Patch "netpoll: Fix race condition in netpoll_owner_active" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 21 Jun 2024 11:45:17 -0400

This is a note to let you know that I've just added the patch titled

    netpoll: Fix race condition in netpoll_owner_active

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netpoll-fix-race-condition-in-netpoll_owner_active.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 943d19c0acf7fa0bef128ab706ec9b78dab48310
Author: Breno Leitao <leitao@xxxxxxxxxx>
Date:   Mon Apr 29 03:04:33 2024 -0700

    netpoll: Fix race condition in netpoll_owner_active
    
    [ Upstream commit c2e6a872bde9912f1a7579639c5ca3adf1003916 ]
    
    KCSAN detected a race condition in netpoll:
    
            BUG: KCSAN: data-race in net_rx_action / netpoll_send_skb
            write (marked) to 0xffff8881164168b0 of 4 bytes by interrupt on cpu 10:
            net_rx_action (./include/linux/netpoll.h:90 net/core/dev.c:6712 net/core/dev.c:6822)
    <snip>
            read to 0xffff8881164168b0 of 4 bytes by task 1 on cpu 2:
            netpoll_send_skb (net/core/netpoll.c:319 net/core/netpoll.c:345 net/core/netpoll.c:393)
            netpoll_send_udp (net/core/netpoll.c:?)
    <snip>
            value changed: 0x0000000a -> 0xffffffff
    
    This happens because netpoll_owner_active() needs to check if the
    current CPU is the owner of the lock, touching napi->poll_owner
    non atomically. The ->poll_owner field contains the current CPU holding
    the lock.
    
    Use an atomic read to check if the poll owner is the current CPU.
    
    Signed-off-by: Breno Leitao <leitao@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240429100437.3487432-1-leitao@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 543007f159f99..55bcacf67df3b 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -316,7 +316,7 @@ static int netpoll_owner_active(struct net_device *dev)
 	struct napi_struct *napi;
 
 	list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) {
-		if (napi->poll_owner == smp_processor_id())
+		if (READ_ONCE(napi->poll_owner) == smp_processor_id())
 			return 1;
 	}
 	return 0;







