From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>,
	syzbot <syzkaller@googlegroups.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 46/71] veth: fix races around rq->rx_notify_masked
Date: Mon, 14 Feb 2022 10:26:14 +0100
Message-ID: <20220214092453.603018204@linuxfoundation.org>
In-Reply-To: <20220214092452.020713240@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 68468d8c4cd4222a4ca1f185ab5a1c14480d078c ]

veth being NETIF_F_LLTX enabled, we need to be more careful
whenever we read/write rq->rx_notify_masked.

BUG: KCSAN: data-race in veth_xmit / veth_xmit

write to 0xffff888133d9a9f8 of 1 bytes by task 23552 on cpu 0:
 __veth_xdp_flush drivers/net/veth.c:269 [inline]
 veth_xmit+0x307/0x470 drivers/net/veth.c:350
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3473
 dev_hard_start_xmit net/core/dev.c:3489 [inline]
 __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
 br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_forward_finish net/bridge/br_forward.c:66 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
 br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
 br_dev_xmit+0x8b6/0x960
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3473
 dev_hard_start_xmit net/core/dev.c:3489 [inline]
 __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
 neigh_hh_output include/net/neighbour.h:525 [inline]
 neigh_output include/net/neighbour.h:539 [inline]
 ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
 ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
 udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
 udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
 inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

read to 0xffff888133d9a9f8 of 1 bytes by task 23563 on cpu 1:
 __veth_xdp_flush drivers/net/veth.c:268 [inline]
 veth_xmit+0x2d6/0x470 drivers/net/veth.c:350
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3473
 dev_hard_start_xmit net/core/dev.c:3489 [inline]
 __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
 br_dev_queue_push_xmit+0x3ce/0x430 net/bridge/br_forward.c:53
 NF_HOOK include/linux/netfilter.h:307 [inline]
 br_forward_finish net/bridge/br_forward.c:66 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 __br_forward+0x2e4/0x400 net/bridge/br_forward.c:115
 br_flood+0x521/0x5c0 net/bridge/br_forward.c:242
 br_dev_xmit+0x8b6/0x960
 __netdev_start_xmit include/linux/netdevice.h:4683 [inline]
 netdev_start_xmit include/linux/netdevice.h:4697 [inline]
 xmit_one+0x105/0x2f0 net/core/dev.c:3473
 dev_hard_start_xmit net/core/dev.c:3489 [inline]
 __dev_queue_xmit+0x86d/0xf90 net/core/dev.c:4116
 dev_queue_xmit+0x13/0x20 net/core/dev.c:4149
 neigh_hh_output include/net/neighbour.h:525 [inline]
 neigh_output include/net/neighbour.h:539 [inline]
 ip_finish_output2+0x6f8/0xb70 net/ipv4/ip_output.c:228
 ip_finish_output+0xfb/0x240 net/ipv4/ip_output.c:316
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip_output+0xf3/0x1a0 net/ipv4/ip_output.c:430
 dst_output include/net/dst.h:451 [inline]
 ip_local_out net/ipv4/ip_output.c:126 [inline]
 ip_send_skb+0x6e/0xe0 net/ipv4/ip_output.c:1570
 udp_send_skb+0x641/0x880 net/ipv4/udp.c:967
 udp_sendmsg+0x12ea/0x14c0 net/ipv4/udp.c:1254
 inet_sendmsg+0x5f/0x80 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:705 [inline]
 sock_sendmsg net/socket.c:725 [inline]
 ____sys_sendmsg+0x39a/0x510 net/socket.c:2413
 ___sys_sendmsg net/socket.c:2467 [inline]
 __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553
 __do_sys_sendmmsg net/socket.c:2582 [inline]
 __se_sys_sendmmsg net/socket.c:2579 [inline]
 __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

value changed: 0x00 -> 0x01

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 23563 Comm: syz-executor.5 Not tainted 5.17.0-rc2-syzkaller-00064-gc36c04c2e132 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 948d4f214fde ("veth: Add driver XDP")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/veth.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/veth.c b/drivers/net/veth.c
index 81a79e7132483..10a876f8831c7 100644
--- a/drivers/net/veth.c
+++ b/drivers/net/veth.c
@@ -209,9 +209,10 @@ static void __veth_xdp_flush(struct veth_rq *rq)
 {
 	/* Write ptr_ring before reading rx_notify_masked */
 	smp_mb();
-	if (!rq->rx_notify_masked) {
-		rq->rx_notify_masked = true;
-		napi_schedule(&rq->xdp_napi);
+	if (!READ_ONCE(rq->rx_notify_masked) &&
+	    napi_schedule_prep(&rq->xdp_napi)) {
+		WRITE_ONCE(rq->rx_notify_masked, true);
+		__napi_schedule(&rq->xdp_napi);
 	}
 }
 
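Review bot: in __veth_xdp_flush() the new READ_ONCE()/WRITE_ONCE() pair on rq->rx_notify_masked is still a check-then-set sequence, and nothing in the hunk documents that napi_schedule_prep() is what arbitrates between concurrent veth_xmit() callers. The only comment here, above smp_mb(), covers ordering against ptr_ring. A one-line comment above the condition would help, for example that the READ_ONCE() is a lockless fast-path hint and that only the caller that wins napi_schedule_prep() sets the flag. It should also say that a caller that loses the prep leaves rx_notify_masked untouched and does not schedule.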
@@ -780,8 +781,10 @@ static int veth_poll(struct napi_struct *napi, int budget)
 		/* Write rx_notify_masked before reading ptr_ring */
 		smp_store_mb(rq->rx_notify_masked, false);
 		if (unlikely(!__ptr_ring_empty(&rq->xdp_ring))) {
-			rq->rx_notify_masked = true;
-			napi_schedule(&rq->xdp_napi);
+			if (napi_schedule_prep(&rq->xdp_napi)) {
+				WRITE_ONCE(rq->rx_notify_masked, true);
+				__napi_schedule(&rq->xdp_napi);
+			}
 		}
 	}
 
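Review bot: the failure branch of the new napi_schedule_prep() check in veth_poll() is silent. At that point smp_store_mb() has just stored false to rq->rx_notify_masked and __ptr_ring_empty() has just reported entries in xdp_ring, yet nothing is scheduled from here. Please add a comment stating the invariant the code relies on, namely that a failed prep means another context already owns the NAPI schedule and will drain the ring. As a style point, the nested if could be folded into the outer condition to match the form used in __veth_xdp_flush().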
-- 
2.34.1



