 [inline]
     veth_xmit+0x307/0x470 drivers/net/veth.c:350
     __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
     netdev_start_xmit include/linux/netdevice.h:4697 [inline]
     xmit_one+0x105/0x2f0 net/core/dev.c:3473
     dev_hard_start_xmit net/core/dev.c:3489 [inline]
     __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
     dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
     br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
     NF_HOOK include/linux/netfilter.h:307 [inline]
     br_forward_finish net/bridge/br_forward.c:66 [inline]
     NF_HOOK include/linux/netfilter.h:307 [inline]
     __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
     br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
     br_dev_xmit+0x8b6/0x960
     __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
     netdev_start_xmit include/linux/netdevice.h:4697 [inline]
     xmit_one+0x105/0x2f0 net/core/dev.c:3473
     dev_hard_start_xmit net/core/dev.c:3489 [inline]
     __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
     dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
     neigh_hh_output include/net/neighbour.h:525 [inline]
     neigh_output include/net/neighbour.h:539 [inline]
     ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
     ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
     NF_HOOK_COND include/linux/netfilter.h:296 [inline]
     ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
     dst_output include/net/dst.h:451 [inline]
     ip_local_out net/ipv4/ip_output.c:126 [inline]
     ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
     udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
     udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
     inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg net/socket.c:725 [inline]
     ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
     ___sys_sendmsg net/socket.c:2467 [inline]
     __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
     __do_sys_sendmmsg net/socket.c:2582 [inline]
     __se_sys_sendmmsg net/socket.c:2579 [inline]
     __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    read to 0xffff888133d9a9f8 of 1 bytes by task 23563 on cpu 1:
     __veth_xdp_flush drivers/net/veth.c:268 [inline]
     veth_xmit+0x2d6/0x470 drivers/net/veth.c:350
     __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
     netdev_start_xmit include/linux/netdevice.h:4697 [inline]
     xmit_one+0x105/0x2f0 net/core/dev.c:3473
     dev_hard_start_xmit net/core/dev.c:3489 [inline]
     __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
     dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
     br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
     NF_HOOK include/linux/netfilter.h:307 [inline]
     br_forward_finish net/bridge/br_forward.c:66 [inline]
     NF_HOOK include/linux/netfilter.h:307 [inline]
     __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
     br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
     br_dev_xmit+0x8b6/0x960
     __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
     netdev_start_xmit include/linux/netdevice.h:4697 [inline]
     xmit_one+0x105/0x2f0 net/core/dev.c:3473
     dev_hard_start_xmit net/core/dev.c:3489 [inline]
     __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
     dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
     neigh_hh_output include/net/neighbour.h:525 [inline]
     neigh_output include/net/neighbour.h:539 [inline]
     ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
     ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
     NF_HOOK_COND include/linux/netfilter.h:296 [inline]
     ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
     dst_output include/net/dst.h:451 [inline]
     ip_local_out net/ipv4/ip_output.c:126 [inline]
     ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
     udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
     udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
     inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
     sock_sendmsg_nosec net/socket.c:705 [inline]
     sock_sendmsg net/socket.c:725 [inline]
     ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
     ___sys_sendmsg net/socket.c:2467 [inline]
     __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
     __do_sys_sendmmsg net/socket.c:2582 [inline]
     __se_sys_sendmmsg net/socket.c:2579 [inline]
     __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    
    value changed: 0x00 -> 0x01
    
    Reported by Kernel Concurrency Sanitizer on:
    CPU: 1 PID: 23563 Comm: syz-executor.5 Not tainted 5.17.0-rc2-syzkaller-00064-gc36c04c2e132 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    
    Fixes: 948d4f214fde ("veth: Add driver XDP")
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Cc: Toshiaki Makita <makita.toshiaki@xxxxxxxxxxxxx>
    Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 5e988f7ec1743..76e834ca54e79 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -152,9 +152,10 @@ static void __veth_xdp_flush(struct veth_rq *rq)
 {
 	/* Write ptr_ring before reading rx_notify_masked */
 	smp_mb();
-	if (!rq->rx_notify_masked) {
-		rq->rx_notify_masked = true;
-		napi_schedule(&rq->xdp_napi);
+	if (!READ_ONCE(rq->rx_notify_masked) &&
+	    napi_schedule_prep(&rq->xdp_napi)) {
+		WRITE_ONCE(rq->rx_notify_masked, true);
+		__napi_schedule(&rq->xdp_napi);
 	}
 }
 
@@ -623,8 +624,10 @@ static int veth_poll(struct napi_struct *napi, int budget)
 		/* Write rx_notify_masked before reading ptr_ring */
 		smp_store_mb(rq->rx_notify_masked, false);
 		if (unlikely(!__ptr_ring_empty(&rq->xdp_ring))) {
-			rq->rx_notify_masked = true;
-			napi_schedule(&rq->xdp_napi);
+			if (napi_schedule_prep(&rq->xdp_napi)) {
+				WRITE_ONCE(rq->rx_notify_masked, true);
+				__napi_schedule(&rq->xdp_napi);
+			}
 		}
 	}
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux