[PATCH AUTOSEL 6.6 09/21] virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zhongqiu Han <quic_zhonhan@quicinc.com>,
	syzbot+efe683d57990864b8c8e@syzkaller.appspotmail.com,
	"Michael S . Tsirkin" <mst@redhat.com>,
	Jason Wang <jasowang@redhat.com>, Sasha Levin <sashal@kernel.org>,
	virtualization@lists.linux.dev
Subject: [PATCH AUTOSEL 6.6 09/21] virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN
Date: Tue, 29 Apr 2025 19:52:21 -0400	[thread overview]
Message-ID: <20250429235233.537828-9-sashal@kernel.org> (raw)
In-Reply-To: <20250429235233.537828-1-sashal@kernel.org>

From: Zhongqiu Han <quic_zhonhan@quicinc.com>

[ Upstream commit 2e2f925fe737576df2373931c95e1a2b66efdfef ]

syzbot reports a data-race when accessing the event_triggered, here is the
simplified stack when the issue occurred:

==================================================================
BUG: KCSAN: data-race in virtqueue_disable_cb / virtqueue_enable_cb_delayed

write to 0xffff8881025bc452 of 1 bytes by task 3288 on cpu 0:
 virtqueue_enable_cb_delayed+0x42/0x3c0 drivers/virtio/virtio_ring.c:2653
 start_xmit+0x230/0x1310 drivers/net/virtio_net.c:3264
 __netdev_start_xmit include/linux/netdevice.h:5151 [inline]
 netdev_start_xmit include/linux/netdevice.h:5160 [inline]
 xmit_one net/core/dev.c:3800 [inline]

read to 0xffff8881025bc452 of 1 bytes by interrupt on cpu 1:
 virtqueue_disable_cb_split drivers/virtio/virtio_ring.c:880 [inline]
 virtqueue_disable_cb+0x92/0x180 drivers/virtio/virtio_ring.c:2566
 skb_xmit_done+0x5f/0x140 drivers/net/virtio_net.c:777
 vring_interrupt+0x161/0x190 drivers/virtio/virtio_ring.c:2715
 __handle_irq_event_percpu+0x95/0x490 kernel/irq/handle.c:158
 handle_irq_event_percpu kernel/irq/handle.c:193 [inline]

value changed: 0x01 -> 0x00
==================================================================

When the data race occurs, the function virtqueue_enable_cb_delayed() sets
event_triggered to false, and virtqueue_disable_cb_split/packed() reads it
as false due to the race condition. Since event_triggered is an unreliable
hint used for optimization, this should only cause the driver temporarily
suggest that the device not send an interrupt notification when the event
index is used.

Fix this KCSAN reported data-race issue by explicitly tagging the access as
data_racy.

Reported-by: syzbot+efe683d57990864b8c8e@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/67c7761a.050a0220.15b4b9.0018.GAE@google.com/
Signed-off-by: Zhongqiu Han <quic_zhonhan@quicinc.com>
Message-Id: <20250312130412.3516307-1-quic_zhonhan@quicinc.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/virtio/virtio_ring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index 80669e05bf0ee..c5f04234d9511 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -2530,7 +2530,7 @@ bool virtqueue_enable_cb_delayed(struct virtqueue *_vq)
 	struct vring_virtqueue *vq = to_vvq(_vq);
 
 	if (vq->event_triggered)
-		vq->event_triggered = false;
+		data_race(vq->event_triggered = false);
 
 	return vq->packed_ring ? virtqueue_enable_cb_delayed_packed(_vq) :
 				 virtqueue_enable_cb_delayed_split(_vq);
-- 
2.39.5

next prev parent reply	other threads:[~2025-04-29 23:52 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-29 23:52 [PATCH AUTOSEL 6.6 01/21] cpufreq: Add SM8650 to cpufreq-dt-platdev blocklist Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 02/21] nvmem: rockchip-otp: Move read-offset into variant-data Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 03/21] nvmem: rockchip-otp: add rk3576 variant data Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 04/21] nvmem: core: verify cell's raw_len Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 05/21] nvmem: core: update raw_len if the bit reading is required Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 06/21] nvmem: qfprom: switch to 4-byte aligned reads Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 07/21] scsi: target: iscsi: Fix timeout on deleted connection Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 08/21] scsi: ufs: Introduce quirk to extend PA_HIBERN8TIME for UFS devices Sasha Levin
2025-04-29 23:52 ` Sasha Levin [this message]
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 10/21] intel_th: avoid using deprecated page->mapping, index fields Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 11/21] dma-mapping: avoid potential unused data compilation warning Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 12/21] cgroup: Fix compilation issue due to cgroup_mutex not being exported Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 13/21] vhost_task: fix vhost_task_create() documentation Sasha Levin
2025-04-30  9:10   ` Stefano Garzarella
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 14/21] vhost-scsi: protect vq->log_used with vq->mutex Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 15/21] scsi: mpi3mr: Add level check to control event logging Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 16/21] net: enetc: refactor bulk flipping of RX buffers to separate function Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 17/21] ima: process_measurement() needlessly takes inode_lock() on MAY_READ Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 18/21] drm/amdgpu: Allow P2P access through XGMI Sasha Levin
2025-04-30 12:57   ` Alex Deucher
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 19/21] selftests/bpf: Mitigate sockmap_ktls disconnect_after_delete failure Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 20/21] bpf: fix possible endless loop in BPF map iteration Sasha Levin
2025-04-29 23:52 ` [PATCH AUTOSEL 6.6 21/21] samples/bpf: Fix compilation failure for samples/bpf on LoongArch Fedora Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:80669e05bf0e dfblob:c5f04234d951 )
 OR (
bs:"[PATCH AUTOSEL 6.6 09/21] virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250429235233.537828-9-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=jasowang@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mst@redhat.com \
    --cc=quic_zhonhan@quicinc.com \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+efe683d57990864b8c8e@syzkaller.appspotmail.com \
    --cc=virtualization@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox