From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <edumazet@google.com>
Cc: <davem@davemloft.net>, <kuba@kernel.org>, <kuni1840@gmail.com>,
<kuniyu@amazon.com>, <netdev@vger.kernel.org>,
<pabeni@redhat.com>, <syzkaller@googlegroups.com>
Subject: Re: [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs().
Date: Mon, 8 May 2023 10:20:16 -0700 [thread overview]
Message-ID: <20230508172016.49942-1-kuniyu@amazon.com> (raw)
In-Reply-To: <CANn89i+JJ3747u5B89XMzxHQXgHiiXmftGZd2LV-ejJ3-g68CQ@mail.gmail.com>
From: Eric Dumazet <edumazet@google.com>
Date: Mon, 8 May 2023 19:08:58 +0200
> On Mon, May 8, 2023 at 6:58 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> >
> > KCSAN found a data race in sock_recv_cmsgs() [0] where the read access
> > to sk->sk_stamp needs READ_ONCE().
> >
> > Also, there is another race like below. If the torn load of the high
> > 32-bits precedes WRITE_ONCE(sk, skb->tstamp) and later the written
> > lower 32-bits happens to match with SK_DEFAULT_STAMP, the final result
> > of sk->sk_stamp could be 0.
> >
> > sock_recv_cmsgs() ioctl(SIOCGSTAMP) sock_recv_cmsgs()
> > | | |
> > |- if (sock_flag(sk, SOCK_TIMESTAMP)) |
> > | | |
> > | `- sock_set_flag(sk, SOCK_TIMESTAMP)
> > | |
> > | `- if (sock_flag(sk, SOCK_TIMESTAMP))
> > `- if (sk->sk_stamp == SK_DEFAULT_STAMP) `- sock_write_timestamp(sk, skb->tstamp)
> > `- sock_write_timestamp(sk, 0)
> >
> > Even with READ_ONCE(), we could get the same result if READ_ONCE() precedes
> > WRITE_ONCE() because the SK_DEFAULT_STAMP check and WRITE_ONCE(sk_stamp, 0)
> > are not atomic.
> >
> > Let's avoid the race by cmpxchg() on 64-bits architecture or seqlock on
> > 32-bits machines.
> >
>
> I disagree. Please use WRITE_ONCE(), even if we know it is racy on 32bit.
>
> sock_read_timestamp() and sock_write_timestamp() already are racy, and
> we do not care.
I think it's not racy since commit 3a0ed3e96197 ("sock: Make sock->sk_stamp
thread-safe"), which introduced seqlock in sock_read_timestamp() and
sock_write_timestamp().
next prev parent reply other threads:[~2023-05-08 17:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-08 16:58 [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs() Kuniyuki Iwashima
2023-05-08 17:08 ` Eric Dumazet
2023-05-08 17:20 ` Kuniyuki Iwashima [this message]
2023-05-08 17:31 ` Eric Dumazet
2023-05-08 17:39 ` Kuniyuki Iwashima
2023-05-09 7:38 ` kernel test robot
2023-05-09 8:12 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230508172016.49942-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.