From mboxrd@z Thu Jan  1 00:00:00 1970
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757541AbeAHPL7 (ORCPT <rfc822;ralf@linux-mips.org> + 1 other);
        Mon, 8 Jan 2018 10:11:59 -0500
Received: from mx1.redhat.com ([209.132.183.28]:50170 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1756537AbeAHPL5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 8 Jan 2018 10:11:57 -0500
Date: Mon, 8 Jan 2018 16:11:40 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: Nicolai Stange <nstange@suse.de>
Cc: "David S. Miller" <davem@davemloft.net>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        Mohamed Ghannam <simo.ghannam@gmail.com>,
        Michal Kubecek <mkubecek@suse.cz>,
        Miroslav Benes <mbenes@suse.cz>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] net: ipv4: emulate READ_ONCE() on ->hdrincl
 bit-field in raw_sendmsg()
Message-ID: <20180108161140.796eb4cf@elisabeth>
In-Reply-To: <20180108145444.19457-1-nstange@suse.de>
References: <20180103113700.049f7558@elisabeth>
        <20180108145444.19457-1-nstange@suse.de>
Organization: Red Hat
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Mon, 08 Jan 2018 15:11:57 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>

On Mon,  8 Jan 2018 15:54:44 +0100
Nicolai Stange <nstange@suse.de> wrote:

> Commit 8f659a03a0ba ("net: ipv4: fix for a race condition in
> raw_sendmsg") fixed the issue of possibly inconsistent ->hdrincl handling
> due to concurrent updates by reading this bit-field member into a local
> variable and using the thus stabilized value in subsequent tests.
> 
> However, aforementioned commit also adds the (correct) comment that
> 
>   /* hdrincl should be READ_ONCE(inet->hdrincl)
>    * but READ_ONCE() doesn't work with bit fields
>    */
> 
> because as it stands, the compiler is free to shortcut or even eliminate
> the local variable at its will.
> 
> Note that I have not seen anything like this happening in reality and thus,
> the concern is a theoretical one.
> 
> However, in order to be on the safe side, emulate a READ_ONCE() on the
> bit-field by doing it on the local 'hdrincl' variable itself:
> 
> 	int hdrincl = inet->hdrincl;
> 	hdrincl = READ_ONCE(hdrincl);
> 
> This breaks the chain in the sense that the compiler is not allowed
> to replace subsequent reads from hdrincl with reloads from inet->hdrincl.
> 
> Fixes: 8f659a03a0ba ("net: ipv4: fix for a race condition in raw_sendmsg")
> Signed-off-by: Nicolai Stange <nstange@suse.de>

Reviewed-by: Stefano Brivio <sbrivio@redhat.com>

-- 
Stefano