
Commit 931ae86

committed
Merge branch 'kcm-data-races'
Eric Dumazet says: ==================== kcm: annotate data-races This series addresses two different syzbot reports for KCM. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2 parents c99f0f7 + 0c745b5 commit 931ae86


1 file changed

+15
-8
lines changed


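--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -162,7 +162,8 @@ static void kcm_rcv_ready(struct kcm_sock *kcm)
 /* Buffer limit is okay now, add to ready list */
 list_add_tail(&kcm->wait_rx_list,
 &kcm->mux->kcm_rx_waiters);
-kcm->rx_wait = true;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_wait, true);
 }
 
 static void kcm_rfree(struct sk_buff *skb)
@@ -178,7 +179,7 @@ static void kcm_rfree(struct sk_buff *skb)
 /* For reading rx_wait and rx_psock without holding lock */
 smp_mb__after_atomic();
 
-if (!kcm->rx_wait && !kcm->rx_psock &&
+if (!READ_ONCE(kcm->rx_wait) && !READ_ONCE(kcm->rx_psock) &&
 sk_rmem_alloc_get(sk) < sk->sk_rcvlowat) {
 spin_lock_bh(&mux->rx_lock);
 kcm_rcv_ready(kcm);
@@ -237,7 +238,8 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head)
 if (kcm_queue_rcv_skb(&kcm->sk, skb)) {
 /* Should mean socket buffer full */
 list_del(&kcm->wait_rx_list);
-kcm->rx_wait = false;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_wait, false);
 
 /* Commit rx_wait to read in kcm_free */
 smp_wmb();
@@ -280,10 +282,12 @@ static struct kcm_sock *reserve_rx_kcm(struct kcm_psock *psock,
 kcm = list_first_entry(&mux->kcm_rx_waiters,
 struct kcm_sock, wait_rx_list);
 list_del(&kcm->wait_rx_list);
-kcm->rx_wait = false;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_wait, false);
 
 psock->rx_kcm = kcm;
-kcm->rx_psock = psock;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_psock, psock);
 
 spin_unlock_bh(&mux->rx_lock);
 
@@ -310,7 +314,8 @@ static void unreserve_rx_kcm(struct kcm_psock *psock,
 spin_lock_bh(&mux->rx_lock);
 
 psock->rx_kcm = NULL;
-kcm->rx_psock = NULL;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_psock, NULL);
 
 /* Commit kcm->rx_psock before sk_rmem_alloc_get to sync with
 * kcm_rfree
@@ -1240,7 +1245,8 @@ static void kcm_recv_disable(struct kcm_sock *kcm)
 if (!kcm->rx_psock) {
 if (kcm->rx_wait) {
 list_del(&kcm->wait_rx_list);
-kcm->rx_wait = false;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_wait, false);
 }
 
 requeue_rx_msgs(mux, &kcm->sk.sk_receive_queue);
@@ -1793,7 +1799,8 @@ static void kcm_done(struct kcm_sock *kcm)
 
 if (kcm->rx_wait) {
 list_del(&kcm->wait_rx_list);
-kcm->rx_wait = false;
+/* paired with lockless reads in kcm_rfree() */
+WRITE_ONCE(kcm->rx_wait, false);
 }
 /* Move any pending receive messages to other kcm sockets */
 requeue_rx_msgs(mux, &sk->sk_receive_queue);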
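Review bot: In the kcm_rfree() hunk the lockless condition still reads `sk->sk_rcvlowat` with a plain load, right next to the newly annotated `rx_wait` and `rx_psock`. If that field can be written concurrently (no writer is visible on this page), it wants the same treatment: `sk_rmem_alloc_get(sk) < READ_ONCE(sk->sk_rcvlowat)) {`. READ_ONCE/WRITE_ONCE only stop load/store tearing and refetching and add no ordering, so the lockless test remains a hint that kcm_rcv_ready() has to revalidate under `mux->rx_lock`; the start of that function is outside the hunk, so this could not be confirmed here. Separately, the context comment in requeue_rx_msgs() reads `/* Commit rx_wait to read in kcm_free */` while the comment added just above it names kcm_rfree(); aligning the two would keep the barrier pairing easy to audit.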
