[Intel-wired-lan] KCSAN: data-race in e1000_clean / e1000_xmit_frame
Hao Sun
sunhao.th at gmail.com
Sun Apr 11 03:18:48 UTC 2021
Hi:
When using Healer (https://github.com/SunHao-0/healer/tree/dev) to fuzz
the Linux kernel, I found a data-race bug in e1000_clean /
e1000_xmit_frame, but I'm not sure about this.
Sorry, data races are usually difficult to reproduce. I cannot provide
you with a reproducing program.
I hope that the stack trace information in the crash log can help you
locate the problem.
Kernel config and full log can be found in the attachments.
Here are the details:
commit: 3b9cdafb5358eb9f3790de2f728f765fef100731
version: linux 5.11
git tree: upstream
==================================================================
BUG: KCSAN: data-race in e1000_clean / e1000_xmit_frame
write to 0xffffc90000c81592 of 2 bytes by task 8373 on cpu 1:
e1000_xmit_frame+0x1270/0x2900
xmit_one+0xf9/0x2e0
dev_hard_start_xmit+0x60/0x100
sch_direct_xmit+0x170/0x730
__qdisc_run+0x119/0x180
__dev_queue_xmit+0xa55/0x1520
dev_queue_xmit+0x13/0x20
ip_finish_output2+0xb09/0xba0
__ip_finish_output+0x2ce/0x430
ip_finish_output+0x39/0x160
ip_output+0xf6/0x1a0
__ip_queue_xmit+0x9ca/0x9f0
ip_queue_xmit+0x34/0x40
__tcp_transmit_skb+0x12b6/0x18f0
__tcp_send_ack+0x1e9/0x2e0
tcp_send_ack+0x23/0x30
tcp_cleanup_rbuf+0x1c4/0x310
tcp_recvmsg_locked+0x1119/0x16f0
tcp_recvmsg+0x145/0x430
inet_recvmsg+0xa3/0x210
sock_read_iter+0x19e/0x1e0
vfs_read+0x552/0x5c0
ksys_read+0xce/0x180
__x64_sys_read+0x3e/0x50
do_syscall_64+0x39/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffffc90000c81592 of 2 bytes by interrupt on cpu 0:
e1000_clean+0xb6/0x1f10
__napi_poll+0x77/0x510
net_rx_action+0x29f/0x670
__do_softirq+0x13c/0x2c8
asm_call_irq_on_stack+0xf/0x20
do_softirq_own_stack+0x32/0x40
__irq_exit_rcu+0xb4/0xc0
common_interrupt+0xbd/0x140
asm_common_interrupt+0x1e/0x40
kcsan_setup_watchpoint+0x44e/0x490
handle_mm_fault+0x2ac/0x17b0
do_user_addr_fault+0x60c/0xc00
exc_page_fault+0x94/0x290
asm_exc_page_fault+0x1e/0x30
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config
Type: application/octet-stream
Size: 220871 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/intel-wired-lan/attachments/20210411/e8bbc9da/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log
Type: application/octet-stream
Size: 7500 bytes
Desc: not available
URL: <http://lists.osuosl.org/pipermail/intel-wired-lan/attachments/20210411/e8bbc9da/attachment-0003.obj>
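Added example, not part of the original message: a small Python parser for the KCSAN report above that extracts the two racing accesses and checks that they touch the same bytes from different CPUs. The names parse_kcsan and summarize are hypothetical, and SAMPLE is the report from the message truncated to three frames per stack.

```python
import re

# Access header as printed in this report, e.g.
# "write to 0xffffc90000c81592 of 2 bytes by task 8373 on cpu 1:"
ACCESS_RE = re.compile(
    r"^(?P<kind>read|write) to (?P<addr>0x[0-9a-f]+) of (?P<size>\d+) bytes "
    r"by (?P<ctx>task \d+|interrupt) on cpu (?P<cpu>\d+):$")
# Stack frame as printed by the kernel: symbol+offset/size
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

# Excerpt of the report in the message, first three frames of each stack only.
SAMPLE = """\
BUG: KCSAN: data-race in e1000_clean / e1000_xmit_frame
write to 0xffffc90000c81592 of 2 bytes by task 8373 on cpu 1:
e1000_xmit_frame+0x1270/0x2900
xmit_one+0xf9/0x2e0
dev_hard_start_xmit+0x60/0x100
read to 0xffffc90000c81592 of 2 bytes by interrupt on cpu 0:
e1000_clean+0xb6/0x1f10
__napi_poll+0x77/0x510
net_rx_action+0x29f/0x670
"""


def parse_kcsan(report):
    """Return the racing accesses in a KCSAN report, each with its call stack."""
    accesses = []
    for line in report.splitlines():
        line = line.strip()
        m = ACCESS_RE.match(line)
        if m:
            accesses.append({"kind": m["kind"], "addr": int(m["addr"], 16),
                             "size": int(m["size"]), "context": m["ctx"],
                             "cpu": int(m["cpu"]), "stack": []})
            continue
        f = FRAME_RE.match(line)
        if f and accesses:  # frames belong to the most recent access header
            accesses[-1]["stack"].append(f["sym"])
    return accesses


def summarize(accesses):
    """Confirm the two accesses overlap and name the innermost frame of each."""
    a, b = accesses
    return {
        "overlap": a["addr"] < b["addr"] + b["size"] and b["addr"] < a["addr"] + a["size"],
        "has_write": "write" in (a["kind"], b["kind"]),
        "cross_cpu": a["cpu"] != b["cpu"],
        "sites": [(x["kind"], x["context"], x["stack"][0]) for x in accesses],
    }
```

On the sample, the summary shows a 2-byte write from task context in e1000_xmit_frame on CPU 1 and a 2-byte read from interrupt context in e1000_clean on CPU 0, both at the same address.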