[PATCH net 08/11] netfilter: conntrack: Mark access for KCSAN

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH net 08/11] netfilter: conntrack: Mark access for KCSAN
Date: Wed,  7 Jul 2021 18:18:41 +0200	[thread overview]
Message-ID: <20210707161844.20827-9-pablo@netfilter.org> (raw)
In-Reply-To: <20210707161844.20827-1-pablo@netfilter.org>

From: Manfred Spraul <manfred@colorfullife.com>

KCSAN detected an data race with ipc/sem.c that is intentional.

As nf_conntrack_lock() uses the same algorithm: Update
nf_conntrack_core as well:

nf_conntrack_lock() contains
  a1) spin_lock()
  a2) smp_load_acquire(nf_conntrack_locks_all).

a1) actually accesses one lock from an array of locks.

nf_conntrack_locks_all() contains
  b1) nf_conntrack_locks_all=true (normal write)
  b2) spin_lock()
  b3) spin_unlock()

b2 and b3 are done for every lock.

This guarantees that nf_conntrack_locks_all() prevents any
concurrent nf_conntrack_lock() owners:
If a thread past a1), then b2) will block until that thread releases
the lock.
If the threat is before a1, then b3)+a1) ensure the write b1) is
visible, thus a2) is guaranteed to see the updated value.

But: This is only the latest time when b1) becomes visible.
It may also happen that b1) is visible an undefined amount of time
before the b3). And thus KCSAN will notice a data race.

In addition, the compiler might be too clever.

Solution: Use WRITE_ONCE().

Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 085a11f1eb43..83c52df85870 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -149,7 +149,15 @@ static void nf_conntrack_all_lock(void)

 	spin_lock(&nf_conntrack_locks_all_lock);

-	nf_conntrack_locks_all = true;
+	/* For nf_contrack_locks_all, only the latest time when another
+	 * CPU will see an update is controlled, by the "release" of the
+	 * spin_lock below.
+	 * The earliest time is not controlled, an thus KCSAN could detect
+	 * a race when nf_conntract_lock() reads the variable.
+	 * WRITE_ONCE() is used to ensure the compiler will not
+	 * optimize the write.
+	 */
+	WRITE_ONCE(nf_conntrack_locks_all, true);

 	for (i = 0; i < CONNTRACK_LOCKS; i++) {
 		spin_lock(&nf_conntrack_locks[i]);
-- 
2.20.1

next prev parent reply	other threads:[~2021-07-07 16:19 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-07 16:18 [PATCH net 00/11] Netfilter fixes for net Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 01/11] selftest: netfilter: add test case for unreplied tcp connections Pablo Neira Ayuso
2021-07-07 21:10   ` patchwork-bot+netdevbpf
2021-07-07 16:18 ` [PATCH net 02/11] netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 03/11] netfilter: nf_tables: Fix dereference of null pointer flow Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 04/11] netfilter: conntrack: nf_ct_gre_keymap_flush() removal Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 05/11] netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 06/11] netfilter: conntrack: improve RST handling when tuple is re-used Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 07/11] netfilter: conntrack: add new sysctl to disable RST check Pablo Neira Ayuso
2021-07-07 16:18 ` Pablo Neira Ayuso [this message]
2021-07-07 16:18 ` [PATCH net 09/11] netfilter: nft_last: honor NFTA_LAST_SET on restoration Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 10/11] netfilter: nft_last: incorrect arithmetics when restoring last used Pablo Neira Ayuso
2021-07-07 16:18 ` [PATCH net 11/11] netfilter: uapi: refer to nfnetlink_conntrack.h, not nf_conntrack_netlink.h Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:085a11f1eb4 dfblob:83c52df8587 )
 OR (
bs:"[PATCH net 08/11] netfilter: conntrack: Mark access for KCSAN" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210707161844.20827-9-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).