Date:      Wed, 17 Feb 2021 15:03:47 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 253589] KCSAN race between tcp_do_segment and sbfree with vtnet
Message-ID:  <bug-253589-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=253589

            Bug ID: 253589
           Summary: KCSAN race between tcp_do_segment and sbfree with
                    vtnet
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: arichardson@FreeBSD.org

I have been trying to run a kernel with KCSAN enabled and it reports the
following race for me:

CSan: Racy Access [Cpu7 Read Addr=0xfffff80016103578 Size=4
PC=0xffffffff81475058<tcp_do_segment>] [Cpu1 Write Addr=0xfffff80016103578
Size=4 PC=0xffffffff81291e55<sbfree>]
kcsan_access() at kcsan_access+0x1be/frame 0xfffffe0051a313d0
tcp_do_segment() at tcp_do_segment+0x3228/frame 0xfffffe0051a31510
tcp_input() at tcp_input+0x12c3/frame 0xfffffe0051a316c0
ip_input() at ip_input+0x2fb/frame 0xfffffe0051a31780
netisr_dispatch_src() at netisr_dispatch_src+0x15c/frame 0xfffffe0051a317f0
netisr_dispatch() at netisr_dispatch+0x21/frame 0xfffffe0051a31810
ether_demux() at ether_demux+0x2b4/frame 0xfffffe0051a31870
ether_nh_input() at ether_nh_input+0x680/frame 0xfffffe0051a318e0
netisr_dispatch_src() at netisr_dispatch_src+0x15c/frame 0xfffffe0051a31950
netisr_dispatch() at netisr_dispatch+0x21/frame 0xfffffe0051a31970
ether_input() at ether_input+0x107/frame 0xfffffe0051a319e0
vtnet_rxq_eof() at vtnet_rxq_eof+0x103f/frame 0xfffffe0051a31b40
vtnet_rx_vq_process() at vtnet_rx_vq_process+0xee/frame 0xfffffe0051a31b90
vtnet_rx_vq_intr() at vtnet_rx_vq_intr+0x1f/frame 0xfffffe0051a31bb0
virtqueue_intr() at virtqueue_intr+0x30/frame 0xfffffe0051a31bd0
vtpci_vq_intr() at vtpci_vq_intr+0x1a/frame 0xfffffe0051a31bf0
ithread_loop() at ithread_loop+0x361/frame 0xfffffe0051a31cf0
fork_exit() at fork_exit+0xaf/frame 0xfffffe0051a31d30
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0051a31d30

This seems like CPU7 is trying to read from a struct sockbuf that is about to
be freed?

The affected line appears to be the `if (sb->sb_flags & SB_STOP)` check at
sys/sys/sockbuf.h:236. GDB tells me the other CPU is executing `sb->sb_ccc -=
m->m_len;` at sys/kern/uipc_sockbuf.c:303.

Since these are not even accessing the same fields, it seems like the memory may
have been reallocated?

-- 
You are receiving this mail because:
You are the assignee for the bug.
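As an added example (not code from the bug report or from FreeBSD), here is a small Python parser for the KCSAN "Racy Access" header and the `func() at func+off/frame addr` stack lines above, which checks whether the two byte ranges actually overlap, whether at least one side writes, and which side of the race the printed stack belongs to. The function names (`parse_report`, `triage`) and the shortened `SAMPLE` stack are my own constructions built from the report quoted in the bug.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header and a few stack lines of the KCSAN report
# quoted in the bug, with the quoted-printable soft line breaks undone.
SAMPLE = """\
CSan: Racy Access [Cpu7 Read Addr=0xfffff80016103578 Size=4 PC=0xffffffff81475058<tcp_do_segment>] [Cpu1 Write Addr=0xfffff80016103578 Size=4 PC=0xffffffff81291e55<sbfree>]
kcsan_access() at kcsan_access+0x1be/frame 0xfffffe0051a313d0
tcp_do_segment() at tcp_do_segment+0x3228/frame 0xfffffe0051a31510
tcp_input() at tcp_input+0x12c3/frame 0xfffffe0051a316c0
vtnet_rxq_eof() at vtnet_rxq_eof+0x103f/frame 0xfffffe0051a31b40
"""

ACCESS_RE = re.compile(
    r"\[Cpu(\d+) (Read|Write) Addr=(0x[0-9a-fA-F]+) Size=(\d+) "
    r"PC=(0x[0-9a-fA-F]+)<([^>]*)>\]")
FRAME_RE = re.compile(r"^(\w+)\(\) at \w+\+0x[0-9a-fA-F]+/frame 0x[0-9a-fA-F]+$")

@dataclass
class Access:
    cpu: int
    kind: str   # "Read" or "Write"
    addr: int
    size: int
    pc: int
    func: str   # symbol KCSAN resolved for the PC

def parse_report(text):
    """Return ([Access, Access], [frame symbols]) for one KCSAN report."""
    accesses, frames = [], []
    for line in text.splitlines():
        if line.startswith("CSan: Racy Access"):
            for m in ACCESS_RE.finditer(line):
                accesses.append(Access(int(m[1]), m[2], int(m[3], 16),
                                       int(m[4]), int(m[5], 16), m[6]))
        elif (fm := FRAME_RE.match(line.strip())):
            frames.append(fm[1])
    if len(accesses) != 2:
        raise ValueError("expected exactly two accesses in the report header")
    return accesses, frames

def overlap_bytes(a, b):
    """Bytes shared by the two access ranges [addr, addr+size)."""
    return max(0, min(a.addr + a.size, b.addr + b.size) - max(a.addr, b.addr))

def triage(text):
    (a, b), frames = parse_report(text)
    # The stack trace is the one of the CPU that tripped the check; its first
    # frame above kcsan_access names the function that made that access.
    stack = frames[1:] if frames and frames[0] == "kcsan_access" else frames
    caught = next((x for x in (a, b) if stack and x.func == stack[0]), None)
    shared = overlap_bytes(a, b)
    return {
        "overlap_bytes": shared,
        # Only a data race in the C sense if the ranges overlap and one writes.
        "is_data_race": shared > 0 and "Write" in (a.kind, b.kind),
        "caught_side": caught.kind if caught else None,
        "other_side": (b if caught is a else a).func,
    }
```

For the report in this bug it returns a 4-byte overlap with the Read side caught on the stack and `sbfree` as the other side, which is what makes the "different fields" observation worth a closer look at the addresses.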


