net: add annotations on hh->hh_len lockless accesses
authorEric Dumazet <edumazet@google.com>
Fri, 8 Nov 2019 02:29:11 +0000 (18:29 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 9 Jan 2020 09:17:59 +0000 (10:17 +0100)
[ Upstream commit c305c6ae79e2ce20c22660ceda94f0d86d639a82 ]

KCSAN reported a data-race [1]

While we can use READ_ONCE() on the read sides,
we need to make sure hh->hh_len is written last.

[1]

BUG: KCSAN: data-race in eth_header_cache / neigh_resolve_output

write to 0xffff8880b9dedcb8 of 4 bytes by task 29760 on cpu 0:
 eth_header_cache+0xa9/0xd0 net/ethernet/eth.c:247
 neigh_hh_init net/core/neighbour.c:1463 [inline]
 neigh_resolve_output net/core/neighbour.c:1480 [inline]
 neigh_resolve_output+0x415/0x470 net/core/neighbour.c:1470
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
 __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505
 ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647
 rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615
 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
 worker_thread+0xa0/0x800 kernel/workqueue.c:2415
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

read to 0xffff8880b9dedcb8 of 4 bytes by task 29572 on cpu 1:
 neigh_resolve_output net/core/neighbour.c:1479 [inline]
 neigh_resolve_output+0x113/0x470 net/core/neighbour.c:1470
 neigh_output include/net/neighbour.h:511 [inline]
 ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
 __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0x459/0x5f0 net/ipv6/ndisc.c:505
 ndisc_send_ns+0x207/0x430 net/ipv6/ndisc.c:647
 rt6_probe_deferred+0x98/0xf0 net/ipv6/route.c:615
 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
 worker_thread+0xa0/0x800 kernel/workqueue.c:2415
 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 29572 Comm: kworker/1:4 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rt6_probe_deferred

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/firewire/net.c
include/net/neighbour.h
net/core/neighbour.c
net/ethernet/eth.c

index 242359c2d1f1839999fdfa68aff7c1ee708fc291..215f4f71b943400898d27680daee531f794287c1 100644 (file)
@@ -249,7 +249,11 @@ static int fwnet_header_cache(const struct neighbour *neigh,
        h = (struct fwnet_header *)((u8 *)hh->hh_data + HH_DATA_OFF(sizeof(*h)));
        h->h_proto = type;
        memcpy(h->h_dest, neigh->ha, net->addr_len);
-       hh->hh_len = FWNET_HLEN;
+
+       /* Pairs with the READ_ONCE() in neigh_resolve_output(),
+        * neigh_hh_output() and neigh_update_hhs().
+        */
+       smp_store_release(&hh->hh_len, FWNET_HLEN);
 
        return 0;
 }
index 1d6b98119a1d60809b519e516104716e4c6bc6c4..e89273f9a0bc6a1010bb08f43cd7da02b91ca745 100644 (file)
@@ -458,7 +458,7 @@ static inline int neigh_hh_output(const struct hh_cache *hh, struct sk_buff *skb
 
        do {
                seq = read_seqbegin(&hh->hh_lock);
-               hh_len = hh->hh_len;
+               hh_len = READ_ONCE(hh->hh_len);
                if (likely(hh_len <= HH_DATA_MOD)) {
                        hh_alen = HH_DATA_MOD;
 
index 2664ad58e5c0187ac16ece7df21228f673d07280..16ac50b1b9a718d403c0849b74fafd183cb2224b 100644 (file)
@@ -1094,7 +1094,7 @@ static void neigh_update_hhs(struct neighbour *neigh)
 
        if (update) {
                hh = &neigh->hh;
-               if (hh->hh_len) {
+               if (READ_ONCE(hh->hh_len)) {
                        write_seqlock_bh(&hh->hh_lock);
                        update(hh, neigh->dev, neigh->ha);
                        write_sequnlock_bh(&hh->hh_lock);
@@ -1355,7 +1355,7 @@ int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb)
                struct net_device *dev = neigh->dev;
                unsigned int seq;
 
-               if (dev->header_ops->cache && !neigh->hh.hh_len)
+               if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len))
                        neigh_hh_init(neigh);
 
                do {
index eaeba9b99a737c424ab9e94279f87c4045ec03dc..7e0e5f2706ba26367cbb1ce5779f643dd876ad8b 100644 (file)
@@ -239,7 +239,12 @@ int eth_header_cache(const struct neighbour *neigh, struct hh_cache *hh, __be16
        eth->h_proto = type;
        memcpy(eth->h_source, dev->dev_addr, ETH_ALEN);
        memcpy(eth->h_dest, neigh->ha, ETH_ALEN);
-       hh->hh_len = ETH_HLEN;
+
+       /* Pairs with READ_ONCE() in neigh_resolve_output(),
+        * neigh_hh_output() and neigh_update_hhs().
+        */
+       smp_store_release(&hh->hh_len, ETH_HLEN);
+
        return 0;
 }
 EXPORT_SYMBOL(eth_header_cache);