| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAAXyoMNUYaNpd0oabi2gSDZY7VGBAup041mewLBfzp4qJBHHoA@mail.gmail.com>
Date: Thu, 8 Jan 2026 09:20:48 +0800
From: Yangfl <mmyangfl@...il.com>
To: netdev@...r.kernel.org
Subject: [bug report] possible u64_stats_sync abuse
Hi,
I've noticed many drivers use u64_stats_sync in a (possibly)
undesirable way, where the writers/readers use plain u64 operations
instead of opaque u64_stats_t. For example (not a complete list for
simplicity):
- drivers/net/ifb.c:164 : direct u64 read
do {
start = u64_stats_fetch_begin(&txp->rx_stats.sync);
packets = txp->rx_stats.packets;
bytes = txp->rx_stats.bytes;
} while (u64_stats_fetch_retry(&txp->rx_stats.sync, start));
- drivers/net/macsec.c:2888 : memcpy (alignment boundary violation)
do {
start = u64_stats_fetch_begin(&stats->syncp);
memcpy(&tmp, &stats->stats, sizeof(tmp));
} while (u64_stats_fetch_retry(&stats->syncp, start));
- drivers/net/veth.c:234 : operations not revoked?
do {
start = u64_stats_fetch_begin(&rq_stats->syncp);
for (j = 0; j < VETH_TQ_STATS_LEN; j++) {
offset = veth_tq_stats_desc[j].offset;
data[tx_idx + j] += *(u64 *)(base + offset);
}
} while (u64_stats_fetch_retry(&rq_stats->syncp, start));
While they may accidentally work on 32-bit architectures since
u64_stats_sync falls back to seqlock, it becomes no-op on 64-bit
architectures and compilers may send non atomic operations, although
the case is rare and one can hardly tell whether there are
inconsistencies in the statistics snapshot.
Should they be treated as bugs and fixed?
Regards
Powered by blists - more mailing lists