ipv6: annotate data races around np->min_hopcount

No report yet from KCSAN, yet worth documenting the races.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index e4bdb09..9c3d287 100644 (file)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -950,7 +950,10 @@ done:
                        goto e_inval;
                if (val < 0 || val > 255)
                        goto e_inval;
-               np->min_hopcount = val;
+               /* tcp_v6_err() and tcp_v6_rcv() might read min_hopcount
+                * while we are changing it.
+                */
+               WRITE_ONCE(np->min_hopcount, val);
                retv = 0;
                break;
        case IPV6_DONTFRAG:

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 50d9578..c93b2d4 100644 (file)
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -414,7 +414,8 @@ static int tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (sk->sk_state == TCP_CLOSE)
                goto out;
 
-       if (ipv6_hdr(skb)->hop_limit < tcp_inet6_sk(sk)->min_hopcount) {
+       /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
+       if (ipv6_hdr(skb)->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
                __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
                goto out;
        }
@@ -1726,7 +1727,8 @@ process:
                        return 0;
                }
        }
-       if (hdr->hop_limit < tcp_inet6_sk(sk)->min_hopcount) {
+       /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
+       if (hdr->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
                __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
                goto discard_and_relse;
        }