On Mon, Feb 22, 2021 at 6:30 PM Gong, Sishuai <sish...@purdue.edu> wrote:
>
> Hello,
>
> We found a data race on dev->mtu between function __dev_set_mtu() and
> rawv6_send_hdrinc(). It happens with the following interleaving.
>
> writer: __dev_set_mtu()
> reader: rawv6_send_hdrinc()
>
> if (length > rt->dst.dev->mtu) {
> WRITE_ONCE(dev->mtu, new_mtu);
>
> ipv6_local_error(sk, EMSGSIZE, fl6,
> rt->dst.dev->mtu);
>
> If the writer happens to change dev->mtu to a value that is bigger than the
> variable ‘length’, then ipv6_local_error will read a value that doesn’t
> satisfy this conditional statement. While there is no need to use a lock to
> protect the read, it is probably better to only read dev->mtu once in
> rawv6_send_hdrinc().

Makes sense. The same would then apply to raw_send_hdrinc().
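
A deterministic userspace model of the interleaving discussed above, added here as an illustration; it is not kernel code and not a patch from this thread. `struct model_dev`, the race hook and the values 1500/2000/9000 are assumptions made for the example, and C11 relaxed atomics stand in for READ_ONCE()/WRITE_ONCE().

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>

/* Userspace model, not kernel code: stands in for struct net_device. */
struct model_dev { _Atomic unsigned int mtu; };
/* Hypothetical hook: lets the caller run the "writer" at the racy point. */
typedef void (*race_hook_t)(struct model_dev *dev);

/* Models the writer, WRITE_ONCE(dev->mtu, new_mtu), with a constructed value. */
static void writer_set_mtu_9000(struct model_dev *dev)
{
    atomic_store_explicit(&dev->mtu, 9000, memory_order_relaxed);
}

/* Reported pattern: dev->mtu is read for the check and again for the error. */
static int send_double_read(struct model_dev *dev, unsigned int length,
                            race_hook_t hook, unsigned int *reported)
{
    if (length > atomic_load_explicit(&dev->mtu, memory_order_relaxed)) {
        if (hook) hook(dev); /* writer runs between the two reads */
        *reported = atomic_load_explicit(&dev->mtu, memory_order_relaxed);
        return -EMSGSIZE;
    }
    return 0;
}

/* Suggested shape: read once, use that value for both check and report. */
static int send_single_read(struct model_dev *dev, unsigned int length,
                            race_hook_t hook, unsigned int *reported)
{
    unsigned int mtu = atomic_load_explicit(&dev->mtu, memory_order_relaxed);
    if (length > mtu) {
        if (hook) hook(dev); /* a concurrent write no longer changes the report */
        *reported = mtu;
        return -EMSGSIZE;
    }
    return 0;
}

int main(void)
{
    struct model_dev a = { 1500 }, b = { 1500 };
    unsigned int ra = 0, rb = 0;
    send_double_read(&a, 2000, writer_set_mtu_9000, &ra);
    send_single_read(&b, 2000, writer_set_mtu_9000, &rb);
    printf("double read reports %u, single read reports %u\n", ra, rb);
    return 0;
}
```

With the double read, the EMSGSIZE error carries an MTU larger than the length that was rejected; with the single read, the reported MTU is always the one the check was made against.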