diff options
author | Eric Dumazet <edumazet@google.com> | 2019-10-24 01:44:49 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2019-10-28 16:33:41 -0400 |
commit | 137a0dbe3426fd7bcfe3f8117b36a87b3590e4eb (patch) | |
tree | 394134c0da793152f6710ce111dc6a52ab4fd50a /net | |
parent | d7d16a89350ab263484c0aa2b523dd3a234e4a80 (diff) |
udp: use skb_queue_empty_lockless()
syzbot reported a data-race [1].
We should use skb_queue_empty_lockless() to document that we are
not ensuring a mutual exclusion and silence KCSAN.
[1]
BUG: KCSAN: data-race in __skb_recv_udp / __udp_enqueue_schedule_skb
write to 0xffff888122474b50 of 8 bytes by interrupt on cpu 0:
__skb_insert include/linux/skbuff.h:1852 [inline]
__skb_queue_before include/linux/skbuff.h:1958 [inline]
__skb_queue_tail include/linux/skbuff.h:1991 [inline]
__udp_enqueue_schedule_skb+0x2c1/0x410 net/ipv4/udp.c:1470
__udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline]
udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057
udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074
udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233
__udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300
udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470
ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:442 [inline]
ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
__netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010
__netif_receive_skb+0x37/0xf0 net/core/dev.c:5124
process_backlog+0x1d3/0x420 net/core/dev.c:5955
read to 0xffff888122474b50 of 8 bytes by task 8921 on cpu 1:
skb_queue_empty include/linux/skbuff.h:1494 [inline]
__skb_recv_udp+0x18d/0x500 net/ipv4/udp.c:1653
udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712
inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871
___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
__sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
__do_sys_recvmmsg net/socket.c:2703 [inline]
__se_sys_recvmmsg net/socket.c:2696 [inline]
__x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 8921 Comm: syz-executor.4 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/udp.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 14bc654b6842..2cc259736c2e 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c | |||
@@ -1577,7 +1577,7 @@ static int first_packet_length(struct sock *sk) | |||
1577 | 1577 | ||
1578 | spin_lock_bh(&rcvq->lock); | 1578 | spin_lock_bh(&rcvq->lock); |
1579 | skb = __first_packet_length(sk, rcvq, &total); | 1579 | skb = __first_packet_length(sk, rcvq, &total); |
1580 | if (!skb && !skb_queue_empty(sk_queue)) { | 1580 | if (!skb && !skb_queue_empty_lockless(sk_queue)) { |
1581 | spin_lock(&sk_queue->lock); | 1581 | spin_lock(&sk_queue->lock); |
1582 | skb_queue_splice_tail_init(sk_queue, rcvq); | 1582 | skb_queue_splice_tail_init(sk_queue, rcvq); |
1583 | spin_unlock(&sk_queue->lock); | 1583 | spin_unlock(&sk_queue->lock); |
@@ -1650,7 +1650,7 @@ struct sk_buff *__skb_recv_udp(struct sock *sk, unsigned int flags, | |||
1650 | return skb; | 1650 | return skb; |
1651 | } | 1651 | } |
1652 | 1652 | ||
1653 | if (skb_queue_empty(sk_queue)) { | 1653 | if (skb_queue_empty_lockless(sk_queue)) { |
1654 | spin_unlock_bh(&queue->lock); | 1654 | spin_unlock_bh(&queue->lock); |
1655 | goto busy_check; | 1655 | goto busy_check; |
1656 | } | 1656 | } |
@@ -1676,7 +1676,7 @@ busy_check: | |||
1676 | break; | 1676 | break; |
1677 | 1677 | ||
1678 | sk_busy_loop(sk, flags & MSG_DONTWAIT); | 1678 | sk_busy_loop(sk, flags & MSG_DONTWAIT); |
1679 | } while (!skb_queue_empty(sk_queue)); | 1679 | } while (!skb_queue_empty_lockless(sk_queue)); |
1680 | 1680 | ||
1681 | /* sk_queue is empty, reader_queue may contain peeked packets */ | 1681 | /* sk_queue is empty, reader_queue may contain peeked packets */ |
1682 | } while (timeo && | 1682 | } while (timeo && |