Hello,
We found a data race on dev->mtu between function __dev_set_mtu() and
rawv6_send_hdrinc(). It happens with the following interleaving.
    writer: __dev_set_mtu()                reader: rawv6_send_hdrinc()

                                           if (length > rt->dst.dev->mtu) {
    WRITE_ONCE(dev->mtu, new_mtu);
                                               ipv6_local_error(sk, EMSGSIZE, fl6,
                                                                rt->dst.dev->mtu);
If the writer happens to change dev->mtu to a value that is bigger than the
variable 'length', then ipv6_local_error will read a value that doesn't satisfy
this conditional statement. While there is no need to use a lock to protect the
read, it is probably better to only read dev->mtu once in rawv6_send_hdrinc().
Thanks,
Sishuai
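The following is an added user-space illustration of the interleaving described above; it is not kernel code and not the reporter's own snippet. It models dev->mtu with a hypothetical struct net_device, substitutes a volatile access for READ_ONCE(), and simulates __dev_set_mtu() with a writer callback that the harness invokes between the two reads. The double-read variant mirrors the current rawv6_send_hdrinc() shape and reports an mtu that no longer satisfies the condition it just checked; the single-read variant snapshots the value once and stays self-consistent.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical stand-in for the kernel's net_device; only the mtu field matters here. */
struct net_device {
    unsigned int mtu;
};

/* Simulated concurrent writer (plays the role of __dev_set_mtu()). The harness
 * calls it between the conditional's read and the error path's read. */
typedef void (*writer_fn)(struct net_device *);

/* Current shape: dev->mtu is read in the condition and read again in the error path.
 * Returns the mtu that would be handed to ipv6_local_error(), or 0 if no error. */
unsigned int send_hdrinc_double_read(struct net_device *dev, size_t length, writer_fn writer)
{
    if (length > dev->mtu) {               /* first read */
        if (writer)
            writer(dev);                   /* racing __dev_set_mtu() lands here */
        return dev->mtu;                   /* second read: may now be >= length */
    }
    return 0;
}

/* Proposed shape: read dev->mtu once (READ_ONCE() in the kernel; a volatile
 * access stands in for it here) and use that snapshot for both check and report. */
unsigned int send_hdrinc_single_read(struct net_device *dev, size_t length, writer_fn writer)
{
    unsigned int mtu = *(volatile unsigned int *)&dev->mtu;  /* single read */

    if (length > mtu) {
        if (writer)
            writer(dev);                   /* writer still races, but we no longer re-read */
        return mtu;                        /* consistent with the condition above */
    }
    return 0;
}

/* Constructed writer: raises the mtu past the packet length mid-flight. */
static void raise_mtu(struct net_device *dev)
{
    dev->mtu = 9000;
}

/* Scenario helpers: mtu 1500, packet length 2000, writer bumps mtu to 9000. */
unsigned int reported_mtu_double_read(void)
{
    struct net_device dev = { .mtu = 1500 };
    return send_hdrinc_double_read(&dev, 2000, raise_mtu);
}

unsigned int reported_mtu_single_read(void)
{
    struct net_device dev = { .mtu = 1500 };
    return send_hdrinc_single_read(&dev, 2000, raise_mtu);
}

int main(void)
{
    printf("double read reports mtu %u for length 2000 (inconsistent)\n",
           reported_mtu_double_read());
    printf("single read reports mtu %u for length 2000 (consistent)\n",
           reported_mtu_single_read());
    return 0;
}
```

With the double read the socket error carries mtu 9000 even though the check was taken because length exceeded the mtu, which is exactly the mismatch the report describes; the single-read version reports 1500, the value the check actually used.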