Re: [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs().

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <edumazet@google.com>
Cc: <davem@davemloft.net>, <kuba@kernel.org>, <kuni1840@gmail.com>,
	<kuniyu@amazon.com>, <netdev@vger.kernel.org>,
	<pabeni@redhat.com>, <syzkaller@googlegroups.com>
Subject: Re: [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs().
Date: Mon, 8 May 2023 10:39:59 -0700	[thread overview]
Message-ID: <20230508173959.52607-1-kuniyu@amazon.com> (raw)
In-Reply-To: <CANn89iJAZ+OYVebm-x4pJgjYTdj8RiXc8iLnQC8X6JC3RUywuA@mail.gmail.com>

From: Eric Dumazet <edumazet@google.com>
Date: Mon, 8 May 2023 19:31:12 +0200
> On Mon, May 8, 2023 at 7:20 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> >
> > From: Eric Dumazet <edumazet@google.com>
> > Date: Mon, 8 May 2023 19:08:58 +0200
> > > On Mon, May 8, 2023 at 6:58 PM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
> > > >
> > > > KCSAN found a data race in sock_recv_cmsgs() [0] where the read access
> > > > to sk->sk_stamp needs READ_ONCE().
> > > >
> > > > Also, there is another race like below.  If the torn load of the high
> > > > 32-bits precedes WRITE_ONCE(sk, skb->tstamp) and later the written
> > > > lower 32-bits happens to match with SK_DEFAULT_STAMP, the final result
> > > > of sk->sk_stamp could be 0.
> > > >
> > > >   sock_recv_cmsgs()  ioctl(SIOCGSTAMP)      sock_recv_cmsgs()
> > > >   |                  |                      |
> > > >   |- if (sock_flag(sk, SOCK_TIMESTAMP))     |
> > > >   |                  |                      |
> > > >   |                  `- sock_set_flag(sk, SOCK_TIMESTAMP)
> > > >   |                                         |
> > > >   |                                          `- if (sock_flag(sk, SOCK_TIMESTAMP))
> > > >   `- if (sk->sk_stamp == SK_DEFAULT_STAMP)      `- sock_write_timestamp(sk, skb->tstamp)
> > > >       `- sock_write_timestamp(sk, 0)
> > > >
> > > > Even with READ_ONCE(), we could get the same result if READ_ONCE() precedes
> > > > WRITE_ONCE() because the SK_DEFAULT_STAMP check and WRITE_ONCE(sk_stamp, 0)
> > > > are not atomic.
> > > >
> > > > Let's avoid the race by cmpxchg() on 64-bits architecture or seqlock on
> > > > 32-bits machines.
> > > >
> > >
> > > I disagree. Please use WRITE_ONCE(), even if we know it is racy on 32bit.
> > >
> > > sock_read_timestamp() and sock_write_timestamp() already are racy, and
> > > we do not care.
> >
> > I think it's not racy since commit 3a0ed3e96197 ("sock: Make sock->sk_stamp
> > thread-safe"), which introduced seqlock in sock_read_timestamp() and
> > sock_write_timestamp().
> 
> Please note I do not care of 32bit.
> 
> It is definitely racy on 64bit.
> 
> Please look at
> 
> commit f75359f3ac855940c5718af10ba089b8977bf339
> Author: Eric Dumazet <edumazet@google.com>
> Date:   Mon Nov 4 21:38:43 2019 -0800
> 
>     net: prevent load/store tearing on sk->sk_stamp
> 
> 
> We can not use cmpxchg() only in one place and not the others.

Ah, I understand.  I'll post v3 with this diff to silence KCSAN.

---8<---
diff --git a/include/net/sock.h b/include/net/sock.h
index 8b7ed7167243..656ea89f60ff 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2718,7 +2718,7 @@ static inline void sock_recv_cmsgs(struct msghdr *msg, struct sock *sk,
 		__sock_recv_cmsgs(msg, sk, skb);
 	else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
 		sock_write_timestamp(sk, skb->tstamp);
-	else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
+	else if (unlikely(sock_read_timestamp(sk) == SK_DEFAULT_STAMP))
 		sock_write_timestamp(sk, 0);
 }
 
---8<---

Thank you!


> 
> cmpxchg() is expensive, we do not want it here on our fast path.
>
> Thanks.

next prev parent reply	other threads:[~2023-05-08 17:40 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-08 16:58 [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs() Kuniyuki Iwashima
2023-05-08 17:08 ` Eric Dumazet
2023-05-08 17:20   ` Kuniyuki Iwashima
2023-05-08 17:31     ` Eric Dumazet
2023-05-08 17:39       ` Kuniyuki Iwashima [this message]
2023-05-09  7:38 ` kernel test robot
2023-05-09  8:12 ` kernel test robot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8b7ed716724 dfblob:656ea89f60f )
 OR (
bs:"Re: [PATCH v2 net] net: Fix sk->sk_stamp race in sock_recv_cmsgs()." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230508173959.52607-1-kuniyu@amazon.com \
    --to=kuniyu@amazon.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=kuni1840@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=syzkaller@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.