lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMZ6RqKyMreMfNDmYU=tLyaEcReopmGx2VkBWPB12LLzd5o7Pg@mail.gmail.com>
Date: Mon, 10 Mar 2025 18:29:04 +0900
From: Vincent Mailhol <vincent.mailhol@...il.com>
To: Oliver Hartkopp <socketcan@...tkopp.net>
Cc: mkl@...gutronix.de, 
	syzbot <syzbot+78ce4489b812515d5e4d@...kaller.appspotmail.com>, 
	linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com, 
	linux-can@...r.kernel.org
Subject: Re: [syzbot] [can?] KCSAN: data-race in can_send / can_send (5)

On Mon. 10 Mar 2025 at 03:59, Oliver Hartkopp <socketcan@...tkopp.net> wrote:
> Hello Marc,
>
> On 09.03.25 11:46, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    0f52fd4f67c6 Merge tag 'bcachefs-2025-03-06' of git://evil..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12d12a54580000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=523b0e2f15224775
> > dashboard link: https://syzkaller.appspot.com/bug?extid=78ce4489b812515d5e4d
> > compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> >
> > Unfortunately, I don't have any reproducer for this issue yet.
> >
> > Downloadable assets:
> > disk image: https://storage.googleapis.com/syzbot-assets/eb0d7b540c67/disk-0f52fd4f.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/51c261332ad9/vmlinux-0f52fd4f.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/38914a4790c8/bzImage-0f52fd4f.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+78ce4489b812515d5e4d@...kaller.appspotmail.com
> >
> > ==================================================================
> > BUG: KCSAN: data-race in can_send / can_send
> >
> > read-write to 0xffff888117566290 of 8 bytes by interrupt on cpu 0:
> >   can_send+0x5a2/0x6d0 net/can/af_can.c:290
> >   bcm_can_tx+0x314/0x420 net/can/bcm.c:314
> >   bcm_tx_timeout_handler+0xea/0x280
> >   __run_hrtimer kernel/time/hrtimer.c:1801 [inline]
> >   __hrtimer_run_queues+0x20d/0x5e0 kernel/time/hrtimer.c:1865
> >   hrtimer_run_softirq+0xe4/0x2c0 kernel/time/hrtimer.c:1882
> >   handle_softirqs+0xbf/0x280 kernel/softirq.c:561
> >   run_ksoftirqd+0x1c/0x30 kernel/softirq.c:950
> >   smpboot_thread_fn+0x31c/0x4c0 kernel/smpboot.c:164
> >   kthread+0x4ae/0x520 kernel/kthread.c:464
> >   ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:148
> >   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> >
> > read-write to 0xffff888117566290 of 8 bytes by interrupt on cpu 1:
> >   can_send+0x5a2/0x6d0 net/can/af_can.c:290
> >   bcm_can_tx+0x314/0x420 net/can/bcm.c:314
> >   bcm_tx_timeout_handler+0xea/0x280
> >   __run_hrtimer kernel/time/hrtimer.c:1801 [inline]
> >   __hrtimer_run_queues+0x20d/0x5e0 kernel/time/hrtimer.c:1865
> >   hrtimer_run_softirq+0xe4/0x2c0 kernel/time/hrtimer.c:1882
> >   handle_softirqs+0xbf/0x280 kernel/softirq.c:561
> >   run_ksoftirqd+0x1c/0x30 kernel/softirq.c:950
> >   smpboot_thread_fn+0x31c/0x4c0 kernel/smpboot.c:164
> >   kthread+0x4ae/0x520 kernel/kthread.c:464
> >   ret_from_fork+0x4b/0x60 arch/x86/kernel/process.c:148
> >   ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
> >
> > value changed: 0x0000000000002b9d -> 0x0000000000002b9e
> >
>
> Increased by '1' ...
>
> I assume this problem is caused by increasing the per-netdevice statistic in
>
> https://elixir.bootlin.com/linux/v6.13.6/source/net/can/af_can.c#L289
>
> pkg_stats->tx_frames++;
> pkg_stats->tx_frames_delta++;
>
> We update the statistics for the device and in this specific case the
> hrtimer fired on two CPUs resulting in a can_send() to the same netdevice.
>
> Do you agree with this quick analysis?

Ack. Same conclusion here.

> Isn't there some lock-less per-cpu safe statistic handling within netdev
> we might pick for our use-case?

I see two solutions. Either we use lock_sock(skb->sk) and
release_sock(skb->sk) or we can change the types of
can_pkg_stats->tx_frames and can_pkg_stats->tx_frames_delta from long
to atomic_long_t.

The atomic_long_t is the closest solution to a lock-less. But my
preference goes to the lock_sock() which looks more natural in this
context. And look_sock() is just a spinlock which under the hood is
also an atomic, so no big penalty either.


Yours sincerely,
Vincent Mailhol

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ